Next, we want to tell Wasp that we want full-stack [authentication](language/basic-elements.md#authentication--authorization) in our app, and that it should use entity `User` for it:
```c title="main.wasp"
// ...
auth {
// Expects entity User to have (email:String) and (password:String) fields.
userEntity: User,
methods: [ EmailAndPassword ], // More methods coming soon!
onAuthFailedRedirectTo: "/login" // We'll see how this is used a bit later
}
```
What this means for us is that Wasp now offers us:
- Login and Signup forms located at `@wasp/auth/forms/Login` and `@wasp/auth/forms/Signup` paths, ready to be used.
-`logout()` action.
- React hook `useAuth()`.
-`context.user` as an argument within query/action.
This is a very high-level API for auth which makes it very easy to get started quickly, but is
not very flexible. If you require more control (e.g. want to execute some custom code on the server
during signup, check out [lower-level auth API](/docs/language/basic-elements#lower-level-api).
Ok, that was easy!
To recap, so far we have created:
-`User` entity.
-`auth` declaration thanks to which Wasp gives us plenty of auth functionality.
## Adding Login and Signup pages
When we declared `auth` we got login and signup forms generated for us, but now we have to use them in their pages. In our `main.wasp` we'll add the following:
```c title="main.wasp"
// ...
route "/signup" -> page Signup
page Signup {
component: import Signup from "@ext/SignupPage"
}
route "/login" -> page Login
page Login {
component: import Login from "@ext/LoginPage"
}
```
Great, Wasp now knows how to route these and where to find the pages. Now to the React code of the pages:
I already have an account (<Linkto="/login">go to login</Link>).
</span>
</>
)
}
export default SignupPage
```
## Updating Main page to check if user is authenticated
Now, let's see how are we going to handle the situation when user is not logged in. `Main` page is a private
page and we want users to be able to see it only if they are authenticated.
There is a specific Wasp feature that allows us to achieve this in a simple way:
```c {3} title="main.wasp"
// ...
page Main {
authRequired: true,
component: import Main from "@ext/MainPage.js"
}
```
With `authRequired: true` we declared that page `Main` is accessible only to the authenticated users.
If an unauthenticated user tries to access route `/` where our page `Main` is, they will be redirected to `/login` as specified with `onAuthFailedRedirectTo` property in `auth`.
Also, when `authRequired` is set to `true`, the React component of a page (specified by `component` property within `page`) will be provided `user` object as a prop. It can be accessed like this:
to create a database schema migration and apply it to the database.
:::note
We made `user` and `userId` in `Task` optional (via `?`) because that allows us to keep the existing tasks, which don't have a user assigned, in the database.
This is not recommended because it allows unwanted state in the database (what is the purpose of the task not belonging to anybody?) and normally we would not make these fields optional.
Instead, we would do a data migration to take care of those tasks, even if it means just deleting them all.
However, for this tutorial, for the sake of simplicity, we will stick with this.
:::
## Updating operations to forbid access to non-authenticated users
Next, let's update the queries and actions to forbid access to non-authenticated users and to operate only on currently logged in user's tasks:
