Forem: Iulian Iordache The latest articles on Forem by Iulian Iordache (@iordache). https://forem.com/iordache https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3603540%2F044a68b9-c779-4e15-80d7-3e6c52b8474a.png Forem: Iulian Iordache https://forem.com/iordache en Hear me out Iulian Iordache Mon, 10 Nov 2025 23:37:22 +0000 https://forem.com/iordache/-52gl https://forem.com/iordache/-52gl <div class="ltag__link"> <a href="/iordache" class="ltag__link__link"> <div class="ltag__link__pic"> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3603540%2F044a68b9-c779-4e15-80d7-3e6c52b8474a.png" alt="iordache"> </div> </a> <a href="https://dev.to/iordache/auth-series-yet-another-password-authentication-flow-but-hear-me-out-4mj2" class="ltag__link__link"> <div class="ltag__link__content"> <h2>A Better Password Authentication Flow.. hear me out</h2> <h3>Iulian Iordache ・ Nov 10</h3> <div class="ltag__link__taglist"> <span class="ltag__link__tag">#authentification</span> <span class="ltag__link__tag">#backend</span> <span class="ltag__link__tag">#security</span> <span class="ltag__link__tag">#encryption</span> </div> </div> </a> </div> authentification backend security encryption A Better Password Authentication Flow.. hear me out Iulian Iordache Mon, 10 Nov 2025 04:03:31 +0000 https://forem.com/iordache/auth-series-yet-another-password-authentication-flow-but-hear-me-out-4mj2 https://forem.com/iordache/auth-series-yet-another-password-authentication-flow-but-hear-me-out-4mj2 <p>Auth is one of those topics everyone touches but few explore deeply. Most posts repeat the same template: hash passwords, issue a JWT, add middleware, done. That works for demos, not production. MERN stack buddies will learn a lot from this one!</p> <p>This is a blueprint, not a tutorial. It shows you the architecture that Auth0, Clerk, and Supabase use internally for password authentication. You'll see the patterns, understand the threat models, and know how to adapt them to your stack.</p> <p>I tried to provide a "more complete" flow than what I've seen out there on YouTube where they only focus on the token generation but they don't talk about refresh tokens, how to SECURELY store them, how to retrieve them, how to detect replays and how to handle revocation and server-side session versions.</p> <h2> <strong>The Three Pillars: Identity, Proof, Trust</strong> </h2> <p>Every auth system, from basic logins to OAuth, is built on these:</p> <ul> <li><p><strong>Identity</strong><br> Who you claim to be</p></li> <li><p><strong>Proof</strong><br> Evidence that proves your claim (password, key, code)</p></li> <li><p><strong>Trust</strong><br> How the system remembers you proved yourself (sessions, tokens)</p></li> </ul> <p>The rest is details.</p> <h2> <strong>Passwords: Store Proof, not Plaintext</strong> </h2> <p>A password exists to provide proof once, then never again until the next login. Your job is to make reversing that proof computationally infeasible.</p> <p>Use Argon2id with memory-hard parameters. The numbers below are reasonable defaults, not universal law, because hardware and concurrency vary across deployments.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Parameters tuned for modern hardware (adjust for your environment ofc)</span> <span class="nf">hashPassword</span><span class="p">(</span><span class="nx">password</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">argon2</span><span class="p">.</span><span class="nf">hash</span><span class="p">(</span><span class="nx">password</span><span class="p">,</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="nx">argon2id</span><span class="p">,</span> <span class="na">memoryCost</span><span class="p">:</span> <span class="mi">65536</span><span class="p">,</span> <span class="c1">// 64 MiB (many prod systems use 32–64 MiB)</span> <span class="na">timeCost</span><span class="p">:</span> <span class="mi">3</span><span class="p">,</span> <span class="c1">// ~50–150ms depending on your server</span> <span class="na">parallelism</span><span class="p">:</span> <span class="mi">4</span><span class="p">,</span> <span class="c1">// matches typical CPU cores but tune for load</span> <span class="na">hashLength</span><span class="p">:</span> <span class="mi">32</span> <span class="c1">// 256 bits is the industry standard</span> <span class="p">})</span> <span class="p">}</span> <span class="nf">verifyPassword</span><span class="p">(</span><span class="nx">hash</span><span class="p">,</span> <span class="nx">input</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">argon2</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="nx">hash</span><span class="p">,</span> <span class="nx">input</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>Why these numbers you might ask, well:</p> <ul> <li> <code>memoryCost</code>: 65536 forces 64 MiB RAM per hash. Attackers can't parallelize millions of attempts on limited GPU memory.</li> <li> <code>timeCost</code>: 3 makes each hash take ~50-150ms. Negligible for one login, crushing for brute force.</li> <li> <code>parallelism</code>: 4 uses your CPU cores efficiently without starving other requests, if you're in an environment where CPU time is limited like serverless, consider using a lower number, decide what's best for your use case.</li> </ul> <p><strong>The threat model</strong>: Always assume your passwords will leak someday. These parameters make brute forcing painful, unless the user chooses something like "123456789", which, yeah, will be cracked instantly.</p> <h2> Access Tokens: Short-Lived Signed Envelopes </h2> <p>Access tokens are ephemeral proof you were authenticated recently, think of them as signed receipts, not universal truth.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nf">createAccessToken</span><span class="p">(</span><span class="nx">userId</span><span class="p">,</span> <span class="nx">sessionVersion</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">sign</span><span class="p">(</span> <span class="p">{</span> <span class="na">sub</span><span class="p">:</span> <span class="nx">userId</span><span class="p">,</span> <span class="na">ver</span><span class="p">:</span> <span class="nx">sessionVersion</span> <span class="c1">// ties token to the server state</span> <span class="p">},</span> <span class="nx">ACCESS_TOKEN_SECRET</span><span class="p">,</span> <span class="p">{</span> <span class="na">expiresIn</span><span class="p">:</span> <span class="dl">"</span><span class="s2">10m</span><span class="dl">"</span> <span class="p">}</span> <span class="c1">// 5–15 minutes is typical</span> <span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p><strong>Key principle</strong>: <code>sessionVersion</code> lives server-side. Bump it and all access tokens go stale instantly. This sidesteps the “JWTs can’t be revoked” myth.</p> <p><strong>Lifetime</strong>: Very short lived, 5-15 minutes max. Long enough to not annoy users, short enough that a stolen token has limited value.</p> <h2> Refresh Tokens: Long-Lived Database-Backed Trust </h2> <p>Refresh tokens are the "remember me" mechanism. They live in your database, rotate on every use, and track lineage for replay detection.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">refresh_tokens</span> <span class="p">(</span> <span class="n">id</span> <span class="n">UUID</span> <span class="k">PRIMARY</span> <span class="k">KEY</span><span class="p">,</span> <span class="n">user_id</span> <span class="n">UUID</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">token_hash</span> <span class="nb">TEXT</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="c1">-- SHA256 hash for indexed lookup</span> <span class="n">token_encrypted</span> <span class="nb">TEXT</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="c1">-- AES-256-GCM encrypted blob</span> <span class="n">iv</span> <span class="nb">TEXT</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="c1">-- AES-GCM IV</span> <span class="n">auth_tag</span> <span class="nb">TEXT</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="c1">-- AES-GCM authentication tag</span> <span class="n">parent_id</span> <span class="n">UUID</span><span class="p">,</span> <span class="c1">-- tracks rotation lineage</span> <span class="n">expires_at</span> <span class="nb">TIMESTAMP</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">created_at</span> <span class="nb">TIMESTAMP</span> <span class="k">DEFAULT</span> <span class="n">now</span><span class="p">(),</span> <span class="n">used_at</span> <span class="nb">TIMESTAMP</span><span class="p">,</span> <span class="n">revoked_at</span> <span class="nb">TIMESTAMP</span><span class="p">,</span> <span class="k">INDEX</span><span class="p">(</span><span class="n">token_hash</span><span class="p">),</span> <span class="k">INDEX</span><span class="p">(</span><span class="n">user_id</span><span class="p">,</span> <span class="n">revoked_at</span><span class="p">)</span> <span class="p">)</span> </code></pre> </div> <p>Now some of you might ask, "Why both hash AND encryption?", hear me out:</p> <ul> <li> <strong>Hash</strong>: Fast O(1) (again O(log n) in databases) lookup without decrypting every token</li> <li> <strong>Encryption</strong>: If DB dumps, attacker still needs your encryption key</li> <li> <strong>AES-GCM note</strong> : GCM requires an IV and auth tag; those need to be stored. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// generate once with a CSPRNG library (node's "crypto" module in this case)</span> <span class="nx">ENCRYPTION_KEY</span> <span class="o">=</span> <span class="nx">env</span><span class="p">.</span><span class="nx">REFRESH_TOKEN_ENCRYPTION_KEY</span> <span class="nf">createRefreshToken</span><span class="p">(</span><span class="nx">userId</span><span class="p">,</span> <span class="nx">parentId</span> <span class="o">=</span> <span class="kc">null</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// generate cryptographically random token and again,</span> <span class="c1">// use your platform's recommended way of generating random keys,</span> <span class="c1">// "crypto/rand" in Go or "secrets" in Python</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">randomBytes</span><span class="p">(</span><span class="mi">32</span><span class="p">).</span><span class="nf">toString</span><span class="p">(</span><span class="dl">'</span><span class="s1">hex</span><span class="dl">'</span><span class="p">)</span> <span class="nx">hash</span> <span class="o">=</span> <span class="nf">sha256</span><span class="p">(</span><span class="nx">token</span><span class="p">)</span> <span class="c1">// now encrypt the token for storage, we'll used AES for this</span> <span class="p">{</span> <span class="nx">encrypted</span><span class="p">,</span> <span class="nx">iv</span><span class="p">,</span> <span class="nx">authTag</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">aes256gcm</span><span class="p">.</span><span class="nf">encrypt</span><span class="p">(</span><span class="nx">token</span><span class="p">,</span> <span class="nx">ENCRYPTION_KEY</span><span class="p">)</span> <span class="nx">expiresAt</span> <span class="o">=</span> <span class="nf">now</span><span class="p">()</span> <span class="o">+</span> <span class="mi">30</span><span class="p">.</span><span class="nx">days</span> <span class="nx">db</span><span class="p">.</span><span class="nf">insert</span><span class="p">({</span> <span class="na">id</span><span class="p">:</span> <span class="nf">uuid</span><span class="p">(),</span> <span class="na">user_id</span><span class="p">:</span> <span class="nx">userId</span><span class="p">,</span> <span class="na">token_hash</span><span class="p">:</span> <span class="nx">hash</span><span class="p">,</span> <span class="na">token_encrypted</span><span class="p">:</span> <span class="nx">encrypted</span><span class="p">,</span> <span class="nx">iv</span><span class="p">,</span> <span class="na">auth_tag</span><span class="p">:</span> <span class="nx">authTag</span><span class="p">,</span> <span class="na">parent_id</span><span class="p">:</span> <span class="nx">parentId</span><span class="p">,</span> <span class="na">expires_at</span><span class="p">:</span> <span class="nx">expiresAt</span> <span class="p">})</span> <span class="k">return</span> <span class="nx">token</span> <span class="c1">// send the plaintext to the client</span> <span class="p">}</span> </code></pre> </div> <p><strong>Threat model for this one</strong>:</p> <ul> <li>If the attackers dump your DB, what will they get is a bunch of encrypted tokens, pretty much useless without keys</li> <li>Now if they steal a single token (let's assume they are limited to a 30-day window) you will easily detect these on replay</li> </ul> <p>"But grandpa, what happens if the attackers get both the DB and the encryption keys?", well, at this point, tbh, you have bigger issues but the session version bump still invalidates everything :)</p> <h2> Token Rotation + Replay Detection </h2> <p>Every time a refresh token is used, it's marked as used and replaced, if a token is used twice, you know one request was from an attacker.