The latest articles on DEV Community by GDS K S (@thegdsks). https://dev.to/thegdsks https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3592860%2F7dec468f-4f91-4b1d-9d24-99091e204707.jpg https://dev.to/thegdsks en GDS K S Thu, 23 Apr 2026 20:41:06 +0000 https://dev.to/thegdsks/claude-code-felt-off-for-a-month-here-is-what-broke-751 https://dev.to/thegdsks/claude-code-felt-off-for-a-month-here-is-what-broke-751 <p>For about four weeks in March and April, Claude Code felt noticeably worse. I was not imagining it. Sessions got repetitive. Tool calls chose weird paths. My usage limits emptied faster than the work I got out of them. I kept switching models, clearing context, restarting CLIs, convinced I had broken something in my own setup.</p> <p>Then on April 23 Anthropic <a href="https://www.anthropic.com/engineering/april-23-postmortem" rel="noopener noreferrer">published a postmortem</a>. Three separate bugs, all resolved by April 20. Usage limits were reset for every subscriber as compensation. The apology was thorough. The more interesting part is what the timeline reveals about the failure modes of agent products, and what that means for any developer building on top of one.</p> <h2> TL;DR </h2> <blockquote> <p>The three bugs overlapped. All three felt like the same thing to users: Claude got dumber. None would have been caught by a normal test suite.</p> </blockquote> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>#</th> <th>Window</th> <th>Bug</th> <th>Fix</th> </tr> </thead> <tbody> <tr> <td>1</td> <td>Mar 4 – Apr 7</td> <td>Reasoning effort default lowered <code>high</code> → <code>medium</code> for latency</td> <td>Reverted Apr 7</td> </tr> <tr> <td>2</td> <td>Mar 26 – Apr 10</td> <td>Cache cleared "thinking blocks" every turn after 1h idle, not once</td> <td>CLI <code>v2.1.101</code> </td> </tr> <tr> <td>3</td> <td>Apr 16 – Apr 20</td> <td>Prompt capped responses to 25/100 words, cost ~3% benchmark intelligence</td> <td>CLI <code>v2.1.116</code> </td> </tr> </tbody> </table></div> <h2> The three bugs, expanded </h2> <h3> Bug 1: the silent default change </h3> <p>On March 4, Anthropic lowered the default reasoning effort from <code>high</code> to <code>medium</code> to reduce latency. It was a product call, not a bug per se, and the reasoning was defensible. Users noticed anyway. Reverted April 7.</p> <blockquote> <p><strong>Lesson:</strong> a "config" change to an agent's reasoning budget is a model change. It deserves a changelog entry. Quietly tuning it down to hit a latency target is the kind of decision that reads reasonable in a meeting and awful in a transcript.</p> </blockquote> <h3> Bug 2: the caching regression </h3> <p>This one is the scariest of the three. A prompt-cache optimization shipped March 26. The intent was to clear "thinking blocks" from the cache after an hour of inactivity, once. The implementation cleared them on every turn after that first hour.</p> <p>The symptom was that Claude became forgetful. It repeated itself. It picked strange tools. It burned through usage quotas far faster than the same session would have a week earlier. None of that raised an HTTP 500 or fired a test alert. It only manifested as "this feels worse."</p> <p> Click for the exact shape of the regression <p>The cache was supposed to do this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>t=0: start session, thinking blocks written to cache t=1h: cache cleared once due to inactivity t=1h+1turn: normal flow resumes, new thinking blocks cached </code></pre> </div> <p>Instead it did this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>t=0: start session, thinking blocks written to cache t=1h: cache cleared due to inactivity t=1h+1turn: new thinking blocks cached... then cleared t=1h+2turn: thinking blocks cached... then cleared [repeat every turn] </code></pre> </div> <p>Each turn paid the full cost of re-deriving reasoning from scratch, and lost the prior context.</p> <br> </p> <h3> Bug 3: the word-limit constraint </h3> <p>Someone added this to the system prompt on April 16:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>keep text between tool calls to ≤25 words. keep final responses to ≤100 words. </code></pre> </div> <p>It read fine. It even looks like the kind of instruction I would write to tighten my own agents. What it actually did was clip the model by roughly 3% across the benchmark suite. Reverted April 20.</p> <h2> What I learned running projects on top of this </h2> <p>Two lessons stuck.</p> <p><strong>Agent regressions are diffuse.</strong> A classic API regression has a clear signal. The test fails, the error rate spikes, the latency chart moves. An agent regression shows up as <em>my work feels worse</em>. The only way I caught anything was by noticing I was redoing work more often, not because a metric turned red. If you are building tools that route to an agent, you need a drift signal that does not rely on exceptions or HTTP status codes.</p> <p><strong>Caching is the most dangerous optimization in agent systems.</strong> The bug with the biggest blast radius was, on paper, a small optimization with an obvious upside. It was not visible until you imagined what happens when "clear thinking blocks after inactivity" runs every turn instead of once. In my own tooling I have pulled back on aggressive cache-invalidation heuristics since reading this.</p> <blockquote> <p>If it is not obvious that the cache key captures every meaningful state change, I would rather pay for the tokens.</p> </blockquote> <h2> What this means for tool builders </h2> <p>I build a small local tool that orchestrates Claude to draft and publish articles. Reading this postmortem changed a few defaults in how I build.</p> <h3> 1. Version your prompts </h3> <p>Every system prompt my tooling ships now embeds a version string in a trailing comment. Git tells me the same thing, but an ad hoc marker is faster to spot in a transcript.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">SYSTEM_PROMPT</span> <span class="o">=</span> <span class="s2">`You are a writing assistant for Dev.to articles. Follow the style guide. Prefer short sentences for impact. &lt;!-- prompt-v: 2026-04-23.3 --&gt;`</span><span class="p">;</span> </code></pre> </div> <p>When a session feels off, I grep for the version in the transcript. If it has drifted, I know where to look.</p> <h3> 2. Log tokens per turn </h3> <p>A silent spike in tokens-per-turn is exactly what the caching bug would have produced in my transcripts. That was not a thing I was watching for.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="dl">"</span><span class="s2">turn</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">completed</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">turn</span><span class="p">:</span> <span class="nx">turnIndex</span><span class="p">,</span> <span class="na">inputTokens</span><span class="p">:</span> <span class="nx">usage</span><span class="p">.</span><span class="nx">input_tokens</span><span class="p">,</span> <span class="na">outputTokens</span><span class="p">:</span> <span class="nx">usage</span><span class="p">.</span><span class="nx">output_tokens</span><span class="p">,</span> <span class="na">cacheHit</span><span class="p">:</span> <span class="nx">usage</span><span class="p">.</span><span class="nx">cache_read_input_tokens</span> <span class="o">??</span> <span class="mi">0</span><span class="p">,</span> <span class="na">promptVersion</span><span class="p">:</span> <span class="dl">"</span><span class="s2">2026-04-23.3</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <p>A rolling average of input tokens per turn is a cheap drift detector. If it doubles on a Tuesday and your code has not changed, the thing underneath you has.</p> <h3> 3. Stop testing agents with toy tasks </h3> <p>The bugs Anthropic describes would not have shown up in a short demo. They only surface in sessions that run long enough for the agent to need its earlier reasoning, or for the cache to kick in.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Eval type</th> <th>Catches bug 1?</th> <th>Bug 2?</th> <th>Bug 3?</th> </tr> </thead> <tbody> <tr> <td>Single-prompt accuracy bench</td> <td>maybe</td> <td>no</td> <td>no</td> </tr> <tr> <td>Short multi-turn demo</td> <td>no</td> <td>no</td> <td>maybe</td> </tr> <tr> <td>30-minute real session</td> <td>yes</td> <td>yes</td> <td>yes</td> </tr> </tbody> </table></div> <p>If you are benchmarking an agent for production use, your evaluation needs sessions that last at least half an hour of real work. Anything shorter gives false confidence.</p> <h2> The tradeoff nobody is naming </h2> <p>Here is the uncomfortable part. The fixes Anthropic describes are the kind you only find by rolling back and listening to complaints. Each of the three initial changes was made for a reasonable-sounding reason.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Change</th> <th>Stated reason</th> <th>Actual cost</th> </tr> </thead> <tbody> <tr> <td>Lower default effort</td> <td>Latency matters</td> <td>Perceived IQ drop</td> </tr> <tr> <td>Cache aggressively</td> <td>Money matters</td> <td>Thinking history destroyed every turn</td> </tr> <tr> <td>Constrain response length</td> <td>Readability matters</td> <td>3% benchmark hit</td> </tr> </tbody> </table></div> <p>The problem is that agent quality is multi-dimensional, and the postmortem made visible something most vendors quietly hope users do not notice. You cannot A/B test an agent the way you A/B test a search ranker. The feedback loop is noisy, delayed, and routed through the subjective experience of people who already had a rough day.</p> <p>Anthropic did the right thing by publishing the timeline. Most vendors do not.</p> <h2> At Glincker </h2> <p>At <a href="https://glincker.com" rel="noopener noreferrer">Glincker</a> I am building tooling that assumes the underlying model is going to wobble, not that it is going to be stable. The orchestration layer logs enough to catch regressions my users cannot articulate. The retry logic notices when the agent is burning effort without making progress. The postmortem did not change my plan. It confirmed it.</p> <h2> The bottom line </h2> <ul> <li>Three bugs, four weeks, an ecosystem of developers quietly wondering if they should switch tools.</li> <li>Short evals would not have caught any of them.</li> <li>Prompt versions, per-turn token logging, and long-session evals are the minimum viable drift detectors.</li> <li>When you build on top of an agent, you are depending on a product team's prompt, their cache policy, and their default settings. All three can change without a version bump you would notice.</li> </ul> <p>Read the <a href="https://www.anthropic.com/engineering/april-23-postmortem" rel="noopener noreferrer">full postmortem</a>. Then look at whether your own tooling would have caught any of these regressions. Mine would not have, fast enough. I have some work to do.</p> ai productivity webdev tutorial GDS K S Thu, 23 Apr 2026 04:45:18 +0000 https://dev.to/thegdsks/the-token-tab-a-developers-audit-of-the-ai-hype-stack-6gg https://dev.to/thegdsks/the-token-tab-a-developers-audit-of-the-ai-hype-stack-6gg <p>A GitHub repo I starred in January does not run anymore. The tutorial I followed in February has a pinned issue that says "keys getting banned." The Mac mini I was going to buy is still on the wish list, which turns out to be the only part of this I got right.</p> <p>This is not an anti-AI post. The tools are real, the tokens are real, the productivity wins are real. But most AI tutorials in 2026 are selling layers 1 and 4 of a four-layer stack and hoping you do not look at layers 2 and 3 until after your credit card is on file.</p> <p>This post is a teardown of those four layers, with real numbers, and a checklist you can run on any tool before you commit hardware or a subscription to it.</p> <h2> The four layers of the hype stack </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Layer</th> <th>What it is</th> <th>Who pays for it</th> </tr> </thead> <tbody> <tr> <td>1. UI wrapper</td> <td>The app you interact with</td> <td>You (subscription)</td> </tr> <tr> <td>2. Orchestration</td> <td>Agent loop, tool calls, memory, retries</td> <td>You (eventually, in tokens)</td> </tr> <tr> <td>3. Inference</td> <td>The model behind the curtain</td> <td>You (tokens) or the provider (loss)</td> </tr> <tr> <td>4. Hardware</td> <td>Whatever runs the inference</td> <td>Data center, or your desk</td> </tr> </tbody> </table></div> <p>Most hype cycles concentrate on layers 1 and 4 because those are the layers a YouTube thumbnail can sell. A slick dashboard on layer 1. A glowing Mac mini on layer 4. Layer 2 is engineering and hard to video. Layer 3 is invisible until the bill arrives.