Identity and security
Authentication verifies who you are. Authorization verifies what you can do.
Authentication methods
| Method | When to use |
|---|---|
| OAuth | Login with Google, GitHub |
| Email/Password | Own users |
| Magic Links | Passwordless |
| JWT | Stateless APIs |
OAuth 2.0 Flow
User → Your app → Provider (Google)
↓
User ← Your app ← Token + Info
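The diagram above shows the redirect leg of the authorization code flow. Added example (not code from the original page): the app side of that leg with the two protections a reviewer looks for, a random `state` bound to the session so a callback from someone else's login is rejected, and PKCE (RFC 7636, S256) so an intercepted authorization code cannot be redeemed without the verifier. The authorize endpoint, client id and redirect URI are placeholders, and `startLogin`/`handleCallback` are names chosen here.

```typescript
// Added example (not from the original page): authorization-code flow with
// `state` and PKCE. Endpoint, client id and redirect URI are placeholders.
import { createHash, randomBytes, timingSafeEqual } from 'node:crypto';

// RFC 7636 S256 challenge: BASE64URL(SHA256(ASCII(code_verifier)))
function pkceChallenge(verifier: string): string {
  return createHash('sha256').update(verifier, 'ascii').digest('base64url');
}

// What the app keeps server-side (in the session) between redirect and callback.
interface PendingLogin { state: string; verifier: string; createdAtMs: number }

const STATE_TTL_MS = 10 * 60_000; // a pending login older than 10 minutes is dropped

function startLogin(authorizeEndpoint: string, clientId: string, redirectUri: string,
                    nowMs = Date.now()): { url: string; pending: PendingLogin } {
  const pending: PendingLogin = {
    state: randomBytes(16).toString('base64url'),
    verifier: randomBytes(32).toString('base64url'), // 43 chars, within RFC 7636's 43..128
    createdAtMs: nowMs,
  };
  const u = new URL(authorizeEndpoint);
  u.searchParams.set('response_type', 'code');
  u.searchParams.set('client_id', clientId);
  u.searchParams.set('redirect_uri', redirectUri);
  u.searchParams.set('scope', 'openid email');
  u.searchParams.set('state', pending.state);
  u.searchParams.set('code_challenge', pkceChallenge(pending.verifier));
  u.searchParams.set('code_challenge_method', 'S256');
  return { url: u.toString(), pending };
}

// Callback handling: returns the code plus the verifier to send to the token
// endpoint, or null when anything does not line up (provider error, missing
// parameters, expired pending login, state mismatch).
function handleCallback(query: Record<string, string | undefined>, pending: PendingLogin,
                        nowMs = Date.now()): { code: string; verifier: string } | null {
  if (query.error || !query.code || !query.state) return null;
  if (nowMs - pending.createdAtMs > STATE_TTL_MS) return null;
  const got = Buffer.from(query.state);
  const want = Buffer.from(pending.state);
  // Constant-time comparison; lengths are checked first because timingSafeEqual requires equal length.
  if (got.length !== want.length || !timingSafeEqual(got, want)) return null;
  return { code: query.code, verifier: pending.verifier };
}
```

The verifier returned by `handleCallback` goes in the `code_verifier` field of the token request; the provider recomputes the S256 challenge and refuses the exchange if it does not match the one sent in the authorize URL. The pending record should be deleted after one use so a replayed callback fails.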
JWT (JSON Web Tokens)
```javascript
// Structure: header.payload.signature
const token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."

// Content (payload)
{
  "sub": "user123",
  "email": "user@email.com",
  "exp": 1699999999
}
```
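The structure above only means something if the receiver actually checks the signature and the `exp` claim. Added example (not code from the original page): a minimal HS256 sign/verify pair showing the checks a verifier must perform: the algorithm is pinned instead of read from the token header (so `"alg": "none"` is rejected), the signature is compared in constant time, and an expired token is refused. The secret and claims are constructed sample values; `signJwt`/`verifyJwt` are names chosen here.

```typescript
// Added example (not from the original page): HS256 JWT with the checks a
// verifier needs. The secret and claims are constructed sample values.
import { createHmac, timingSafeEqual } from 'node:crypto';

type Claims = { sub: string; email?: string; exp: number; [k: string]: unknown };

const b64url = (buf: Buffer): string => buf.toString('base64url');
const fromB64url = (s: string): Buffer => Buffer.from(s, 'base64url');

function hmac(secret: string, data: string): Buffer {
  return createHmac('sha256', secret).update(data).digest();
}

// Decode one base64url JSON segment; null on any parse problem.
function parseSegment(segment: string): Record<string, unknown> | null {
  try {
    const v = JSON.parse(fromB64url(segment).toString('utf8'));
    return v && typeof v === 'object' ? v : null;
  } catch {
    return null;
  }
}

function signJwt(claims: Claims, secret: string): string {
  const header = b64url(Buffer.from(JSON.stringify({ alg: 'HS256', typ: 'JWT' })));
  const payload = b64url(Buffer.from(JSON.stringify(claims)));
  const signingInput = `${header}.${payload}`;
  return `${signingInput}.${b64url(hmac(secret, signingInput))}`;
}

// Returns the claims if the token is valid and unexpired at `nowSec`, else null.
function verifyJwt(token: string, secret: string,
                   nowSec = Math.floor(Date.now() / 1000)): Claims | null {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  const [h, p, s] = parts;

  // Pin the algorithm: never trust the token's own "alg" field.
  const header = parseSegment(h);
  if (!header || header.alg !== 'HS256') return null;

  // Signature check before touching the payload; constant-time compare.
  const expected = hmac(secret, `${h}.${p}`);
  const given = fromB64url(s);
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;

  const claims = parseSegment(p);
  if (!claims || typeof claims.exp !== 'number' || claims.exp <= nowSec) return null;
  return claims as Claims;
}
```

In production use a maintained library (for example `jose` or `jsonwebtoken`) and pass it an explicit allowed-algorithms list; the point of the hand-rolled version is to make visible what "verify" has to mean.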
Recommended services
| Service | Type | Ideal for |
|---|---|---|
| Firebase Auth | BaaS | Mobile, web apps |
| Supabase Auth | BaaS | Full-stack |
| Auth0 | SaaS | Enterprise |
| NextAuth.js | Library | Next.js apps |
Basic security
| Practice | Why |
|---|---|
| HTTPS always | Encrypts traffic |
| Short tokens | Limits damage if stolen |
| Refresh tokens | Renew without re-login |
| Rate limiting | Prevents brute force |
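Added example (not code from the original page) for the rate limiting row: an in-memory sliding-window limiter for login attempts, keyed by client IP or account, plus the `Retry-After` value to return when the budget is spent. The limits, the key and the attempt timestamps are constructed; `SlidingWindowLimiter` and `simulateLogins` are names chosen here.

```typescript
// Added example (not from the original page): sliding-window login limiter.
// Limits, keys and timestamps below are constructed sample values.

class SlidingWindowLimiter {
  private hits = new Map<string, number[]>(); // key -> timestamps (ms) of counted attempts

  constructor(private readonly limit: number, private readonly windowMs: number) {}

  // True if the attempt may proceed, false if the key has used up its window.
  allow(key: string, nowMs: number = Date.now()): boolean {
    const cutoff = nowMs - this.windowMs;
    // Drop attempts that have left the window; the array stays in time order.
    const recent = (this.hits.get(key) ?? []).filter(t => t > cutoff);
    if (recent.length >= this.limit) {
      this.hits.set(key, recent);
      return false; // denied attempts are not counted, so the window does not extend itself
    }
    recent.push(nowMs);
    this.hits.set(key, recent);
    return true;
  }

  // Seconds until the oldest counted attempt leaves the window (for a Retry-After header).
  retryAfterSec(key: string, nowMs: number = Date.now()): number {
    const recent = (this.hits.get(key) ?? []).filter(t => t > nowMs - this.windowMs);
    if (recent.length < this.limit) return 0;
    return Math.ceil((recent[0] + this.windowMs - nowMs) / 1000);
  }
}

// Constructed scenario: one client (documentation address 203.0.113.7) making
// login attempts at the given times, 5 attempts allowed per 15 minutes.
function simulateLogins(attemptTimesMs: number[], limit = 5, windowMs = 15 * 60_000): boolean[] {
  const limiter = new SlidingWindowLimiter(limit, windowMs);
  return attemptTimesMs.map(t => limiter.allow('203.0.113.7', t));
}
```

A single-process `Map` is enough to show the logic; behind a load balancer the counters live in a shared store (Redis or similar) so every instance sees the same budget. Keying on the account as well as the IP catches distributed password guessing against one user.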
🏦 Security for Financial Apps
If your app handles money or financial data, you need additional measures.
Required Checklist
| Requirement | Why | Standard |
|---|---|---|
| ✅ Mandatory MFA | PSD2/Open Banking regulation | NIST 800-63B |
| ✅ Immutable logs | Regulatory audits | SOC 2 |
| ✅ Encryption at rest | Sensitive data protection | PCI DSS |
| ✅ Session timeout | Fraud prevention | OWASP |
| ✅ Aggressive rate limiting | Anti-scraping | - |
What is PCI DSS?
If your app processes, stores or transmits payment card data, you must comply with PCI DSS.
| Level | Transactions/year | Requirements |
|---|---|---|
| 4 | < 20,000 | SAQ (Self-Assessment) |
| 3 | 20,000 - 1M | SAQ + quarterly scan |
| 2 | 1M - 6M | SAQ + audit |
| 1 | > 6M | Full annual audit |
💡 Tip: Use Stripe, PayPal or similar to avoid handling card data directly. They assume the compliance burden.
MFA Implementation
```typescript
// Actions that require a verified second factor
const SENSITIVE_ACTIONS = [
  'TRANSFER_FUNDS',
  'CHANGE_PASSWORD',
  'ADD_BENEFICIARY',
  'EXPORT_DATA'
]

// Verify second factor before sensitive operations.
// getUser and auditLog are the app's own helpers (not shown here); the client IP is
// passed in by the request handler instead of read from an undefined `request`.
async function requireMFA(userId: string, action: string, ip: string) {
  const user = await getUser(userId)
  const mfaVerified = Boolean(user.mfaVerifiedAt)
  if (SENSITIVE_ACTIONS.includes(action) && !mfaVerified) {
    throw new Error('MFA_REQUIRED')
  }
  // Audit log: record the real MFA state, not a hard-coded true
  await auditLog({
    userId,
    action,
    mfaVerified,
    timestamp: new Date().toISOString(),
    ip
  })
}
```
Practice
→ Auth with Firebase Google