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nf">rotateRefreshToken</span><span class="p">(</span><span class="nx">oldTokenId</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// mark as used</span> <span class="nx">db</span><span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="nx">oldTokenId</span><span class="p">,</span> <span class="p">{</span> <span class="na">used_at</span><span class="p">:</span> <span class="nf">now</span><span class="p">()</span> <span class="p">})</span> <span class="c1">// create child token</span> <span class="k">return</span> <span class="nf">createRefreshToken</span><span class="p">(</span> <span class="nx">oldToken</span><span class="p">.</span><span class="nx">user_id</span><span class="p">,</span> <span class="nx">parentId</span><span class="p">:</span> <span class="nx">oldTokenId</span> <span class="p">)</span> <span class="p">}</span> <span class="nf">detectReplay</span><span class="p">(</span><span class="nx">token</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">token</span><span class="p">.</span><span class="nx">used_at</span> <span class="o">!=</span> <span class="kc">null</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// this token was already used, possible attack</span> <span class="c1">// revoke entire session tree</span> <span class="nf">bumpSessionVersion</span><span class="p">(</span><span class="nx">token</span><span class="p">.</span><span class="nx">user_id</span><span class="p">)</span> <span class="c1">// up to you what you do now: lock account, alert security team</span> <span class="k">return</span> <span class="nx">REPLAY_DETECTED</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">OK</span> <span class="p">}</span> </code></pre> </div> <p><strong>Parent-child lineage</strong>: If <code>token_A</code> has two children (<code>token_B</code> and <code>token_C</code>), one was created by an attacker. The legitimate client will send <code>token_B</code>, the attacker <code>token_C</code>, so, whichever arrives second triggers replay detection, easy.</p> <h2> Session Versions: Server-Side Revocation </h2> <p>JWTs are stateless, but you still need instant revocation. Session versions solve this.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">sessions</span> <span class="p">(</span> <span class="n">id</span> <span class="n">UUID</span> <span class="k">PRIMARY</span> <span class="k">KEY</span><span class="p">,</span> <span class="n">user_id</span> <span class="n">UUID</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="k">version</span> <span class="nb">INT</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="k">DEFAULT</span> <span class="mi">1</span><span class="p">,</span> <span class="n">last_active</span> <span class="nb">TIMESTAMP</span> <span class="p">)</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// on login</span> <span class="nx">session</span> <span class="o">=</span> <span class="nx">db</span><span class="p">.</span><span class="nf">findOrCreate</span><span class="p">(</span><span class="nx">user_id</span><span class="p">)</span> <span class="nx">accessToken</span> <span class="o">=</span> <span class="nf">createAccessToken</span><span class="p">(</span><span class="nx">user_id</span><span class="p">,</span> <span class="nx">session</span><span class="p">.</span><span class="nx">version</span><span class="p">)</span> <span class="c1">// pn protected request</span> <span class="nf">validateAccessToken</span><span class="p">(</span><span class="nx">token</span><span class="p">)</span> <span class="p">{</span> <span class="nx">payload</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="nx">token</span><span class="p">)</span> <span class="nx">session</span> <span class="o">=</span> <span class="nx">db</span><span class="p">.</span><span class="nf">find</span><span class="p">(</span><span class="nx">payload</span><span class="p">.</span><span class="nx">ver</span> <span class="p">?</span> <span class="nx">payload</span><span class="p">.</span><span class="nx">sub</span> <span class="p">:</span> <span class="kc">null</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="nx">session</span><span class="p">.</span><span class="nx">version</span> <span class="o">!=</span> <span class="nx">payload</span><span class="p">.