</p> <blockquote> <p><strong>Rule of thumb:</strong> If a tutorial spends more time unboxing a Mac mini than discussing the inference bill, layer 3 is where your surprise is going to land.</p> </blockquote> <h2> Layer 1: The wrapper </h2> <p>Call it what you want. Agent, copilot, assistant, IDE extension, self-hosted dashboard. The UX sits on top of someone else's model. That is not a bad thing. Wrappers are legitimate businesses. The problem is when the pitch implies the wrapper is the product, which it almost never is.</p> <p>Audit questions for layer 1:</p> <ul> <li>Can I swap the model underneath without rewriting my workflow?</li> <li>What happens to my prompts, context, and memory if the provider changes ToS?</li> <li>Is there a ToS clause in the provider's terms that names this tool, or its category, as prohibited?</li> </ul> <p>That last one bites harder than people realize. As of April 2026 there are several major provider ToS updates that explicitly prohibit certain third-party agentic tools. Users have reported keys being revoked. A wrapper that routes through a non-permitted path is one enforcement pass away from being a paperweight.</p> <h2> Layer 2: Orchestration </h2> <p>This is where the real engineering lives. Tool calling, retries, memory, sandboxing, error recovery, concurrency, cost control. Most OSS projects that show off a "watch it book my flight" demo are one degraded model or one retry storm away from the same flow taking forty minutes and four dollars in tokens.</p> <p>Agent loops are where cost explodes. A single user message can trigger ten or fifteen tool calls, each with a full context window of system prompt, tool descriptions, and prior turns. Input tokens dominate. You do not see this on the demo.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Simplified agent loop cost surface </span><span class="k">def</span> <span class="nf">agent_run</span><span class="p">(</span><span class="n">user_msg</span><span class="p">):</span> <span class="n">context</span> <span class="o">=</span> <span class="nf">load_memory</span><span class="p">()</span> <span class="c1"># N input tokens </span> <span class="k">while</span> <span class="ow">not</span> <span class="n">done</span><span class="p">:</span> <span class="n">response</span> <span class="o">=</span> <span class="n">llm</span><span class="p">.</span><span class="nf">call</span><span class="p">(</span> <span class="c1"># N input + M output tokens </span> <span class="n">system</span> <span class="o">+</span> <span class="n">tools</span> <span class="o">+</span> <span class="n">context</span> <span class="p">)</span> <span class="n">tool_result</span> <span class="o">=</span> <span class="nf">run_tool</span><span class="p">(</span><span class="n">response</span><span class="p">)</span> <span class="n">context</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">tool_result</span><span class="p">)</span> <span class="c1"># grows N each iteration </span> <span class="k">return</span> <span class="n">final_answer</span> </code></pre> </div> <p>Notice the loop. Each iteration includes the full context of every previous iteration. A ten-step agent run with a 30K-token system prompt and 4K-token tool results runs roughly 300K input tokens before you count output. At current Claude Sonnet rates that is about $0.90 for a single user request. Do that twenty times a day and you have replaced a $20 subscription with a $540 month.</p> <p>Real numbers from the All-In podcast in February 2026:</p> <ul> <li>Jason Calacanis: his team's AI agents were running at $300 a day, roughly $110K annualized.</li> <li>Chamath Palihapitiya: started imposing token budgets on his developers. Direct quote, paraphrased: "I'll run out of money."</li> <li>Mark Cuban: eight Claude agents at $300 a day plus a human maintaining them at $200 a day costs more than the employee they replace.</li> </ul> <p>These are people who can afford it. They are flinching.</p> <p>Audit questions for layer 2:</p> <ul> <li>What is the worst-case token spend on a single request loop?</li> <li>Does the agent have a hard cap on tool-call iterations?</li> <li>Is retry logic fixed-interval or exponential? Exponential plus a flaky tool is where budgets die.</li> <li>Does the memory layer grow unbounded, or is it summarized?</li> </ul> <h2> Layer 3: Inference </h2> <p>Every tool you are looking at, self-hosted or otherwise, runs on someone's inference bill. When a subscription "includes" a feature, somebody is eating the difference. That works until it does not.</p> <p>Recent, concrete, April 2026 examples:</p> <ul> <li> <strong>April 4, 2026:</strong> Anthropic revoked subscription billing for third-party tools. OpenClaw and similar tools that previously rode on a Pro/Max subscription now bill to Extra Usage.</li> <li> <strong>April 21, 2026:</strong> Anthropic A/B tested removing Claude Code from the $20 Pro plan for 2% of new signups. The pricing page briefly reflected the removal before clarification.</li> <li> <strong>2025 and 2026 economics:</strong> OpenAI reportedly burned about $8 billion against $13 billion in revenue in 2025, with roughly $14 billion in losses projected for 2026. Sam Altman has publicly said OpenAI loses money on the $200/month ChatGPT Pro tier.</li> <li> <strong>GTC 2026:</strong> Jensen Huang put a gigawatt data center, amortized over 15 years, at roughly $40 billion empty.</li> </ul> <p>Per-token prices have collapsed. GPT-4 input tokens went from $30 per million to $2.50 per million in eighteen months, an 80 to 90 percent drop. The floor is not zero, and consumption keeps rising faster than price falls.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Metric</th> <th>2023</th> <th>2025/2026</th> <th>Change</th> </tr> </thead> <tbody> <tr> <td>GPT-4-class input tokens</td> <td>$30/M</td> <td>~$2.50/M</td> <td>-90%</td> </tr> <tr> <td>Avg enterprise AI spend</td> <td>—</td> <td>$85K/month</td> <td>+36% YoY</td> </tr> <tr> <td>Orgs spending &gt;$100K/month</td> <td>baseline</td> <td>2x baseline</td> <td>doubled</td> </tr> <tr> <td>Daily tokens processed (China alone)</td> <td>100B (Jan 2024)</td> <td>140T</td> <td>~1400x</td> </tr> </tbody> </table></div> <p>The structural problem: per-token costs are down 80-90% in 18 months, per-user consumption is up faster. Your effective monthly bill is not going down.</p> <p>Audit questions for layer 3:</p> <ul> <li>If the provider moved every call to strict pay-per-token tomorrow, what would my monthly bill look like?</li> <li>Can I cap spend at the provider level, not just the app level?</li> <li>Does the tool work with a local fallback that preserves 80% of function, or does it hard-fail without the frontier model?</li> </ul> <h2> Layer 4: Hardware </h2> <p>The Mac mini posts, the "$2000 gets you your own AI" guides, the affiliate-stuffed "best LLM server" roundups. This is not a scam. Apple Silicon really is good for local inference. Unified memory, no PCIe copy penalty, low idle power, silent. All genuinely useful.</p> <p>But the honest read on local models for agentic workflows in April 2026:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Model</th> <th>RAM needed</th> <th>Speed on consumer Apple Silicon</th> <th>Usable for agents?</th> </tr> </thead> <tbody> <tr> <td>Kimi K2 (1.8-bit quantized)</td> <td>245GB+</td> <td>1-2 tokens/sec on Mac Studio 512GB</td> <td>No, too slow</td> </tr> <tr> <td>Qwen3-Coder-30B (MoE, 3B active)</td> <td>64GB</td> <td>10-15 tokens/sec on M4 Pro</td> <td>Yes, for simple flows</td> </tr> <tr> <td>GLM-4.7-Flash (9B active, 128K ctx)</td> <td>24GB</td> <td>~20 tokens/sec on M4</td> <td>Yes, for coding subset</td> </tr> <tr> <td>GPT-OSS-20B</td> <td>24GB</td> <td>~15 tokens/sec on M4</td> <td>Yes, general purpose</td> </tr> </tbody> </table></div> <p>Local models are usable. They are not the same as frontier cloud models for multi-step agentic work, especially when the task needs long-horizon planning or serious tool use. A local 30B is a working tool. A local Kimi K2 is a science project unless you own a Mac Studio cluster.</p> <p>Anyone telling you otherwise is usually selling you something (affiliate link, course, the same course with a new thumbnail).</p> <p>Audit questions for layer 4:</p> <ul> <li>Do the benchmarks in the guide match the task I actually want to do, or are they summarization benchmarks being used to imply coding performance?</li> <li>What is the tokens-per-second floor for the model at the context length I'll actually use?</li> <li>If I only use the hardware four hours a day, is the cloud API still cheaper at my real usage?</li> </ul> <h2> Four signals a stack is on borrowed time </h2> <p>Run these before you commit.</p> <ol> <li> <strong>The pricing page changed silently in the last 30 days.</strong> Check the Wayback Machine. Compare.</li> <li> <strong>The tutorial's recent comments are mostly "this doesn't work for me."</strong> Filter by newest. If the top new comments are bug reports, the snapshot decayed.</li> <li> <strong>The GitHub issues tab has an open "API keys being banned" or "provider blocked us" thread.</strong> Search by keyword. This one is terminal.</li> <li> <strong>The tool routes through a provider whose ToS explicitly names it, its category, or its pattern.</strong> Find the ToS. Ctrl-F the project name.</li> </ol> <p>Three of four true: the stack is late cycle, budget accordingly or skip.<br> One or two true: yellow flag, keep watching.<br> Zero: you might be early, which is also risky, but at least the risk is legible.</p> <h2> What to actually build on </h2> <p>Boring but it holds up:</p> <ul> <li>Prefer tools where the provider bills you directly. The bill is honest. The less abstraction between you and the token meter, the fewer surprises.</li> <li>Prefer stacks where swapping the underlying model is a config change, not a rewrite. Portability is the cheapest insurance you can buy.</li> <li>Treat GitHub stars like follower counts. Not meaningless, but not the product.</li> <li>Assume any third-party tool that rides a major provider's consumer subscription instead of an API key is temporary, and price that temporariness into your decision.</li> <li>Run the 30-day test. If a tutorial still has fresh comments saying "this works" a month out, it is probably safe. If not, skip.</li> </ul> <p>None of this is anti-AI. It is pro not-getting-caught-out. The tools are real. The wins are real. The token bill is also real. The layer you are not looking at is usually the one that bites.</p> <p><em>What signals have you seen that a tool is late cycle? Drop them in the comments. I am genuinely collecting patterns, because the next wave of this is already starting.</em></p> ai devtools productivity career GDS K S Sat, 18 Apr 2026 20:52:03 +0000 https://dev.to/thegdsks/i-replaced-auth0-with-an-open-source-library-in-30-minutes-here-is-what-broke-3l2c https://dev.to/thegdsks/i-replaced-auth0-with-an-open-source-library-in-30-minutes-here-is-what-broke-3l2c <p>My Auth0 bill last month was $427. For 12,000 monthly active users on a side project that makes roughly $0 in revenue. I spent a Saturday moving off it. This is what happened.</p> <h2> The bill </h2> <p>Auth0's pricing jumps at the 1,000 MAU line. My project crossed it in March. The next tier is $240/month. Then I turned on MFA, which is extra. Then I wanted SAML for a B2B customer, which is extra. Then log retention went up because I needed 30 days for a compliance thing, which is extra.</p> <p>$427. For a login button.</p> <p>I like Auth0 as a product. I have shipped it at two previous companies and it was fine. What I did not like was paying rent on a feature I could own.</p> <h2> What I actually needed </h2> <p>I made a list before I started, so I would not spend a weekend building features I did not use.</p> <ul> <li>Email + password login</li> <li>Magic link login</li> <li>Password reset</li> <li>Session management with refresh</li> <li>OAuth with Google and GitHub</li> <li>A way to call our API from agent scripts (this one was new)</li> </ul> <p>What I did not need, despite Auth0 charging for it:</p> <ul> <li>Multi tenant orgs</li> <li>SAML/SCIM (the B2B customer moved on)</li> <li>Passwordless WebAuthn (I want this, but not yet)</li> <li>50+ social providers</li> <li>Rules and hooks for custom login logic (I had one rule, it moved to my app)</li> </ul> <p>So the real question was: is there a library that covers the first list and lets me run it on my own Cloudflare Workers without rebuilding everything from scratch.