AuthGuard

A drop-in authentication microservice. Handles registration, login, MFA, SSO, and session management so your apps don't have to.

View on GitHub

How it works

Users sign up or log in with email/password or Google SSO. If MFA is enabled, a 6-digit code is sent to their email for verification.

01  Sign In

Users authenticate with email/password or continue with Google through the OAuth 2.0 authorization code flow with PKCE. Passwords are checked against bcrypt hashes stored with a work factor of 14 (2^14 iterations); the plaintext is never persisted.

[Screenshot: Sign in page]

02  Sign Up

New users register with name, email, and a strong password. Server-side Zod schemas validate every field before anything touches the database. Duplicate emails are rejected with clear feedback.

[Screenshot: Sign up page]

03  MFA Verification

When MFA is enabled, a 6-digit one-time code is sent by email. Only a bcrypt hash of each code is stored, never the code itself. After 10 failed attempts the challenge enters a 15-minute cooldown before further verification is accepted.

[Screenshot: MFA verification page]
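The MFA step above in working code, as an added example rather than AuthGuard's own implementation: a code is minted, only a slow hash of it is stored, and verification enforces single use, the 10-failure limit and the 15-minute cooldown the page describes. It uses scrypt from node:crypto as a stand-in for bcrypt so it runs without extra packages; the 10-minute code lifetime is an assumption, since the page does not state one.

```typescript
import { randomBytes, randomInt, scryptSync, timingSafeEqual } from "node:crypto";

// Added example, not AuthGuard's code. Policy values from the page: 6-digit code,
// 10 failed attempts, then a 15-minute cooldown. scrypt stands in for bcrypt here.
const MAX_FAILED_ATTEMPTS = 10;
const COOLDOWN_MS = 15 * 60 * 1000;
const CODE_TTL_MS = 10 * 60 * 1000; // ASSUMPTION: the page does not state a code lifetime

interface MfaChallenge {
  salt: Buffer;
  codeHash: Buffer;      // slow hash of the code; the clear-text code is never stored
  expiresAt: number;     // epoch ms
  failedAttempts: number;
  cooldownUntil: number; // epoch ms, 0 when no cooldown is active
  used: boolean;         // a code is single-use
}

function hashCode(code: string, salt: Buffer): Buffer {
  return scryptSync(code, salt, 32, { N: 16384, r: 8, p: 1 });
}

// Server side of "send or resend MFA code": mint a code, store only its hash,
// and hand the clear-text code to the mailer (the page uses AWS SES for that).
function issueChallenge(now: number): { challenge: MfaChallenge; code: string } {
  // randomInt is CSPRNG-backed; padStart keeps leading zeros so every value is 6 digits
  const code = randomInt(0, 1_000_000).toString().padStart(6, "0");
  const salt = randomBytes(16);
  const challenge: MfaChallenge = {
    salt,
    codeHash: hashCode(code, salt),
    expiresAt: now + CODE_TTL_MS,
    failedAttempts: 0,
    cooldownUntil: 0,
    used: false,
  };
  return { challenge, code };
}

type VerifyResult = "ok" | "invalid" | "expired" | "cooldown";

function recordFailure(ch: MfaChallenge, now: number): VerifyResult {
  ch.failedAttempts += 1;
  if (ch.failedAttempts >= MAX_FAILED_ATTEMPTS) {
    ch.cooldownUntil = now + COOLDOWN_MS; // lock the challenge for 15 minutes
    ch.failedAttempts = 0;
  }
  return "invalid";
}

// Server side of "verify MFA code"
function verifyCode(ch: MfaChallenge, submitted: string, now: number): VerifyResult {
  if (now < ch.cooldownUntil) return "cooldown";             // checked first: no hashing while locked
  if (ch.used || now > ch.expiresAt) return "expired";        // consumed or stale codes are dead
  if (!/^\d{6}$/.test(submitted)) return recordFailure(ch, now); // malformed input still counts
  const candidate = hashCode(submitted, ch.salt);
  if (candidate.length === ch.codeHash.length && timingSafeEqual(candidate, ch.codeHash)) {
    ch.used = true;
    return "ok";
  }
  return recordFailure(ch, now);
}
```

A 6-digit code has only a million possible values, so hashing it at rest mainly slows an attacker who has already dumped the database; the attempt counter and cooldown are the control that actually stops online guessing, which is why they are checked before any hashing work is done.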

Tech Stack

Split into a React client and Express server, deployed via Kubernetes with NGINX ingress and TLS.

Server

REST API handling auth flows, token management, and sessions.

Express.js, TypeScript, MongoDB, jose (JOSE/JWT library), AWS SES (email delivery)

Client

Login, registration, and MFA UI with real-time validation.

React 18, Ant Design, Tailwind, Zod, Vite

Infrastructure

Containerized deployment with K8s orchestration.

Docker, Kubernetes, Skaffold, NGINX, TLS

Auth Flow

Server-side (stateful) sessions paired with short-lived JWT access tokens, plus the OAuth 2.0 authorization code flow with PKCE for SSO.

ES256, key rotation, PKCE, bcrypt
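The PKCE half of the auth flow, as an added example that is not AuthGuard's code: the client (or its backend) generates a code_verifier and S256 challenge plus a state value, the callback binds the returned state to the pending request before redeeming the code, and the authorization server recomputes the challenge from the presented verifier. The endpoint, client ID and redirect URI are placeholders; only node:crypto and the WHATWG URL classes are used.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// Added example, not AuthGuard's code: OAuth 2.0 authorization code flow with
// PKCE (RFC 7636, S256 method) and a CSRF-binding state parameter.

const b64u = (b: Buffer): string => b.toString("base64url");

// 32 random bytes -> 43 base64url chars: inside RFC 7636's 43..128 length limit
// and entirely within its unreserved alphabet [A-Za-z0-9-._~]
function createCodeVerifier(): string {
  return b64u(randomBytes(32));
}

// S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
function computeCodeChallenge(verifier: string): string {
  return b64u(createHash("sha256").update(verifier, "ascii").digest());
}

interface PendingAuthorization { state: string; codeVerifier: string; provider: string }

// Step 1 (client side, e.g. the /auth/signin/sso/{provider} redirect): build the
// authorization URL and keep state + verifier server-side until the callback.
function beginAuthorization(
  authorizeEndpoint: string, clientId: string, redirectUri: string, scope: string, provider: string,
): { url: string; pending: PendingAuthorization } {
  const pending: PendingAuthorization = {
    state: b64u(randomBytes(16)),
    codeVerifier: createCodeVerifier(),
    provider,
  };
  const u = new URL(authorizeEndpoint);
  u.searchParams.set("response_type", "code");
  u.searchParams.set("client_id", clientId);
  u.searchParams.set("redirect_uri", redirectUri);
  u.searchParams.set("scope", scope);
  u.searchParams.set("state", pending.state);
  u.searchParams.set("code_challenge", computeCodeChallenge(pending.codeVerifier));
  u.searchParams.set("code_challenge_method", "S256");
  return { url: u.toString(), pending };
}

// Constant-time string comparison; lengths are checked first because timingSafeEqual throws on mismatch
function safeEqual(a: string, b: string): boolean {
  const ab = Buffer.from(a, "utf8");
  const bb = Buffer.from(b, "utf8");
  return ab.length === bb.length && timingSafeEqual(ab, bb);
}

// Step 2 (client side, the /callback): refuse anything whose state does not match
// the pending request, otherwise build the token request carrying code_verifier.
function handleCallback(
  pending: PendingAuthorization | undefined,
  query: { code?: string; state?: string },
  clientId: string, redirectUri: string,
): URLSearchParams | null {
  if (!pending || !query.code || !query.state || !safeEqual(query.state, pending.state)) return null;
  return new URLSearchParams({
    grant_type: "authorization_code",
    code: query.code,
    client_id: clientId,
    redirect_uri: redirectUri,
    code_verifier: pending.codeVerifier,
  });
}

// Step 3 (authorization server side of the token endpoint): the code was issued
// against a stored challenge; accept the verifier only if it hashes to that challenge.
function serverAcceptsVerifier(storedChallenge: string, storedMethod: string, presentedVerifier: string): boolean {
  if (storedMethod !== "S256") return false; // do not fall back to the "plain" method
  return safeEqual(computeCodeChallenge(presentedVerifier), storedChallenge);
}
```

The state check protects the callback against login CSRF (an attacker completing their own authorization in the victim's browser); the verifier check protects the authorization code itself against interception, since a stolen code is useless without the verifier that never left the client.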

API Reference

A full OpenAPI 3.0 spec with Swagger UI is served in development only. All paths below are relative to /api/accounts.

Method  Endpoint                                 Description
POST    /auth/signin                             Email/password login
POST    /auth/signup                             Registration
DELETE  /auth/signout                            Logout (clears the session)
GET     /auth/signin/sso/{provider}              OAuth redirect (Google, Microsoft)
GET     /auth/signin/sso/{provider}/callback     OAuth callback
POST    /auth/mfa/challenge                      Get MFA challenge details
POST    /auth/mfa/challenge/send                 Send or resend an MFA code
POST    /auth/mfa/challenge/verify               Verify an MFA code
GET     /users/me                                Current user info
GET     /users/me/linked-accounts                List linked SSO accounts
DELETE  /users/me/linked-accounts/{provider}     Unlink an SSO account
GET     /users/me/sessions                       List active sessions
DELETE  /users/me/sessions/{id}                  Revoke a session

[Screenshot: Swagger UI documentation]

Security Design

Every layer is designed with security in mind, from password storage to token signing to rate limiting.

Password Hashing:  bcrypt, work factor 14
Token Signing:     ES256 (ECDSA over P-256 with SHA-256)
Key Management:    Dual-key rotation (a new signing key is introduced while the previous one remains available for verification)
OAuth Flow:        Authorization code with PKCE and a state parameter
MFA Codes:         bcrypt-hashed at rest
Rate Limiting:     10 requests per 15 minutes
Session TTL:       90 days, with expired sessions cleaned up automatically
Access Token:      1-hour expiry