</span><span class="nx">ver</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">INVALID</span> <span class="c1">// token was issued before version bump</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">VALID</span> <span class="p">}</span> <span class="c1">// on logout, password change, or security event</span> <span class="nf">revokeAllSessions</span><span class="p">(</span><span class="nx">userId</span><span class="p">)</span> <span class="p">{</span> <span class="nx">db</span><span class="p">.</span><span class="nf">updateWhere</span><span class="p">({</span> <span class="na">user_id</span><span class="p">:</span> <span class="nx">userId</span> <span class="p">},</span> <span class="p">{</span> <span class="na">version</span><span class="p">:</span> <span class="nf">increment</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p><strong>This works beautifully because</strong>: Incrementing the version invalidates all access tokens and refresh tokens tied to that session, no need to track individual tokens.</p> <p>Bump the version on logout, password change, or anything security-sensitive.</p> <h2> The Complete Flow </h2> <h3> Login </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">POST</span> <span class="o">/</span><span class="nx">auth</span><span class="o">/</span><span class="nx">login</span> <span class="p">{</span> <span class="nl">email</span><span class="p">:</span> <span class="dl">"</span><span class="s2">user@example.com</span><span class="dl">"</span><span class="p">,</span> <span class="nx">password</span><span class="p">:</span> <span class="dl">"</span><span class="s2">...</span><span class="dl">"</span> <span class="p">}</span> <span class="o">-</span> <span class="nx">Verify</span> <span class="nx">password</span> <span class="kd">with</span> <span class="nx">argon2</span> <span class="o">-</span> <span class="nx">Find</span> <span class="nx">or</span> <span class="nx">create</span> <span class="nx">session</span> <span class="k">for</span> <span class="nx">user</span> <span class="o">-</span> <span class="nx">Create</span> <span class="nx">access</span> <span class="nx">token</span> <span class="kd">with</span> <span class="nx">session</span><span class="p">.</span><span class="nx">version</span> <span class="o">-</span> <span class="nx">Create</span> <span class="nx">refresh</span> <span class="nf">token </span><span class="p">(</span><span class="nx">store</span> <span class="nx">encrypted</span><span class="p">)</span> <span class="o">-</span> <span class="nb">Set</span> <span class="nx">httpOnly</span> <span class="nx">cookie</span> <span class="kd">with</span> <span class="nx">refresh</span> <span class="nx">token</span> <span class="o">-</span> <span class="nx">Return</span> <span class="p">{</span> <span class="nx">accessToken</span> <span class="p">}</span> </code></pre> </div> <h3> Refresh </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">POST</span> <span class="o">/</span><span class="nx">auth</span><span class="o">/</span><span class="nx">refresh</span> <span class="nx">Cookie</span><span class="p">:</span> <span class="nx">refresh_token</span><span class="o">=</span><span class="p">...</span> <span class="o">-</span> <span class="nx">Look</span> <span class="nx">up</span> <span class="nx">token</span> <span class="nx">by</span> <span class="nf">hash </span><span class="p">(</span><span class="nc">O</span><span class="p">(</span><span class="mi">1</span><span class="p">))</span> <span class="o">-</span> <span class="nx">Decrypt</span> <span class="nx">and</span> <span class="nx">validate</span> <span class="o">-</span> <span class="nx">Check</span> <span class="nx">expiration</span><span class="p">,</span> <span class="nx">revocation</span> <span class="o">-</span> <span class="nx">Detect</span> <span class="nf">replay </span><span class="p">(</span><span class="nx">fail</span> <span class="k">if</span> <span class="nx">used_at</span> <span class="nx">exists</span><span class="p">)</span> <span class="o">-</span> <span class="nx">Rotate</span> <span class="nf">token </span><span class="p">(</span><span class="nx">mark</span> <span class="nx">old</span> <span class="k">as</span> <span class="nx">used</span><span class="p">,</span> <span class="nx">create</span> <span class="k">new</span><span class="p">)</span> <span class="o">-</span> <span class="nx">Fetch</span> <span class="nx">current</span> <span class="nx">session</span><span class="p">.