</p> <h2> The shortlist </h2> <p>I looked at four things over maybe an hour.</p> <p>Lucia got archived <a href="https://github.com/lucia-auth/lucia/issues/1707" rel="noopener noreferrer">in March 2025</a>. I did not want to adopt something the author shut down, even if the code still works.</p> <p>Better Auth looked decent but ships a lot of plugins I did not want and the docs for its Cloudflare Workers story were thin when I checked.</p> <p>NextAuth/Auth.js works but is tightly coupled to Next.js, and I needed this to cover a separate agent SDK as well.</p> <p><a href="https://kavachos.com" rel="noopener noreferrer">kavachOS</a> was the new one I had not tried. It does auth for humans and AI agents in the same library, runs on Workers, and the README had a "migrating from Auth0" page. That is the one I picked.</p> <p><a href="https://kavachos.com" rel="noopener noreferrer"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7keamufc3btbwepy1c9y.png" alt="KavachOS" width="800" height="440"></a> </p> <h2> The 30 minute spike </h2> <p>I timed it. 32 minutes from <code>pnpm add kavachos</code> to a working login on localhost.</p> <h3> Install </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pnpm add kavachos @kavachos/hono </code></pre> </div> <p>I use Hono on Workers. There are adapters for <a href="https://kavachos.com/docs/adapters/nextjs" rel="noopener noreferrer">Next.js</a>, <a href="https://kavachos.com/docs/adapters/express" rel="noopener noreferrer">Express</a>, <a href="https://kavachos.com/docs/adapters/fastify" rel="noopener noreferrer">Fastify</a>, and a few others.</p> <h3> The core config </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/auth.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">kavachos</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">kavachos</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">honoAdapter</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kavachos/hono</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">auth</span> <span class="o">=</span> <span class="nf">kavachos</span><span class="p">({</span> <span class="na">adapter</span><span class="p">:</span> <span class="nf">honoAdapter</span><span class="p">(),</span> <span class="na">database</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">DATABASE_URL</span><span class="o">!</span><span class="p">,</span> <span class="na">session</span><span class="p">:</span> <span class="p">{</span> <span class="na">expiresIn</span><span class="p">:</span> <span class="dl">"</span><span class="s2">30d</span><span class="dl">"</span><span class="p">,</span> <span class="na">rolling</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">},</span> <span class="na">providers</span><span class="p">:</span> <span class="p">{</span> <span class="na">password</span><span class="p">:</span> <span class="p">{</span> <span class="na">minLength</span><span class="p">:</span> <span class="mi">12</span> <span class="p">},</span> <span class="na">magicLink</span><span class="p">:</span> <span class="p">{</span> <span class="na">tokenTTL</span><span class="p">:</span> <span class="dl">"</span><span class="s2">10m</span><span class="dl">"</span> <span class="p">},</span> <span class="na">google</span><span class="p">:</span> <span class="p">{</span> <span class="na">clientId</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">GOOGLE_CLIENT_ID</span><span class="o">!</span><span class="p">,</span> <span class="na">clientSecret</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">GOOGLE_CLIENT_SECRET</span><span class="o">!</span><span class="p">,</span> <span class="p">},</span> <span class="na">github</span><span class="p">:</span> <span class="p">{</span> <span class="na">clientId</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">GITHUB_CLIENT_ID</span><span class="o">!</span><span class="p">,</span> <span class="na">clientSecret</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">GITHUB_CLIENT_SECRET</span><span class="o">!</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> <span class="na">email</span><span class="p">:</span> <span class="p">{</span> <span class="na">provider</span><span class="p">:</span> <span class="dl">"</span><span class="s2">resend</span><span class="dl">"</span><span class="p">,</span> <span class="na">apiKey</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">RESEND_API_KEY</span><span class="o">!</span><span class="p">,</span> <span class="na">from</span><span class="p">:</span> <span class="dl">"</span><span class="s2">noreply@myproject.com</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <h3> Wire it up </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/index.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Hono</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">hono</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">auth</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./auth</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Hono</span><span class="p">();</span> <span class="nx">app</span><span class="p">.</span><span class="nf">route</span><span class="p">(</span><span class="dl">"</span><span class="s2">/auth</span><span class="dl">"</span><span class="p">,</span> <span class="nx">auth</span><span class="p">.</span><span class="nx">routes</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">/me</span><span class="dl">"</span><span class="p">,</span> <span class="nx">auth</span><span class="p">.</span><span class="nx">required</span><span class="p">,</span> <span class="p">(</span><span class="nx">c</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="nx">c</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">user</span><span class="dl">"</span><span class="p">);</span> <span class="k">return</span> <span class="nx">c</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="nx">user</span> <span class="p">});</span> <span class="p">});</span> <span class="k">export</span> <span class="k">default</span> <span class="nx">app</span><span class="p">;</span> </code></pre> </div> <p>That is everything the server needs. Login, signup, magic link, OAuth callbacks, session refresh, logout, password reset, email verification. All mounted under <code>/auth/*</code>.</p> <p>The frontend was about the same amount of code. A <code>useSession()</code> hook, a login form, a magic link form, an OAuth button component. Roughly 120 lines total across 4 files.</p> <h3> The schema </h3> <p>kavachOS ships migrations. I ran:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pnpm kavachos migrate </code></pre> </div> <p>and it created the tables. <code>users</code>, <code>sessions</code>, <code>oauth_accounts</code>, <code>password_reset_tokens</code>, <code>magic_link_tokens</code>, <code>email_verification_tokens</code>. Six tables. I looked at them, they were boring in the right way.</p> <h2> The Auth0 migration </h2> <p>I had 12,000 users in Auth0. I needed to bring them over without forcing a password reset for everyone.</p> <p>Auth0 exports users as JSON. The password hashes are bcrypt, which is what kavachOS uses internally, so in theory a direct copy would work.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Export from Auth0 (this is an Auth0 built in job)</span> auth0 <span class="nb">users export</span> <span class="nt">--format</span> json <span class="nt">--output</span> users.json <span class="c"># Import into kavachOS</span> pnpm kavachos import <span class="nt">--from</span> auth0 <span class="nt">--file</span> users.json </code></pre> </div> <p>The second command does not exist. I wrote it that night after discovering the first one returns passwords as opaque hashes that Auth0 does not document the algorithm for. Or rather, they document it as "we use bcrypt" but the actual export format wraps the hash in a proprietary string.</p> <p>This was the first thing that broke.</p> <h2> What broke in prod </h2> <h3> The password hashes were not portable </h3> <p>Auth0's export includes a <code>passwordHash</code> field on each user. The format looks like a bcrypt string but it is prefixed with Auth0's own identifier. kavachOS would not match on login.</p> <p>Fix: I wrote a small shim in my auth config that recognizes the Auth0 prefix, strips it, and re-verifies against the underlying bcrypt. After a successful login the user's hash gets re-saved in the native format. Over a week, 80% of active users migrated silently. The rest I handled manually with a one time "we need you to reset your password" email.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">providers</span><span class="p">:</span> <span class="p">{</span> <span class="nl">password</span><span class="p">:</span> <span class="p">{</span> <span class="na">minLength</span><span class="p">:</span> <span class="mi">12</span><span class="p">,</span> <span class="na">verifyLegacy</span><span class="p">:</span> <span class="k">async </span><span class="p">(</span><span class="nx">hash</span><span class="p">,</span> <span class="nx">password</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">hash</span><span class="p">.</span><span class="nf">startsWith</span><span class="p">(</span><span class="dl">"</span><span class="s2">$auth0$</span><span class="dl">"</span><span class="p">))</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">actual</span> <span class="o">=</span> <span class="nx">hash</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/^</span><span class="se">\$</span><span class="sr">auth0</span><span class="se">\$</span><span class="sr">/</span><span class="p">,</span> <span class="dl">""</span><span class="p">);</span> <span class="k">return</span> <span class="nx">bcrypt</span><span class="p">.</span><span class="nf">compare</span><span class="p">(</span><span class="nx">password</span><span class="p">,</span> <span class="nx">actual</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="p">},</span> <span class="p">},</span> <span class="p">},</span> </code></pre> </div> <p>kavachOS has a <code>verifyLegacy</code> hook built in for this, which was nice. I did not have to patch the library.</p> <h3> Session cookies were on the wrong domain </h3> <p>I had cookies on <code>auth.myproject.com</code> from Auth0. kavachOS defaulted to <code>myproject.com</code>. This meant every logged in user got signed out at the cutover.</p> <p>I picked up on this at 2am when my own login session died. Fix was a 10 minute config change plus an apology email.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">session</span><span class="p">:</span> <span class="p">{</span> <span class="nl">expiresIn</span><span class="p">:</span> <span class="dl">"</span><span class="s2">30d</span><span class="dl">"</span><span class="p">,</span> <span class="nx">rolling</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="nx">cookie</span><span class="p">:</span> <span class="p">{</span> <span class="nl">domain</span><span class="p">:</span> <span class="dl">"</span><span class="s2">.myproject.com</span><span class="dl">"</span><span class="p">,</span> <span class="nx">secure</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="nx">sameSite</span><span class="p">:</span> <span class="dl">"</span><span class="s2">lax</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> </code></pre> </div> <p>Worth reading <a href="https://kavachos.com/docs/sessions" rel="noopener noreferrer">the session config docs</a> before you deploy, not after.</p> <h3> Google OAuth redirect URI </h3> <p>Auth0 uses its own callback URL. My Google Cloud Console was configured for <code>https://my-tenant.us.auth0.com/login/callback</code>. kavachOS uses <code>https://myproject.com/auth/callback/google</code>.</p> <p>30 second fix in the Google console, but it cost me an hour of "why is Google OAuth returning redirect_uri_mismatch" before I remembered.</p> <h3> The agent thing worked first try </h3> <p>The one unexpected win. My project has a handful of agent scripts that run on cron and need to hit the API as a specific user. With Auth0 I was using Machine to Machine tokens, which cost extra and have their own quota.