SECURE AUTHENTICATION IMPLEMENTATION GUIDE | VIBEEVAL

Never Build Custom Authentication

AI-generated authentication code is frequently vulnerable. Building secure authentication requires expertise in cryptography, session management, and attack vectors. Always use established authentication libraries and services like Supabase Auth, Firebase Auth, or Auth0 instead of custom implementations.

Authentication Security Checklist

Follow these 12 steps to properly implement authentication. Critical items are non-negotiable security requirements for any authentication system.

Use established authentication libraries

Never build custom authentication from scratch. Use Supabase Auth, Firebase Auth, Auth0, NextAuth.js, or Passport.js instead of rolling your own.

Hash passwords with bcrypt or argon2

Never store plaintext passwords. Use bcrypt with cost factor 12+ or argon2id for password hashing. Reject weak hash functions like MD5 or SHA1.

Implement secure session management

Use cryptographically secure session tokens, set HttpOnly and Secure flags on cookies, and implement session timeout and rotation.

Validate JWT tokens properly

Verify JWT signature, check expiration and issuer claims, and reject tokens with suspicious claims. Never trust client-provided tokens without verification.

Enforce password strength requirements

Require minimum length of 12+ characters. Check against common password lists and prevent use of leaked passwords from breaches.

Implement account lockout

Lock accounts after 5-10 failed login attempts to prevent brute force attacks. Use exponential backoff or CAPTCHA for additional protection.

Add multi-factor authentication (MFA)

Support TOTP, SMS, or email-based second factor authentication for sensitive operations and high-value accounts.

Implement secure password reset

Use time-limited, single-use tokens sent to verified email addresses. Never reset passwords via security questions or unverified channels.

Log authentication events

Record successful logins, failed attempts, password changes, and MFA enrollment for security monitoring and incident response.

Use secure random for tokens

Generate session tokens, reset tokens, and API keys using cryptographically secure random sources, not Math.random() or predictable sequences.

Implement refresh token rotation

Use short-lived access tokens with refresh tokens. Rotate refresh tokens on each use and revoke tokens on logout.

Add authentication monitoring

Alert on suspicious patterns like logins from new locations, multiple failed attempts, or unusual access times for user accounts.

Common Authentication Vulnerabilities

Weak Password Hashing

Using MD5, SHA1, or plaintext storage instead of bcrypt or argon2, allowing attackers to easily crack stolen password databases

JWT Verification Skipped

Accepting JWT tokens without signature verification, allowing attackers to forge tokens and impersonate any user

Session Tokens in URLs

Passing authentication tokens in URL query parameters instead of cookies or headers, exposing them in logs and browser history

No Brute Force Protection

Missing rate limiting or account lockout allows unlimited login attempts, enabling credential stuffing and password guessing attacks

Related Resources

Authorization Patterns

RBAC and access control models

API Security Guide

Protecting API endpoints

Supabase RLS Guide

Implementing Row Level Security

Supabase Security Guide

Complete Supabase security

Test Your Authentication Security

VibeEval automatically tests authentication implementations for weak password hashing, JWT vulnerabilities, session hijacking, and brute force protection gaps.