</span><span class="nx">version</span> <span class="o">-</span> <span class="nx">Create</span> <span class="k">new</span> <span class="nx">access</span> <span class="nx">token</span> <span class="o">-</span> <span class="nb">Set</span> <span class="k">new</span> <span class="nx">refresh</span> <span class="nx">token</span> <span class="nx">cookie</span> <span class="o">-</span> <span class="nx">Return</span> <span class="p">{</span> <span class="nx">accessToken</span> <span class="p">}</span> </code></pre> </div> <h3> Protected Request </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">GET</span> <span class="o">/</span><span class="nx">api</span><span class="o">/</span><span class="nx">resource</span> <span class="nx">Authorization</span><span class="p">:</span> <span class="nx">Bearer</span> <span class="o">&lt;</span><span class="nx">access_token</span><span class="o">&gt;</span> <span class="o">-</span> <span class="nx">Verify</span> <span class="nx">JWT</span> <span class="nx">signature</span> <span class="o">-</span> <span class="nx">Check</span> <span class="nx">expiration</span> <span class="o">-</span> <span class="nx">Fetch</span> <span class="nx">session</span> <span class="nx">by</span> <span class="nx">payload</span><span class="p">.</span><span class="nx">sub</span> <span class="o">-</span> <span class="nx">Validate</span> <span class="nx">payload</span><span class="p">.</span><span class="nx">ver</span> <span class="o">==</span> <span class="nx">session</span><span class="p">.</span><span class="nx">version</span> <span class="o">-</span> <span class="nx">Allow</span> <span class="nx">request</span> </code></pre> </div> <h3> Logout </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">POST</span> <span class="o">/</span><span class="nx">auth</span><span class="o">/</span><span class="nx">logout</span> <span class="o">-</span> <span class="nx">Bump</span> <span class="nx">session</span><span class="p">.</span><span class="nx">version</span> <span class="o">-</span> <span class="nx">Revoke</span> <span class="nx">all</span> <span class="nx">user</span><span class="dl">'</span><span class="s1">s refresh tokens - Clear cookie </span></code></pre> </div> <h3> Password Reset </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">POST</span> <span class="o">/</span><span class="nx">auth</span><span class="o">/</span><span class="nx">reset</span><span class="o">-</span><span class="nx">password</span> <span class="p">{</span> <span class="nl">token</span><span class="p">:</span> <span class="dl">"</span><span class="s2">...</span><span class="dl">"</span><span class="p">,</span> <span class="nx">newPassword</span><span class="p">:</span> <span class="dl">"</span><span class="s2">...</span><span class="dl">"</span> <span class="p">}</span> <span class="o">-</span> <span class="nx">Validate</span> <span class="nx">reset</span> <span class="nx">token</span> <span class="o">-</span> <span class="nx">Hash</span> <span class="k">new</span> <span class="nx">password</span> <span class="o">-</span> <span class="nx">Update</span> <span class="nx">user</span><span class="p">.</span><span class="nx">password_hash</span> <span class="o">-</span> <span class="nx">Bump</span> <span class="nx">session</span><span class="p">.</span><span class="nf">version </span><span class="p">(</span><span class="nx">invalidates</span> <span class="nx">all</span> <span class="nx">devices</span><span class="p">)</span> <span class="o">-</span> <span class="nx">Revoke</span> <span class="nx">all</span> <span class="nx">refresh</span> <span class="nx">tokens</span> <span class="o">-</span> <span class="nx">Force</span> <span class="nx">re</span><span class="o">-</span><span class="nx">login</span> <span class="nx">everywhere</span> </code></pre> </div> <h2> Critical Security Considerations </h2> <p>httpOnly Cookies for Refresh Tokens<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nf">setCookie</span><span class="p">(</span><span class="nx">res</span><span class="p">,</span> <span class="dl">"</span><span class="s2">refresh_token</span><span class="dl">"</span><span class="p">,</span> <span class="nx">token</span><span class="p">,</span> <span class="p">{</span> <span class="na">httpOnly</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="c1">// JS can't touch it</span> <span class="na">secure</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="c1">// HTTPS