</p> <p>kavachOS has an agent identity primitive. You can mint an agent token, scope it to a user, give it permissions, and call the API. The docs are at <a href="https://kavachos.com/docs/agents" rel="noopener noreferrer">kavachos.com/docs/agents</a>. It took one line to wire up and replaced about $40/month of Auth0 M2M charges.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">agentToken</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">auth</span><span class="p">.</span><span class="nx">agents</span><span class="p">.</span><span class="nf">issue</span><span class="p">({</span> <span class="na">userId</span><span class="p">:</span> <span class="dl">"</span><span class="s2">user_123</span><span class="dl">"</span><span class="p">,</span> <span class="na">permissions</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">reports:read</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">invoices:write</span><span class="dl">"</span><span class="p">],</span> <span class="na">expiresIn</span><span class="p">:</span> <span class="dl">"</span><span class="s2">90d</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <p>This was the thing that made the migration actually worth it, not just a cost optimization.</p> <h2> The cost </h2> <p>Before: $427/month<br> After: $0/month for the library, ~$4/month for Neon Postgres that I was already paying for, ~$3/month for Resend.</p> <p>If I ever want to stop running it myself, kavachOS has a managed cloud at <a href="https://kavachos.com" rel="noopener noreferrer">kavachos.com</a> with a generous free tier and metered pricing after that. I am not on it yet because running Workers + Postgres is cheap, but I like that the option exists.</p> <h2> Where Auth0 is still better </h2> <p>I want to be fair. Things Auth0 does well that I gave up:</p> <ul> <li>The dashboard. Auth0's admin UI is excellent. kavachOS has one but it is less polished.</li> <li>Enterprise SSO configuration. If you need to onboard a customer's Okta or Azure AD in an afternoon, Auth0's wizards are worth the money.</li> <li>Anomaly detection and breached password checks. kavachOS has the second, not the first.</li> <li>Log retention without a separate pipeline. I piped kavachOS logs to Axiom, which works, but it was a separate setup.</li> </ul> <p>If your company is at the stage where any of those matter more than $5K/year, stay on Auth0. I am not at that stage.</p> <h2> Would I do it again </h2> <p>Yes, and I did it again last week for another project. The second migration took 45 minutes, mostly because I already had the verifyLegacy shim written and the agent identity stuff working. If you are reading this and your auth bill looks wrong, the math has changed in the last year. There are real libraries now.</p> <p>If you try kavachOS, the docs I used most were <a href="https://kavachos.com/docs/quickstart" rel="noopener noreferrer">the quickstart</a>, <a href="https://kavachos.com/docs/migrations/auth0" rel="noopener noreferrer">the Auth0 migration guide</a>, and <a href="https://kavachos.com/docs/adapters/hono" rel="noopener noreferrer">the Hono adapter docs</a>. The repo is at <a href="https://github.com/kavachos/kavachos" rel="noopener noreferrer">github.com/kavachos/kavachos</a>.</p> <h2> Questions I expect </h2> <p><strong>Is kavachOS production ready?</strong> I am running it on a real project with real users. Your call.</p> <p><strong>Why not just use Supabase auth?</strong> I did not want my auth tied to my database host. kavachOS works with any Postgres.</p> <p><strong>What about self hosting on Render or Railway?</strong> Works fine. The library does not care.</p> <p><strong>Did you consider Clerk or WorkOS?</strong> Clerk is good but more expensive than Auth0 at my tier. WorkOS is B2B focused and I am not that.</p> <p><strong>What if kavachOS gets abandoned like Lucia?</strong> The project is self hostable, the license is MIT, and the database schema is boring. If upstream went away tomorrow I would fork it and keep going. That is the whole point of picking open source over a managed service.</p> <p>Following for the next one: I am writing these daily for the next two weeks. Tomorrow is magic link login in Next.js with no library, then with a library, with the actual diff. Hit follow if you want it.</p> <p>If you have an Auth0 horror story, drop it in the comments. I will probably do a compilation post.</p> <p><em><a href="https://thegdsks.com" rel="noopener noreferrer">Gagan Deep Singh</a> builds open source tools at <a href="https://glincker.com" rel="noopener noreferrer">Glincker</a>. Currently working on <a href="https://kavachos.com" rel="noopener noreferrer">kavachOS</a> (open source auth for AI agents and humans) and <a href="https://askverdict.ai" rel="noopener noreferrer">AskVerdict</a> (multi-model AI verdicts).</em></p> <p><em>If this was useful, follow me on <a href="https://dev.to/thegdsks">Dev.to</a> or <a href="https://x.com/thegdsks" rel="noopener noreferrer">X</a> where I post weekly.</em> </p> authentication opensource javascript devops GDS K S Sat, 18 Apr 2026 20:45:52 +0000 https://dev.to/thegdsks/how-to-build-a-secure-password-reset-flow-in-nextjs-the-short-version-ja6 https://dev.to/thegdsks/how-to-build-a-secure-password-reset-flow-in-nextjs-the-short-version-ja6 <p>Last month I reviewed a friend's side project. He had 200 paying users, Stripe set up, a working dashboard. The password reset flow sent a reset token in a query string, stored it in plain text in Postgres, and never expired it. Anyone who read the database could take over any account, permanently.</p> <p>He had written it in 2 hours. It looked fine. That is the problem with reset flows. They look fine until someone reads them carefully.</p> <p>Here is a version that does not embarrass you, followed by the same thing in 12 lines using <a href="https://kavachos.com" rel="noopener noreferrer">kavachOS</a>.</p> <h2> What a good reset flow actually does </h2> <p>Six things, in order:</p> <ol> <li>Accepts an email and always responds with the same 200, whether the email exists or not</li> <li>Generates a 32 byte random token, hashes it before storing</li> <li>Stores the hash with a 15 minute expiry and a one time use flag</li> <li>Sends the raw token to the user's inbox</li> <li>On submit, hashes the incoming token and compares against storage</li> <li>Marks the token used, writes a new password, rotates every active session</li> </ol> <p>If any one of those is missing you have a bug. Most tutorials cover 1 and 3. Almost nobody covers 6, which is why most apps stay logged in as the attacker after a reset.</p> <h2> The from scratch version </h2> <h3> The schema </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// db/schema.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">bigserial</span><span class="p">,</span> <span class="nx">pgTable</span><span class="p">,</span> <span class="nx">text</span><span class="p">,</span> <span class="nx">timestamp</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">drizzle-orm/pg-core</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">users</span> <span class="o">=</span> <span class="nf">pgTable</span><span class="p">(</span><span class="dl">"</span><span class="s2">users</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nf">bigserial</span><span class="p">(</span><span class="dl">"</span><span class="s2">id</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">mode</span><span class="p">:</span> <span class="dl">"</span><span class="s2">number</span><span class="dl">"</span> <span class="p">}).</span><span class="nf">primaryKey</span><span class="p">(),</span> <span class="na">email</span><span class="p">:</span> <span class="nf">text</span><span class="p">(</span><span class="dl">"</span><span class="s2">email</span><span class="dl">"</span><span class="p">).</span><span class="nf">notNull</span><span class="p">().</span><span class="nf">unique</span><span class="p">(),</span> <span class="na">passwordHash</span><span class="p">:</span> <span class="nf">text</span><span class="p">(</span><span class="dl">"</span><span class="s2">password_hash</span><span class="dl">"</span><span class="p">).</span><span class="nf">notNull</span><span class="p">(),</span> <span class="p">});</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">passwordResetTokens</span> <span class="o">=</span> <span class="nf">pgTable</span><span class="p">(</span><span class="dl">"</span><span class="s2">password_reset_tokens</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nf">bigserial</span><span class="p">(</span><span class="dl">"</span><span class="s2">id</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">mode</span><span class="p">:</span> <span class="dl">"</span><span class="s2">number</span><span class="dl">"</span> <span class="p">}).</span><span class="nf">primaryKey</span><span class="p">(),</span> <span class="na">userId</span><span class="p">:</span> <span class="nf">bigserial</span><span class="p">(</span><span class="dl">"</span><span class="s2">user_id</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">mode</span><span class="p">:</span> <span class="dl">"</span><span class="s2">number</span><span class="dl">"</span> <span class="p">}).</span><span class="nf">notNull</span><span class="p">(),</span> <span class="na">tokenHash</span><span class="p">:</span> <span class="nf">text</span><span class="p">(</span><span class="dl">"</span><span class="s2">token_hash</span><span class="dl">"</span><span class="p">).</span><span class="nf">notNull</span><span class="p">(),</span> <span class="na">expiresAt</span><span class="p">:</span> <span class="nf">timestamp</span><span class="p">(</span><span class="dl">"</span><span class="s2">expires_at</span><span class="dl">"</span><span class="p">).</span><span class="nf">notNull</span><span class="p">(),</span> <span class="na">usedAt</span><span class="p">:</span> <span class="nf">timestamp</span><span class="p">(</span><span class="dl">"</span><span class="s2">used_at</span><span class="dl">"</span><span class="p">),</span> <span class="p">});</span> </code></pre> </div> <p>Note the <code>tokenHash</code>. If your database leaks, the leaked rows cannot be used to reset anyone's password. If you store the raw token, you have handed the attacker a working exploit.</p> <h3> The request endpoint </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/api/auth/forgot-password/route.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NextRequest</span><span class="p">,</span> <span class="nx">NextResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">z</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">zod</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">db</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@/db</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">users</span><span class="p">,</span> <span class="nx">passwordResetTokens</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@/db/schema</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">eq</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">drizzle-orm</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">randomBytes</span><span class="p">,</span> <span class="nx">createHash</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">crypto</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">sendResetEmail</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@/lib/email</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">rateLimit</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@/lib/rate-limit</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">body</span> <span class="o">=</span> <span class="nx">z</span><span class="p">.</span><span class="nf">object</span><span class="p">({</span> <span class="na">email</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">email</span><span class="p">()</span> <span class="p">});</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">POST</span><span class="p">(</span><span class="nx">req</span><span class="p">:</span> <span class="nx">NextRequest</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">ip</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">x-forwarded-for</span><span class="dl">"</span><span class="p">)</span> <span class="o">??