Common Authentication Platform for Personal Projects

A reusable authentication server (auth.pluie-lab.com) for personal development projects. It supports email authentication, OAuth, and 2FA, providing shared authentication capabilities across multiple projects.

Created on: May 12, 2025
Updated on: May 25, 2025
This content has been translated by AI from the original Japanese version.

Note: This project has been abandoned in favor of using Clerk for authentication. This decision was made to increase development speed and enhance security by leveraging a proven authentication solution.

Overview

Implementing authentication features for each personal development project can be time-consuming. To solve this, I'm building a reusable common authentication platform that can be utilized across multiple projects.

This authentication server will provide the following capabilities:

  • Email + password authentication
  • OAuth integration (Google, GitHub, etc.)
  • Two-factor authentication (TOTP)
  • Secure token management
  • Cross-domain authentication

Key Features

1. Login System

  • User-friendly login form
  • Brute force attack prevention
  • IP-based connection limits
  • Login attempt rate limiting
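The three brute-force controls above fit together as a guard that runs before the password check. The following is an added example, not code from the project (the page does not say what the server is written in; Go is assumed). The thresholds and the attempt-window length are constructed values for the example, not numbers from the spec.

```go
package main

import (
	"sync"
	"time"
)

// Thresholds are constructed for this example; the spec does not fix them.
const (
	maxPerIP        = 20               // attempts allowed per IP within ipWindow
	ipWindow        = time.Minute      // sliding window for the per-IP limit
	maxAccountFails = 5                // consecutive failures before an account locks
	lockoutDuration = 15 * time.Minute // how long a locked account stays locked
)

// LoginGuard combines an IP-based rate limit with a per-account lockout.
type LoginGuard struct {
	mu       sync.Mutex
	now      func() time.Time       // injectable clock so the windows are testable
	ipHits   map[string][]time.Time // attempt timestamps per IP (sliding window)
	fails    map[string]int         // consecutive failures per account
	lockedTo map[string]time.Time   // account -> time the lockout expires
}

func NewLoginGuard() *LoginGuard {
	return &LoginGuard{now: time.Now, ipHits: map[string][]time.Time{}, fails: map[string]int{}, lockedTo: map[string]time.Time{}}
}

// Allow reports whether an attempt from ip against account may proceed to the password
// check. The attempt is counted against the IP whether or not it is allowed, so a
// locked-out caller cannot keep probing for free. The reason is meant for logging only.
func (g *LoginGuard) Allow(ip, account string) (bool, string) {
	g.mu.Lock()
	defer g.mu.Unlock()
	now := g.now()
	recent := g.ipHits[ip][:0] // drop timestamps that fell out of the window, in place
	for _, t := range g.ipHits[ip] {
		if now.Sub(t) < ipWindow {
			recent = append(recent, t)
		}
	}
	recent = append(recent, now)
	g.ipHits[ip] = recent
	if len(recent) > maxPerIP {
		return false, "ip rate limit"
	}
	if until, ok := g.lockedTo[account]; ok && now.Before(until) {
		return false, "account locked"
	}
	return true, ""
}

// Record updates the per-account state after the password check has run.
func (g *LoginGuard) Record(account string, success bool) {
	g.mu.Lock()
	defer g.mu.Unlock()
	if success {
		delete(g.fails, account)
		delete(g.lockedTo, account)
		return
	}
	g.fails[account]++
	if g.fails[account] >= maxAccountFails {
		g.lockedTo[account] = g.now().Add(lockoutDuration)
		g.fails[account] = 0
	}
}
```

The reason string returned by Allow should only reach the logs; the HTTP response to the client stays the same generic failure whether the account is locked or the password was wrong, so the lockout cannot be used to confirm which accounts exist.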

2. Token Management

  • JWT issuance and verification
  • Secure Refresh Token management
  • JWKS (JSON Web Key Set) endpoint
  • Regular key rotation
  • Token theft detection

3. Cookie Management

  • Secure cookie configuration
    • HttpOnly attribute
    • SameSite=Strict attribute
    • Secure attribute (HTTPS environments)
    • Cross-domain compatible Domain settings
    • Appropriate expiration settings

4. Logout Functionality

  • Secure logout processing
  • Cookie deletion
  • Refresh Token invalidation
  • Redirect handling
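The cookie attributes in section 3 and the logout steps in section 4 come together in the two handlers below. This is an added example, not the project's code (Go is assumed; the page does not give the implementation language). The cookie name, the AuthHooks callbacks and the exact endpoint wiring are assumptions; the endpoint paths are the ones listed under API Endpoints. One caveat on the Domain attribute: a cookie can only be shared across hosts under one registrable domain (for example app1.pluie-lab.com and app2.pluie-lab.com), which SameSite=Strict still permits because those hosts count as the same site; it cannot bridge two unrelated domains.

```go
package main

import (
	"encoding/json"
	"net/http"
	"time"
)

const (
	refreshCookieName = "refresh_token"                         // constructed cookie name (assumption)
	refreshMaxAge     = int((7 * 24 * time.Hour) / time.Second) // 7-day validity from the spec, in seconds
)

// refreshCookie builds the refresh-token cookie with the attributes the spec lists. domain is the
// shared parent domain (e.g. "pluie-lab.com") so apps on its subdomains receive it; maxAge -1
// produces the deleting Set-Cookie header used at logout or when a token is rejected.
func refreshCookie(value, domain string, maxAge int) *http.Cookie {
	return &http.Cookie{
		Name:     refreshCookieName,
		Value:    value,
		Path:     "/",
		Domain:   domain,
		HttpOnly: true,                    // not readable from JavaScript
		Secure:   true,                    // only sent over HTTPS
		SameSite: http.SameSiteStrictMode, // never attached to cross-site requests
		MaxAge:   maxAge,
	}
}

// AuthHooks are the token-store operations the handlers need (an assumed interface, so the
// handlers can be read without the store implementation behind them).
type AuthHooks struct {
	Rotate      func(token string) (next, subject string, err error)
	Revoke      func(token string)
	IssueAccess func(subject string) string
}

// RefreshHandler serves POST /api/refresh: rotate the cookie token and return an access token.
func RefreshHandler(h AuthHooks, domain string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if c, err := r.Cookie(refreshCookieName); err == nil {
			if next, sub, rerr := h.Rotate(c.Value); rerr == nil {
				http.SetCookie(w, refreshCookie(next, domain, refreshMaxAge))
				w.Header().Set("Content-Type", "application/json")
				json.NewEncoder(w).Encode(map[string]string{"access_token": h.IssueAccess(sub)})
				return
			}
		}
		// Missing, expired or reused token: delete the cookie so the client stops retrying with it.
		http.SetCookie(w, refreshCookie("", domain, -1))
		http.Error(w, "unauthorized", http.StatusUnauthorized)
	}
}

// LogoutHandler serves POST /logout: revoke server-side, delete the cookie, then redirect.
func LogoutHandler(h AuthHooks, domain, redirectTo string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if c, err := r.Cookie(refreshCookieName); err == nil {
			h.Revoke(c.Value)
		}
		http.SetCookie(w, refreshCookie("", domain, -1))
		http.Redirect(w, r, redirectTo, http.StatusSeeOther)
	}
}
```

Deleting the cookie on every rejected refresh matters as much as on logout: a client left holding a dead or stolen-then-revoked token would otherwise keep presenting it on every page load.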

Technical Specifications

Refresh Token

  • Format: JWT or random string
  • Validity period: 7 days
  • Storage method: HttpOnly cookie
  • Rotation: New token issuance upon use
  • Invalidation conditions: Expiration, explicit logout, security-based invalidation
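The rotation and invalidation rules above, together with the token theft detection listed under Token Management, are what a server-side refresh-token store has to enforce. The following is an added example, not the project's code (Go assumed, as the page does not name the implementation language). It uses the "random string" format from the spec, an in-memory map standing in for the database, and an injectable clock so the 7-day expiry can be exercised.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"sync"
	"time"
)

const refreshTTL = 7 * 24 * time.Hour // validity period from the spec

var ErrInvalidRefresh = errors.New("invalid refresh token")

// refreshRecord is the server-side state behind one opaque refresh token.
type refreshRecord struct {
	family  string // every token descended from one login shares a family id
	subject string
	expires time.Time
	used    bool // set once this token has been exchanged for its successor
}

// RefreshStore keeps tokens in memory; a deployment would back it with a database.
type RefreshStore struct {
	mu      sync.Mutex
	tokens  map[string]*refreshRecord
	revoked map[string]bool  // families ended by logout or theft detection
	now     func() time.Time // injectable clock so expiry is testable
}

func NewRefreshStore() *RefreshStore {
	return &RefreshStore{tokens: map[string]*refreshRecord{}, revoked: map[string]bool{}, now: time.Now}
}

// randomToken returns 256 bits from crypto/rand, base64url-encoded (the "random string" format).
func randomToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

func (s *RefreshStore) add(subject, family string) string {
	t := randomToken()
	s.tokens[t] = &refreshRecord{family: family, subject: subject, expires: s.now().Add(refreshTTL)}
	return t
}

// Issue starts a new token family at login.
func (s *RefreshStore) Issue(subject string) string {
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.add(subject, randomToken())
}

// Rotate exchanges a live token for its successor. A token presented a second time means two
// parties hold the same credential (the real client and whoever copied it), so the whole
// family is revoked rather than guessing which presenter is the legitimate one.
func (s *RefreshStore) Rotate(token string) (next, subject string, err error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	rec, ok := s.tokens[token]
	if !ok || s.revoked[rec.family] || s.now().After(rec.expires) {
		return "", "", ErrInvalidRefresh
	}
	if rec.used {
		s.revoked[rec.family] = true // theft detection
		return "", "", ErrInvalidRefresh
	}
	rec.used = true
	return s.add(rec.subject, rec.family), rec.subject, nil
}

// Revoke ends a family at explicit logout or on any other security-based invalidation.
func (s *RefreshStore) Revoke(token string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if rec, ok := s.tokens[token]; ok {
		s.revoked[rec.family] = true
	}
}
```

The family id is what turns rotation into theft detection: once a rotated-out token is replayed, the store cannot tell the legitimate client from the copy, so revoking the family forces both to log in again, and the replay itself is the event worth alerting on.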

Access Token

  • Format: JWT
  • Signature algorithm: RS256/ES256
  • Validity period: 15 minutes
  • Return method: JSON response
  • Payload:
    • Issuer
    • Subject
    • Audience
    • Expiration
    • Issued at
    • JWT ID
    • Scope/permissions

Key Management

  • RSA 2048-bit or EC P-256
  • Key ID (kid) for identification
  • Regular rotation every 30 days
  • Multiple valid keys during transition periods

API Endpoints

Public APIs

  • GET /.well-known/jwks.json - Public key set for JWT verification
  • GET /login - Display login page
  • POST /login - User authentication processing
  • POST /logout - Logout processing
  • POST /api/refresh - Access Token renewal
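The Access Token and Key Management sections, plus the GET /.well-known/jwks.json endpoint above, describe one lifecycle: the auth server signs short-lived ES256 JWTs with the current key and publishes every still-valid public key under its kid, and each relying service verifies tokens against that published set. The block below is an added example covering all three, not the project's code (Go assumed; the page does not give the implementation language). The kid derivation from the public point and the claims being passed as a plain map are assumptions; the claim names are the ones listed in the Access Token payload. Only the ES256 option from the spec is implemented, and verification also checks the edge cases a practitioner cares about: a token naming a different algorithm, a kid that is no longer published, a tampered signature and an expired exp.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

// KeyRing holds every key still valid for verification, by kid; Active signs new tokens.
// Rotated-out keys stay in the ring (and in the JWKS) until the tokens they signed have expired.
type KeyRing struct {
	Keys   map[string]*ecdsa.PrivateKey
	Active string
}

func NewKeyRing() *KeyRing { return &KeyRing{Keys: map[string]*ecdsa.PrivateKey{}} }

// coord left-pads a P-256 coordinate to the fixed 32 bytes a JWK expects.
func coord(n *big.Int) []byte { return n.FillBytes(make([]byte, 32)) }

// Rotate generates a fresh P-256 key and makes it the signing key. The kid is derived from
// the public point (an assumption; the spec only asks for an identifier).
func (kr *KeyRing) Rotate() (string, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(append(coord(priv.X), coord(priv.Y)...))
	kid := base64.RawURLEncoding.EncodeToString(sum[:8])
	kr.Keys[kid], kr.Active = priv, kid
	return kid, nil
}

// JWKS renders the public half of every ring key: the body served at /.well-known/jwks.json.
func (kr *KeyRing) JWKS() []byte {
	keys := []map[string]string{}
	for kid, k := range kr.Keys {
		keys = append(keys, map[string]string{"kty": "EC", "crv": "P-256", "use": "sig", "alg": "ES256", "kid": kid,
			"x": base64.RawURLEncoding.EncodeToString(coord(k.X)), "y": base64.RawURLEncoding.EncodeToString(coord(k.Y))})
	}
	out, _ := json.Marshal(map[string]any{"keys": keys})
	return out
}

// Sign issues an ES256 JWT over the claims (iss, sub, aud, exp, iat, jti, scope) with the
// active key; the kid header tells verifiers which JWKS entry to use.
func (kr *KeyRing) Sign(claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": kr.Active})
	pl, _ := json.Marshal(claims)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(pl)
	h := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, kr.Keys[kr.Active], h[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JOSE form: r || s, each left-padded to 32 bytes
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// Verify is the relying-service side: pin the algorithm, select the key by kid from the
// fetched JWKS document, check the signature, then issuer, audience and expiry.
func Verify(token string, jwks []byte, iss, aud string, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hb, e1 := base64.RawURLEncoding.DecodeString(parts[0])
	pb, e2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, e3 := base64.RawURLEncoding.DecodeString(parts[2])
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg" and "kid" case-insensitively
	if e1 != nil || e2 != nil || e3 != nil || len(sig) != 64 || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "ES256" {
		return nil, errors.New("malformed token or unexpected alg") // the token never chooses its own algorithm
	}
	var set struct{ Keys []map[string]string }
	var pub *ecdsa.PublicKey
	_ = json.Unmarshal(jwks, &set)
	for _, k := range set.Keys {
		if k["kid"] == hdr.Kid && k["kty"] == "EC" && k["crv"] == "P-256" {
			x, _ := base64.RawURLEncoding.DecodeString(k["x"])
			y, _ := base64.RawURLEncoding.DecodeString(k["y"])
			pub = &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
		}
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if pub == nil || !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("unknown kid or bad signature")
	}
	var claims map[string]any
	_ = json.Unmarshal(pb, &claims) // a failed parse leaves claims nil, which the checks below reject
	if exp, _ := claims["exp"].(float64); claims["iss"] != iss || claims["aud"] != aud || now.Unix() >= int64(exp) {
		return nil, errors.New("claims rejected (issuer, audience or expiry)")
	}
	return claims, nil
}
```

Two design points carry the security here. The verifier compares the header's alg against the single algorithm it expects instead of dispatching on whatever the token says, which is what closes the classic alg:none and key-confusion problems. And because old keys are retired by removing them from the ring rather than by any action on the tokens, the 30-day rotation window in the spec only needs to be longer than the 15-minute access-token lifetime for the overlap to be seamless.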

Security Considerations

  • CSRF prevention
  • XSS prevention
  • Password strength validation
  • Account lockout functionality
  • Logging and auditing
  • Error handling

Next Steps

  1. Detailed server architecture design
  2. Database model design
  3. Detailed API specification documentation
  4. Frontend UI design
  5. Backend API implementation
  6. Security testing
  7. Operations design (monitoring, logging, maintenance)