only</span> <span class="na">sameSite</span><span class="p">:</span> <span class="dl">"</span><span class="s2">strict</span><span class="dl">"</span><span class="p">,</span> <span class="c1">// CSRF protection</span> <span class="na">path</span><span class="p">:</span> <span class="dl">"</span><span class="s2">/auth/refresh</span><span class="dl">"</span><span class="p">,</span> <span class="c1">// scoped, though path scoping is weaker than domain/sameSite</span> <span class="na">maxAge</span><span class="p">:</span> <span class="mi">30</span> <span class="o">*</span> <span class="mi">86400</span> <span class="c1">// in your code, don't use these magic numbers, create a variable somewhere where you comment what these numbers are please, ok?</span> <span class="p">})</span> </code></pre> </div> <p><strong>Note</strong>: path helps reduce accidental exposure, but the real safety comes from httpOnly, secure, sameSite, and domain scoping.</p> <h3> Token Expiration Hierarchy </h3> <ul> <li> <strong>Access token</strong>: 5-15 minutes (minimizes damage from XSS)</li> <li> <strong>Refresh token</strong>: 7-30 days (balance between security and UX)</li> <li> <strong>Session version</strong>: Never expires (but bumped on security events)</li> </ul> <h3> When to Bump Session Version </h3> <ul> <li>User logs out</li> <li>Password changed</li> <li>Email changed</li> <li>MFA enabled/disabled</li> <li>Suspicious activity detected</li> <li>User clicks "log out all devices"</li> </ul> <h3> Rate Limiting </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// per IP</span> <span class="nx">POST</span> <span class="o">/</span><span class="nx">auth</span><span class="o">/</span><span class="nx">login</span> <span class="err">→</span> <span class="mi">5</span> <span class="nx">attempts</span> <span class="o">/</span> <span class="mi">15</span> <span class="nx">minutes</span> <span class="nx">POST</span> <span class="o">/</span><span class="nx">auth</span><span class="o">/</span><span class="nx">refresh</span> <span class="err">→</span> <span class="mi">100</span> <span class="nx">attempts</span> <span class="o">/</span> <span class="nx">hour</span> <span class="c1">// per user</span> <span class="nx">POST</span> <span class="o">/</span><span class="nx">auth</span><span class="o">/</span><span class="nx">login</span> <span class="err">→</span> <span class="mi">10</span> <span class="nx">failed</span> <span class="nx">attempts</span> <span class="err">→</span> <span class="nx">lock</span> <span class="nx">account</span> <span class="k">for</span> <span class="mi">1</span> <span class="nx">hour</span> <span class="c1">// this example is very strict and you should use whatever makes sense for your use case</span> </code></pre> </div> <h2> Now the fun part: Scaling Considerations </h2> <p>We talked about <code>hash</code> and <code>encryption</code> at the beginning of the article, that little decision helps us scale real production systems;</p> <ul> <li>Using a hash for lookup: WHERE token_hash = sha256(input) is O(1) ( O(log n) in databases :) )</li> <li>You still need to decrypt but you only do that for the mached record</li> <li>Index aggressively, (user_id, revoked_at), (expires_at)</li> </ul> <h2> Cleanup Strategy </h2> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// run daily</span> <span class="nx">DELETE</span> <span class="nx">FROM</span> <span class="nx">refresh_tokens</span> <span class="nx">WHERE</span> <span class="nx">expires_at</span> <span class="o">&lt;</span> <span class="nf">now</span><span class="p">()</span> <span class="o">-</span> <span class="nx">INTERVAL</span> <span class="dl">'</span><span class="s1">7 days</span><span class="dl">'</span> <span class="c1">// or on refresh attempt</span> <span class="k">if </span><span class="p">(</span><span class="nx">token</span><span class="p">.</span><span class="nx">expires_at</span> <span class="o">&lt;</span> <span class="nf">now</span><span class="p">())</span> <span class="p">{</span> <span class="nf">asyncCleanup</span><span class="p">(</span><span class="nx">token</span><span class="p">.</span><span class="nx">user_id</span><span class="p">)</span> <span class="k">return</span> <span class="nx">EXPIRED</span> <span class="p">}</span> </code></pre> </div> <p>Also check expiration during refresh and soft-retire old token trees.