</span> <span class="dl">"</span><span class="s2">unknown</span><span class="dl">"</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="k">await</span> <span class="nf">rateLimit</span><span class="p">(</span><span class="s2">`forgot:</span><span class="p">${</span><span class="nx">ip</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">{</span> <span class="na">max</span><span class="p">:</span> <span class="mi">5</span><span class="p">,</span> <span class="na">window</span><span class="p">:</span> <span class="mi">60</span> <span class="p">}))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">ok</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">parsed</span> <span class="o">=</span> <span class="nx">body</span><span class="p">.</span><span class="nf">safeParse</span><span class="p">(</span><span class="k">await</span> <span class="nx">req</span><span class="p">.</span><span class="nf">json</span><span class="p">());</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">parsed</span><span class="p">.</span><span class="nx">success</span><span class="p">)</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">ok</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">query</span><span class="p">.</span><span class="nx">users</span><span class="p">.</span><span class="nf">findFirst</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="nf">eq</span><span class="p">(</span><span class="nx">users</span><span class="p">.</span><span class="nx">email</span><span class="p">,</span> <span class="nx">parsed</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">email</span><span class="p">.</span><span class="nf">toLowerCase</span><span class="p">()),</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="nx">user</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">raw</span> <span class="o">=</span> <span class="nf">randomBytes</span><span class="p">(</span><span class="mi">32</span><span class="p">).</span><span class="nf">toString</span><span class="p">(</span><span class="dl">"</span><span class="s2">base64url</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">tokenHash</span> <span class="o">=</span> <span class="nf">createHash</span><span class="p">(</span><span class="dl">"</span><span class="s2">sha256</span><span class="dl">"</span><span class="p">).</span><span class="nf">update</span><span class="p">(</span><span class="nx">raw</span><span class="p">).</span><span class="nf">digest</span><span class="p">(</span><span class="dl">"</span><span class="s2">hex</span><span class="dl">"</span><span class="p">);</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nf">insert</span><span class="p">(</span><span class="nx">passwordResetTokens</span><span class="p">).</span><span class="nf">values</span><span class="p">({</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="nx">tokenHash</span><span class="p">,</span> <span class="na">expiresAt</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(</span><span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">+</span> <span class="mi">15</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">),</span> <span class="p">});</span> <span class="k">await</span> <span class="nf">sendResetEmail</span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">email</span><span class="p">,</span> <span class="nx">raw</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">ok</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p>Four things that matter here:</p> <p>The endpoint always returns 200. An attacker probing with 10,000 emails learns nothing. If you return 404 for unknown emails, you have just built an account enumeration endpoint.</p> <p>The rate limit is on IP, 5 per minute. It will not stop a distributed attacker but it raises the cost enough that nobody bothers.</p> <p>On parse failure, still 200. A 400 leaks "this email was malformed" vs "this email was fine but not in the database".</p> <p>The raw token exists for exactly one HTTP response and one email send. It never hits the database.</p> <h3> The reset endpoint </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/api/auth/reset-password/route.ts</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">POST</span><span class="p">(</span><span class="nx">req</span><span class="p">:</span> <span class="nx">NextRequest</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">ip</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">x-forwarded-for</span><span class="dl">"</span><span class="p">)</span> <span class="o">??</span> <span class="dl">"</span><span class="s2">unknown</span><span class="dl">"</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="k">await</span> <span class="nf">rateLimit</span><span class="p">(</span><span class="s2">`reset:</span><span class="p">${</span><span class="nx">ip</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">{</span> <span class="na">max</span><span class="p">:</span> <span class="mi">10</span><span class="p">,</span> <span class="na">window</span><span class="p">:</span> <span class="mi">60</span> <span class="p">}))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Too many attempts</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">429</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">parsed</span> <span class="o">=</span> <span class="nx">z</span> <span class="p">.</span><span class="nf">object</span><span class="p">({</span> <span class="na">token</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">min</span><span class="p">(</span><span class="mi">32</span><span class="p">),</span> <span class="na">password</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">min</span><span class="p">(</span><span class="mi">12</span><span class="p">)</span> <span class="p">})</span> <span class="p">.</span><span class="nf">safeParse</span><span class="p">(</span><span class="k">await</span> <span class="nx">req</span><span class="p">.</span><span class="nf">json</span><span class="p">());</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">parsed</span><span class="p">.</span><span class="nx">success</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Invalid request</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">400</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">token</span><span class="p">,</span> <span class="nx">password</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">parsed</span><span class="p">.</span><span class="nx">data</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">tokenHash</span> <span class="o">=</span> <span class="nf">createHash</span><span class="p">(</span><span class="dl">"</span><span class="s2">sha256</span><span class="dl">"</span><span class="p">).</span><span class="nf">update</span><span class="p">(</span><span class="nx">token</span><span class="p">).</span><span class="nf">digest</span><span class="p">(</span><span class="dl">"</span><span class="s2">hex</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">row</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">query</span><span class="p">.</span><span class="nx">passwordResetTokens</span><span class="p">.</span><span class="nf">findFirst</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="nf">and</span><span class="p">(</span> <span class="nf">eq</span><span class="p">(</span><span class="nx">passwordResetTokens</span><span class="p">.</span><span class="nx">tokenHash</span><span class="p">,</span> <span class="nx">tokenHash</span><span class="p">),</span> <span class="nf">gt</span><span class="p">(</span><span class="nx">passwordResetTokens</span><span class="p">.</span><span class="nx">expiresAt</span><span class="p">,</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">()),</span> <span class="nf">isNull</span><span class="p">(</span><span class="nx">passwordResetTokens</span><span class="p">.</span><span class="nx">usedAt</span><span class="p">),</span> <span class="p">),</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">row</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span> <span class="p">{</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Invalid or expired link</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">400</span> <span class="p">},</span> <span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">passwordHash</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">bcrypt</span><span class="p">.</span><span class="nf">hash</span><span class="p">(</span><span class="nx">password</span><span class="p">,</span> <span class="mi">12</span><span class="p">);</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nf">transaction</span><span class="p">(</span><span class="k">async </span><span class="p">(</span><span class="nx">tx</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">tx</span><span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="nx">users</span><span class="p">).</span><span class="nf">set</span><span class="p">({</span> <span class="nx">passwordHash</span> <span class="p">}).</span><span class="nf">where</span><span class="p">(</span><span class="nf">eq</span><span class="p">(</span><span class="nx">users</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="nx">row</span><span class="p">.</span><span class="nx">userId</span><span class="p">));</span> <span class="k">await</span> <span class="nx">tx</span> <span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="nx">passwordResetTokens</span><span class="p">)</span> <span class="p">.</span><span class="nf">set</span><span class="p">({</span> <span class="na">usedAt</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">()</span> <span class="p">})</span> <span class="p">.</span><span class="nf">where</span><span class="p">(</span><span class="nf">eq</span><span class="p">(</span><span class="nx">passwordResetTokens</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="nx">row</span><span class="p">.</span><span class="nx">id</span><span class="p">));</span> <span class="p">});</span> <span class="k">await</span> <span class="nf">rotateSession</span><span class="p">(</span><span class="nx">row</span><span class="p">.</span><span class="nx">userId</span><span class="p">);</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">ok</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p>Three things that people miss:</p> <p>The transaction. If the password update succeeds but the token update fails, the token can be used again. Wrap them or do not bother.</p> <p><code>rotateSession</code>. Password reset must invalidate every active session for that user. If an attacker has a stolen session cookie, changing the password does not kick them out. Rotate.</p> <p>Same error for expired, used, and never existed. All three get a 400 with "invalid or expired link". No timing differences, no leaked state.</p> <h3> Rate limiting </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// lib/rate-limit.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Redis</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@upstash/redis</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">redis</span> <span class="o">=</span> <span class="nx">Redis</span><span class="p">.</span><span class="nf">fromEnv</span><span class="p">();</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">rateLimit</span><span class="p">(</span> <span class="nx">key</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">opts</span><span class="p">:</span> <span class="p">{</span> <span class="nl">max</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">window</span><span class="p">:</span> <span class="kr">number</span> <span class="p">},</span> <span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">boolean</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">count</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">redis</span><span class="p">.</span><span class="nf">incr</span><span class="p">(</span><span class="nx">key</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">count</span> <span class="o">===</span> <span class="mi">1</span><span class="p">)</span> <span class="k">await</span> <span class="nx">redis</span><span class="p">.</span><span class="nf">expire</span><span class="p">(</span><span class="nx">key</span><span class="p">,</span> <span class="nx">opts</span><span class="p">.</span><span class="nb">window</span><span class="p">);</span> <span class="k">return</span> <span class="nx">count</span> <span class="o">&gt;</span> <span class="nx">opts</span><span class="p">.</span><span class="nx">max</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>On Cloudflare Workers, swap Redis for KV or Durable Objects. Same shape.