Authentication
Security features
This template implements a comprehensive authentication system with security best practices:
- Token Security:
  - JWT-based with separate access/refresh tokens
  - Strict expiry times (30 min access, 30 day refresh)
  - Token type validation
  - HTTP-only cookies
  - Secure flag enabled
  - SameSite=strict restriction
- Password Security:
  - Strong password requirements enforced
  - Bcrypt hashing with random salt
  - Password reset tokens are single-use
  - Reset tokens have expiration
- Cookie Security:
  - HTTP-only prevents JavaScript access
  - Secure flag ensures HTTPS only
  - Strict SameSite prevents CSRF
- Error Handling:
  - Validation errors properly handled
  - Security-related errors don't leak information
  - Comprehensive error logging
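The token and cookie rules above, as an added illustration that is not the template's own code: it mints HS256 JWTs with a `type` claim and the 30 min / 30 day expiry, rejects a refresh token presented as an access token, and emits the HttpOnly/Secure/SameSite=Strict cookie attributes. The secret, claim names and function names are assumptions for this example, and the HMAC/base64 handling is done with the standard library instead of a JWT package.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

SECRET = b"example-secret-do-not-use"  # constructed for this example; load from config in practice
ACCESS_TTL = 30 * 60            # 30 minutes, the template's access-token lifetime
REFRESH_TTL = 30 * 24 * 3600    # 30 days, the template's refresh-token lifetime

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def create_token(sub: str, token_type: str, now: Optional[int] = None) -> str:
    """Mint an HS256 JWT carrying a 'type' claim and a strict 'exp' for that type."""
    now = int(time.time()) if now is None else now
    ttl = ACCESS_TTL if token_type == "access" else REFRESH_TTL
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": sub, "type": token_type, "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_token(token: str, expected_type: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims only if signature, token type and expiry all check out; else None."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            return None  # tampered or foreign signature
        claims = json.loads(_unb64(payload_b64))
    except ValueError:  # malformed base64/JSON or wrong number of segments
        return None
    # Type check: a refresh token must not be accepted where an access token is required.
    if claims.get("type") != expected_type or claims.get("exp", 0) <= now:
        return None
    return claims

def cookie_header(name: str, token: str, max_age: int) -> str:
    """Set-Cookie value matching the template's cookie rules: HttpOnly, Secure, SameSite=Strict."""
    return f"{name}={token}; Max-Age={max_age}; Path=/; HttpOnly; Secure; SameSite=Strict"
```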
The diagrams below show the main authentication flows.