</p> <p>If you got here, you might still have some questions, I'll try to guess one of them; "Wait what? What about multi device sessions? The architecture above uses one session version per user!", well my friend, if you do something like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">sessions</span> <span class="p">(</span> <span class="n">id</span> <span class="n">UUID</span> <span class="k">PRIMARY</span> <span class="k">KEY</span><span class="p">,</span> <span class="n">user_id</span> <span class="n">UUID</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">device_id</span> <span class="nb">TEXT</span><span class="p">,</span> <span class="c1">-- browser fingerprint or explicit device ID for example</span> <span class="k">version</span> <span class="nb">INT</span> <span class="k">DEFAULT</span> <span class="mi">1</span><span class="p">,</span> <span class="n">last_active</span> <span class="nb">TIMESTAMP</span> <span class="p">)</span> </code></pre> </div> <p>Refresh tokens then reference <code>session_id</code> instead of <code>user_id</code>. You can revoke individual devices without logging out everywhere.</p> <h2> Common Pitfalls </h2> <p>I'll go in order of importance:</p> <ol> <li> <strong>Storing the refresh token in <code>localStorage</code></strong>: From what I've seen in YouTube tutorials, this is often labeled as "you shouldn't do this but I do it for the sake of the tutorial", where in reality it's very simple, use an <code>httpOnly</code> cookie and enable <code>credentials</code> so only the browser can access and send it with the requests.</li> <li> <strong>No rotating refresh tokens or no refresh tokens at all</strong>: The stolen token will be valid until the end of time in most JWT implementations I've seen or until natural expiration.</li> <li> <strong>Weak secrets</strong>: Please use a CSPRNG library, node has one, golang has one, python has one, don't try to come up with strings yourself.</li> <li> <strong>Missing rate limits</strong>: Welcome to the credential stuffing festival everybody</li> <li>This one is on 5 but should actually be up there on 1. <strong>No replay detection</strong>: Well.. attacker can reuse stolen refresh token indefinitely</li> </ol> <h2> <strong>When to Use This vs. a Service You Might Ask Next</strong> </h2> <h3> I'd say, build this yourself when: </h3> <ul> <li>You need full control over auth flows</li> <li>You have custom business logic tied to authentication</li> <li>Avoiding vendor lock-in is critical</li> <li>You're operating in a regulated industry with strict compliance requirements, and since you have full control, it makes it easier to tune the flow</li> </ul> <h3> Use Auth0/Clerk/Supabase when: </h3> <ul> <li>You need OAuth/social logins (Google, GitHub, etc.), many libraries have a truck load of integrations for every last social login, so implementing them yourself is a waste of time, using Auth0 for password only defeats the purpose of a service</li> <li>You want MFA/WebAuthn out of the box</li> <li>You're building an MVP and speed matters but as your app scales so does the consequences of your decision... am talking about pricing here</li> <li>You have a small team without dedicated security expertise although with a bit of care, the service becomes redundant</li> </ul> <p>This blueprint is the foundation. OAuth, MFA, and passwordless flows layer on top of these same primitives: proof, trust, and server-side validation.</p> <p>Sooo</p> <h2> Summary </h2> <p><strong>Passwords</strong>: Argon2id with memory-hard parameters<br> <strong>Access tokens</strong>: Short-lived JWTs tied to session versions<br> <strong>Refresh tokens</strong>: Long-lived, encrypted at rest, rotated on use, parent-child tracking<br> <strong>Session versions</strong>: Server-side revocation mechanism<br> <strong>Replay detection</strong>: Identifies stolen tokens via usage patterns</p> <p>This is what production auth looks like and this is the "hear me out part", IMO this is a more complete and production ready flow than what I've seen out there. Each piece has a job, and together, they create a system that's both secure and maintainable.</p> <p>The goal was to have this as a blueprint so you can hand this to any engineer in any stack and they'll know what to build.</p> <p>The code patterns shown here are language-agnostic, adapt them to your stack, but keep the architecture intact.</p> authentification backend security encryption