</p> <h2> The kavachOS version </h2> <p>I wrote the code above maybe a dozen times in different projects before I gave up and wrote a library. That library is <a href="https://github.com/kavachos/kavachos" rel="noopener noreferrer">kavachOS</a>. Here is the same flow with it:</p> <h3> Install </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pnpm add kavachos @kavachos/nextjs </code></pre> </div> <h3> Configure </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// auth.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">kavachos</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">kavachos</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">nextjsAdapter</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kavachos/nextjs</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">auth</span> <span class="o">=</span> <span class="nf">kavachos</span><span class="p">({</span> <span class="na">adapter</span><span class="p">:</span> <span class="nf">nextjsAdapter</span><span class="p">(),</span> <span class="na">database</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">DATABASE_URL</span><span class="o">!</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="p">{</span> <span class="na">provider</span><span class="p">:</span> <span class="dl">"</span><span class="s2">resend</span><span class="dl">"</span><span class="p">,</span> <span class="na">apiKey</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">RESEND_API_KEY</span><span class="o">!</span><span class="p">,</span> <span class="na">from</span><span class="p">:</span> <span class="dl">"</span><span class="s2">noreply@example.com</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="na">passwordReset</span><span class="p">:</span> <span class="p">{</span> <span class="na">tokenTTL</span><span class="p">:</span> <span class="dl">"</span><span class="s2">15m</span><span class="dl">"</span><span class="p">,</span> <span class="na">oneTimeUse</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">rotateSessionsOnReset</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <h3> Mount the routes </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/api/auth/[...kavachos]/route.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">auth</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@/auth</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">GET</span><span class="p">,</span> <span class="nx">POST</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">auth</span><span class="p">.</span><span class="nx">handlers</span><span class="p">;</span> </code></pre> </div> <h3> The form </h3> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// app/auth/forgot/page.tsx</span> <span class="dl">"</span><span class="s2">use client</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">useAuth</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kavachos/nextjs</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">Forgot</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">requestReset</span><span class="p">,</span> <span class="nx">pending</span><span class="p">,</span> <span class="nx">status</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">useAuth</span><span class="p">();</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nt">form</span> <span class="na">action</span><span class="p">=</span><span class="si">{</span><span class="nx">requestReset</span><span class="si">}</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">input</span> <span class="na">name</span><span class="p">=</span><span class="s">"email"</span> <span class="na">type</span><span class="p">=</span><span class="s">"email"</span> <span class="na">required</span> <span class="p">/&gt;</span> <span class="p">&lt;</span><span class="nt">button</span> <span class="na">disabled</span><span class="p">=</span><span class="si">{</span><span class="nx">pending</span><span class="si">}</span><span class="p">&gt;</span>Send reset link<span class="p">&lt;/</span><span class="nt">button</span><span class="p">&gt;</span> <span class="si">{</span><span class="nx">status</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">ok</span><span class="dl">"</span> <span class="o">&amp;&amp;</span> <span class="p">&lt;</span><span class="nt">p</span><span class="p">&gt;</span>If that email exists, a link is on the way.<span class="p">&lt;/</span><span class="nt">p</span><span class="p">&gt;</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nt">form</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>That is the whole thing. The tokens are hashed, the expiry is 15 minutes, the rate limits are on, the sessions rotate on success, and the error messages are constant time. If you look at <a href="https://github.com/kavachos/kavachos/tree/main/packages/core/src/password-reset" rel="noopener noreferrer">the source</a>, it is almost exactly the code above, just packaged.</p> <p>Docs for the password reset flow are at <a href="https://kavachos.com/docs/password-reset" rel="noopener noreferrer">kavachos.com/docs/password-reset</a>. The Next.js adapter is at <a href="https://kavachos.com/docs/adapters/nextjs" rel="noopener noreferrer">kavachos.com/docs/adapters/nextjs</a>.</p> <h2> Three mistakes I keep finding in code reviews </h2> <h3> Storing tokens in plain text </h3> <p>One in three repos I have looked at does this. If the database leaks, every active reset link is live. Hash before storing. Always. The raw token should exist in exactly two places: the HTTP response that mails it out, and the user's inbox.</p> <h3> Using <code>Math.random()</code> for the token </h3> <p><code>Math.random()</code> is not cryptographic. It is a deterministic PRNG seeded from the process start time. Use <code>crypto.randomBytes(32)</code> on the server or <code>crypto.getRandomValues()</code> on the edge.</p> <h3> 24 hour expiries </h3> <p>If the user is going to click the link, they click it in 2 minutes. A 24 hour window exists to make the support team's job easier, but it gives an attacker who compromised an email backup all day to use the link. 15 minutes is fine. If the user misses the window they can click "forgot password" again.</p> <h2> Testing checklist before you ship </h2> <ul> <li> <code>POST /forgot-password</code> returns 200 for both known and unknown emails</li> <li>Response time for known and unknown emails is within 50ms (timing defense)</li> <li>Rate limit triggers at the 6th request from one IP per minute</li> <li>Token row contains <code>tokenHash</code>, not the raw value</li> <li>Expired tokens are rejected with the same 400 as invalid ones</li> <li>Used tokens are rejected with the same 400 as invalid ones</li> <li>After a successful reset, all sessions for that user are invalidated</li> <li>A log line is written for <code>reset_requested</code>, <code>reset_completed</code>, <code>reset_failed</code> </li> </ul> <p>That last point matters when a user emails you at midnight saying they never got the email. You will want those logs.</p> <h2> Questions I expect in the comments </h2> <p><strong>Why not JWTs for the token?</strong> A JWT is stateless. You cannot revoke it on use. If you use a JWT for reset, the same link works until the expiry for anyone who saved it. You lose the one time property. Use a database row.</p> <p><strong>Why 15 minutes?</strong> Because the user clicks within 2. The only thing a longer window does is give attackers more runway.</p> <p><strong>Is email actually secure enough for this?</strong> No, email is terrible. It is also what everyone has. Which is why the link expires in 15 minutes, is one time use, and rotates sessions on success. You are containing the blast radius, not preventing the attack.</p> <h2> What I will write next </h2> <p>I am doing one of these a day for the next two weeks. Next up: magic link login in Next.js, same rigor, with and without a library. Follow me here if you want the next one in your feed.</p> <p>Comment with the auth thing you have been putting off. If I get enough of the same one, I will write it up.</p> <p><em><a href="https://thegdsks.com" rel="noopener noreferrer">Gagan Deep Singh</a> builds open source tools at <a href="https://glincker.com" rel="noopener noreferrer">Glincker</a>. Currently working on <a href="https://kavachos.com" rel="noopener noreferrer">kavachOS</a> (open source auth for AI agents and humans) and <a href="https://askverdict.ai" rel="noopener noreferrer">AskVerdict</a> (multi-model AI verdicts).</em></p> <p><em>If this was useful, follow me on <a href="https://dev.to/thegdsks">Dev.to</a> or <a href="https://x.com/thegdsks" rel="noopener noreferrer">X</a> where I post weekly.</em> </p> nextjs authentication webdev tutorial GDS K S Sat, 18 Apr 2026 20:42:22 +0000 https://dev.to/thegdsks/how-to-build-a-login-flow-in-nextjs-15-sessions-cookies-csrf-and-the-timing-attack-nobody-33pm https://dev.to/thegdsks/how-to-build-a-login-flow-in-nextjs-15-sessions-cookies-csrf-and-the-timing-attack-nobody-33pm <p>This is part 4. Today: login. Form, server endpoint, session cookie, CSRF, and a real look at timing defense. This is the endpoint attackers probe the most, so it is the one we harden the hardest.</p> <h2> The flow </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>+-------+ +--------------+ +----------+ |Browser| POST | Next.js | SELECT | Postgres | | | email | /api/auth/ | user by | users | | | password | login | email | | | |-----------&gt;| |-----------&gt;| | | | | |&lt;-----------| | | | | verify | +----------+ | | | password | | | | (bcrypt) | | | | | INSERT +----------+ | | | if ok, | session | sessions | | | | create |-----------&gt;| | | | | session |&lt;-----------| | | | | | +----------+ | | Set-Cookie| | | |&lt;-----------| | | | 302 / | | +-------+ +--------------+ </code></pre> </div> <p>And then, on every subsequent request:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>+-------+ GET /dashboard +--------------+ |Browser| Cookie: session=abc123 | Next.js | | |---------------------------&gt;| middleware | | | | | SELECT | | | |--&gt;sessions | | | |&lt;--where token_hash=.. | | | | | |&lt;---- 200 with user context-| | +-------+ +--------------+ </code></pre> </div> <p>Two things to notice:</p> <p><strong>The session token on the wire is not stored in the database.</strong> We store its SHA-256 hash. This is the same pattern as reset tokens. If the database leaks, the leaked rows cannot be replayed as cookies.</p> <p><strong>The verify path is a single row lookup on a hash.</strong> Fast. No cryptographic operation per request, just an index hit.</p> <h2> The session table </h2> <p>Same note as last article: if you are using <a href="https://kavachos.com" rel="noopener noreferrer">kavachOS</a>, <code>pnpm kavachos migrate</code> creates and maintains this table for you. I am showing the SQL so you know what is in your database either way.</p> <p>From article 02, for reference:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">create</span> <span class="k">table</span> <span class="n">sessions</span> <span class="p">(</span> <span class="n">id</span> <span class="n">bigserial</span> <span class="k">primary</span> <span class="k">key</span><span class="p">,</span> <span class="n">user_id</span> <span class="nb">bigint</span> <span class="k">not</span> <span class="k">null</span> <span class="k">references</span> <span class="n">users</span><span class="p">(</span><span class="n">id</span><span class="p">)</span> <span class="k">on</span> <span class="k">delete</span> <span class="k">cascade</span><span class="p">,</span> <span class="n">token_hash</span> <span class="nb">text</span> <span class="k">not</span> <span class="k">null</span> <span class="k">unique</span><span class="p">,</span> <span class="n">expires_at</span> <span class="n">timestamptz</span> <span class="k">not</span> <span class="k">null</span><span class="p">,</span> <span class="n">last_used_at</span> <span class="n">timestamptz</span> <span class="k">not</span> <span class="k">null</span> <span class="k">default</span> <span class="n">now</span><span class="p">(),</span> <span class="n">user_agent</span> <span class="nb">text</span><span class="p">,</span> <span class="n">ip_address</span> <span class="n">inet</span><span class="p">,</span> <span class="n">created_at</span> <span class="n">timestamptz</span> <span class="k">not</span> <span class="k">null</span> <span class="k">default</span> <span class="n">now</span><span class="p">()</span> <span class="p">);</span> <span class="k">create</span> <span class="k">index</span> <span class="n">idx_sessions_user</span> <span class="k">on</span> <span class="n">sessions</span><span class="p">(</span><span class="n">user_id</span><span class="p">);</span> <span class="k">create</span> <span class="k">index</span> <span class="n">idx_sessions_expires</span> <span class="k">on</span> <span class="n">sessions</span><span class="p">(</span><span class="n">expires_at</span><span class="p">);</span> </code></pre> </div> <p>The <code>user_agent</code> and <code>ip_address</code> columns are for the "active sessions" screen on a user's account page ("signed in on iPhone in San Francisco"). They are not used for validation. Do not tie session validity to IP. Phone carriers rotate IPs and your users will hate you.</p> <h2> The login form </h2> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// app/auth/login/page.tsx</span> <span class="dl">"</span><span class="s2">use client</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">useState</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">react</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">useRouter</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/navigation</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">Login</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">router</span> <span class="o">=</span> <span class="nf">useRouter</span><span class="p">();</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">email</span><span class="p">,</span> <span class="nx">setEmail</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="dl">""</span><span class="p">);</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">password</span><span class="p">,</span> <span class="nx">setPassword</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="dl">""</span><span class="p">);</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">remember</span><span class="p">,</span> <span class="nx">setRemember</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="kc">true</span><span class="p">);</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">pending</span><span class="p">,</span> <span class="nx">setPending</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="kc">false</span><span class="p">);</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">error</span><span class="p">,</span> <span class="nx">setError</span><span class="p">]</span> <span class="o">=</span> <span class="nx">useState</span><span class="o">&lt;</span><span class="kr">string</span> <span class="o">|</span> <span class="kc">null</span><span class="o">&gt;</span><span class="p">(</span><span class="kc">null</span><span class="p">);</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">submit</span><span class="p">(</span><span class="nx">e</span><span class="p">:</span> <span class="nx">React</span><span class="p">.</span><span class="nx">FormEvent</span><span class="p">)</span> <span class="p">{</span> <span class="nx">e</span><span class="p">.</span><span class="nf">preventDefault</span><span class="p">();</span> <span class="nf">setPending</span><span class="p">(</span><span class="kc">true</span><span class="p">);</span> <span class="nf">setError</span><span class="p">(</span><span class="kc">null</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">"</span><span class="s2">/api/auth/login</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">"</span><span class="s2">POST</span><span class="dl">"</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">content-type</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">application/json</span><span class="dl">"</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">password</span><span class="p">,</span> <span class="nx">remember</span> <span class="p">}),</span> <span class="p">});</span> <span class="nf">setPending</span><span class="p">(</span><span class="kc">false</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">res</span><span class="p">.</span><span class="nx">status</span> <span class="o">===</span> <span class="mi">429</span><span class="p">)</span> <span class="p">{</span> <span class="nf">setError</span><span class="p">(</span><span class="dl">"</span><span class="s2">Too many attempts. Try again in a minute.</span><span class="dl">"</span><span class="p">);</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">res</span><span class="p">.</span><span class="nx">ok</span><span class="p">)</span> <span class="p">{</span> <span class="nf">setError</span><span class="p">(</span><span class="dl">"</span><span class="s2">Email or password is incorrect.</span><span class="dl">"</span><span class="p">);</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="nx">router</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="dl">"</span><span class="s2">/dashboard</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nt">form</span> <span class="na">onSubmit</span><span class="p">=</span><span class="si">{</span><span class="nx">submit</span><span class="si">}</span> <span class="na">className</span><span class="p">=</span><span class="s">"max-w-sm mx-auto mt-16 space-y-4"</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">h1</span> <span class="na">className</span><span class="p">=</span><span class="s">"text-2xl font-semibold"</span><span class="p">&gt;</span>Sign in<span class="p">&lt;/</span><span class="nt">h1</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">label</span> <span class="na">className</span><span class="p">=</span><span class="s">"block"</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">span</span> <span class="na">className</span><span class="p">=</span><span class="s">"text-sm"</span><span class="p">&gt;</span>Email<span class="p">&lt;/</span><span class="nt">span</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">input</span> <span class="na">type</span><span class="p">=</span><span class="s">"email"</span> <span class="na">required</span> <span class="na">value</span><span class="p">=</span><span class="si">{</span><span class="nx">email</span><span class="si">}</span> <span class="na">onChange</span><span class="p">=</span><span class="si">{</span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nf">setEmail</span><span class="p">(</span><span class="nx">e</span><span class="p">.</span><span class="nx">target</span><span class="p">.</span><span class="nx">value</span><span class="p">)</span><span class="si">}</span> <span class="na">className</span><span class="p">=</span><span class="s">"w-full rounded border p-2 mt-1"</span> <span class="na">autoComplete</span><span class="p">=</span><span class="s">"email"</span> <span class="p">/&gt;</span> <span class="p">&lt;/</span><span class="nt">label</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">label</span> <span class="na">className</span><span class="p">=</span><span class="s">"block"</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">span</span> <span class="na">className</span><span class="p">=</span><span class="s">"text-sm"</span><span class="p">&gt;</span>Password<span class="p">&lt;/</span><span class="nt">span</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">input</span> <span class="na">type</span><span class="p">=</span><span class="s">"password"</span> <span class="na">required</span> <span class="na">value</span><span class="p">=</span><span class="si">{</span><span class="nx">password</span><span class="si">}</span> <span class="na">onChange</span><span class="p">=</span><span class="si">{</span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nf">setPassword</span><span class="p">(</span><span class="nx">e</span><span class="p">.</span><span class="nx">target</span><span class="p">.</span><span class="nx">value</span><span class="p">)</span><span class="si">}</span> <span class="na">className</span><span class="p">=</span><span class="s">"w-full rounded border p-2 mt-1"</span> <span class="na">autoComplete</span><span class="p">=</span><span class="s">"current-password"</span> <span class="p">/&gt;</span> <span class="p">&lt;/</span><span class="nt">label</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">label</span> <span class="na">className</span><span class="p">=</span><span class="s">"flex items-center gap-2 text-sm"</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">input</span> <span class="na">type</span><span class="p">=</span><span class="s">"checkbox"</span> <span class="na">checked</span><span class="p">=</span><span class="si">{</span><span class="nx">remember</span><span class="si">}</span> <span class="na">onChange</span><span class="p">=</span><span class="si">{</span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nf">setRemember</span><span class="p">(</span><span class="nx">e</span><span class="p">.</span><span class="nx">target</span><span class="p">.</span><span class="nx">checked</span><span class="p">)</span><span class="si">}</span> <span class="p">/&gt;</span> Stay signed in for 30 days <span class="p">&lt;/</span><span class="nt">label</span><span class="p">&gt;</span> <span class="si">{</span><span class="nx">error</span> <span class="o">&amp;&amp;</span> <span class="p">&lt;</span><span class="nt">p</span> <span class="na">className</span><span class="p">=</span><span class="s">"text-red-600 text-sm"</span><span class="p">&gt;</span><span class="si">{</span><span class="nx">error</span><span class="si">}</span><span class="p">&lt;/</span><span class="nt">p</span><span class="p">&gt;</span><span class="si">}</span> <span class="p">&lt;</span><span class="nt">button</span> <span class="na">type</span><span class="p">=</span><span class="s">"submit"</span> <span class="na">disabled</span><span class="p">=</span><span class="si">{</span><span class="nx">pending</span><span class="si">}</span> <span class="na">className</span><span class="p">=</span><span class="s">"w-full rounded bg-black text-white py-2 disabled:opacity-50"</span> <span class="p">&gt;</span> <span class="si">{</span><span class="nx">pending</span> <span class="p">?</span> <span class="dl">"</span><span class="s2">Signing in...</span><span class="dl">"</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">Sign in</span><span class="dl">"</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nt">button</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">className</span><span class="p">=</span><span class="s">"flex justify-between text-sm"</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">a</span> <span class="na">href</span><span class="p">=</span><span class="s">"/auth/forgot"</span> <span class="na">className</span><span class="p">=</span><span class="s">"underline"</span><span class="p">&gt;</span>Forgot password?<span class="p">&lt;/</span><span class="nt">a</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">a</span> <span class="na">href</span><span class="p">=</span><span class="s">"/auth/register"</span> <span class="na">className</span><span class="p">=</span><span class="s">"underline"</span><span class="p">&gt;</span>Create account<span class="p">&lt;/</span><span class="nt">a</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">form</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>One error message for bad credentials: "Email or password is incorrect." Never "email not found" vs "password wrong". Same reason as register. Treat every signed-out-ish endpoint as hostile.</p> <p>The <code>autoComplete="current-password"</code> tells password managers to offer the existing stored password. This is the small UX detail that makes the difference between users loving password managers and fighting them.</p> <h2> The server endpoint </h2> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/api/auth/login/route.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NextRequest</span><span class="p">,</span> <span class="nx">NextResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">z</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">zod</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">bcrypt</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">bcrypt</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">randomBytes</span><span class="p">,</span> <span class="nx">createHash</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">crypto</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">db</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@/db</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">users</span><span class="p">,</span> <span class="nx">sessions</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@/db/schema</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">eq</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">drizzle-orm</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">rateLimit</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@/lib/rate-limit</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">body</span> <span class="o">=</span> <span class="nx">z</span><span class="p">.</span><span class="nf">object</span><span class="p">({</span> <span class="na">email</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">email</span><span class="p">().</span><span class="nf">max</span><span class="p">(</span><span class="mi">254</span><span class="p">),</span> <span class="na">password</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">min</span><span class="p">(</span><span class="mi">1</span><span class="p">).</span><span class="nf">max</span><span class="p">(</span><span class="mi">256</span><span class="p">),</span> <span class="na">remember</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">boolean</span><span class="p">().</span><span class="nf">optional</span><span class="p">(),</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">FAKE_HASH</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">$2b$12$abcdefghijklmnopqrstuuAbCdEfGhIjKlMnOpQrStUvWxYz.abcdef</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">POST</span><span class="p">(</span><span class="nx">req</span><span class="p">:</span> <span class="nx">NextRequest</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">ip</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">x-forwarded-for</span><span class="dl">"</span><span class="p">)</span> <span class="o">??</span> <span class="dl">"</span><span class="s2">unknown</span><span class="dl">"</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="k">await</span> <span class="nf">rateLimit</span><span class="p">(</span><span class="s2">`login:</span><span class="p">${</span><span class="nx">ip</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">{</span> <span class="na">max</span><span class="p">:</span> <span class="mi">10</span><span class="p">,</span> <span class="na">window</span><span class="p">:</span> <span class="mi">60</span> <span class="p">}))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Too many attempts</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">429</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">parsed</span> <span class="o">=</span> <span class="nx">body</span><span class="p">.</span><span class="nf">safeParse</span><span class="p">(</span><span class="k">await</span> <span class="nx">req</span><span class="p">.</span><span class="nf">json</span><span class="p">());</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">parsed</span><span class="p">.</span><span class="nx">success</span><span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">bcrypt</span><span class="p">.</span><span class="nf">compare</span><span class="p">(</span><span class="dl">"</span><span class="s2">dummy</span><span class="dl">"</span><span class="p">,</span> <span class="nx">FAKE_HASH</span><span class="p">);</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Invalid credentials</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">401</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">email</span> <span class="o">=</span> <span class="nx">parsed</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">email</span><span class="p">.</span><span class="nf">toLowerCase</span><span class="p">().</span><span class="nf">trim</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">query</span><span class="p">.</span><span class="nx">users</span><span class="p">.</span><span class="nf">findFirst</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="nf">eq</span><span class="p">(</span><span class="nx">users</span><span class="p">.</span><span class="nx">email</span><span class="p">,</span> <span class="nx">email</span><span class="p">),</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">hashToCompare</span> <span class="o">=</span> <span class="nx">user</span><span class="p">?.</span><span class="nx">passwordHash</span> <span class="o">??</span> <span class="nx">FAKE_HASH</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">passwordOk</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">bcrypt</span><span class="p">.</span><span class="nf">compare</span><span class="p">(</span><span class="nx">parsed</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">password</span><span class="p">,</span> <span class="nx">hashToCompare</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">user</span> <span class="o">||</span> <span class="o">!</span><span class="nx">passwordOk</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Invalid credentials</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">401</span> <span class="p">});</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">user</span><span class="p">.</span><span class="nx">emailVerified</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span> <span class="p">{</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Please verify your email before signing in</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">403</span> <span class="p">},</span> <span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">rawToken</span> <span class="o">=</span> <span class="nf">randomBytes</span><span class="p">(</span><span class="mi">32</span><span class="p">).</span><span class="nf">toString</span><span class="p">(</span><span class="dl">"</span><span class="s2">base64url</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">tokenHash</span> <span class="o">=</span> <span class="nf">createHash</span><span class="p">(</span><span class="dl">"</span><span class="s2">sha256</span><span class="dl">"</span><span class="p">).</span><span class="nf">update</span><span class="p">(</span><span class="nx">rawToken</span><span class="p">).</span><span class="nf">digest</span><span class="p">(</span><span class="dl">"</span><span class="s2">hex</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">expiresAt</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">+</span> <span class="p">(</span><span class="nx">parsed</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">remember</span> <span class="p">?</span> <span class="mi">30</span> <span class="p">:</span> <span class="mi">1</span><span class="p">)</span> <span class="o">*</span> <span class="mi">24</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">,</span> <span class="p">);</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nf">insert</span><span class="p">(</span><span class="nx">sessions</span><span class="p">).</span><span class="nf">values</span><span class="p">({</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="nx">tokenHash</span><span class="p">,</span> <span class="nx">expiresAt</span><span class="p">,</span> <span class="na">ipAddress</span><span class="p">:</span> <span class="nx">ip</span><span class="p">,</span> <span class="na">userAgent</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">user-agent</span><span class="dl">"</span><span class="p">)</span> <span class="o">??</span> <span class="kc">null</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">ok</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="nx">res</span><span class="p">.</span><span class="nx">cookies</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">"</span><span class="s2">session</span><span class="dl">"</span><span class="p">,</span> <span class="nx">rawToken</span><span class="p">,</span> <span class="p">{</span> <span class="na">httpOnly</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">secure</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">sameSite</span><span class="p">:</span> <span class="dl">"</span><span class="s2">lax</span><span class="dl">"</span><span class="p">,</span> <span class="na">path</span><span class="p">:</span> <span class="dl">"</span><span class="s2">/</span><span class="dl">"</span><span class="p">,</span> <span class="na">expires</span><span class="p">:</span> <span class="nx">expiresAt</span><span class="p">,</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">res</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>This endpoint is doing five things. Let me walk through the non-obvious ones.</p> <h3> The fake hash </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">hashToCompare</span> <span class="o">=</span> <span class="nx">user</span><span class="p">?.</span><span class="nx">passwordHash</span> <span class="o">??</span> <span class="nx">FAKE_HASH</span><span class="p">;</span> <span class="k">await</span> <span class="nx">bcrypt</span><span class="p">.</span><span class="nf">compare</span><span class="p">(</span><span class="nx">parsed</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">password</span><span class="p">,</span> <span class="nx">hashToCompare</span><span class="p">);</span> </code></pre> </div> <p>This is the timing defense nobody covers. bcrypt.compare takes ~50ms at cost factor 12. If you skip it when the user does not exist, you have a timing oracle: attackers can tell which emails are registered by measuring how long the endpoint takes. 50ms is plenty to detect over the network.</p> <p>The fix is to always run <code>bcrypt.compare</code>, even when the user does not exist. The <code>FAKE_HASH</code> is a valid bcrypt string that will never match anything (I generated it once with <code>bcrypt.hash("nothing", 12)</code> and hardcoded it). The comparison takes the same ~50ms whether the user exists or not.</p> <p>Measure this with <code>time</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">time </span>curl <span class="nt">-s</span> <span class="nt">-X</span> POST http://localhost:3000/api/auth/login <span class="se">\</span> <span class="nt">-H</span> <span class="s1">'content-type: application/json'</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"email":"existing@example.com","password":"wrong"}'</span> real 0m0.082s <span class="nv">$ </span><span class="nb">time </span>curl <span class="nt">-s</span> <span class="nt">-X</span> POST http://localhost:3000/api/auth/login <span class="se">\</span> <span class="nt">-H</span> <span class="s1">'content-type: application/json'</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"email":"nonexistent@example.com","password":"wrong"}'</span> real 0m0.079s </code></pre> </div> <p>3ms of noise. Good.</p> <p>Without the fake hash:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">time </span>curl <span class="nt">-s</span> <span class="nt">-X</span> POST http://localhost:3000/api/auth/login <span class="se">\</span> <span class="nt">-H</span> <span class="s1">'content-type: application/json'</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"email":"existing@example.com","password":"wrong"}'</span> real 0m0.081s <span class="nv">$ </span><span class="nb">time </span>curl <span class="nt">-s</span> <span class="nt">-X</span> POST http://localhost:3000/api/auth/login <span class="se">\</span> <span class="nt">-H</span> <span class="s1">'content-type: application/json'</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"email":"nonexistent@example.com","password":"wrong"}'</span> real 0m0.022s </code></pre> </div> <p>60ms difference. An attacker can now enumerate your user base with a wordlist.</p> <h3> The session cookie </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">res</span><span class="p">.</span><span class="nx">cookies</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">"</span><span class="s2">session</span><span class="dl">"</span><span class="p">,</span> <span class="nx">rawToken</span><span class="p">,</span> <span class="p">{</span> <span class="na">httpOnly</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">secure</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">sameSite</span><span class="p">:</span> <span class="dl">"</span><span class="s2">lax</span><span class="dl">"</span><span class="p">,</span> <span class="na">path</span><span class="p">:</span> <span class="dl">"</span><span class="s2">/</span><span class="dl">"</span><span class="p">,</span> <span class="na">expires</span><span class="p">:</span> <span class="nx">expiresAt</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <p>Four flags that all matter.</p> <p><code>httpOnly: true</code> means JavaScript on the page cannot read the cookie. This is your main defense against XSS-based session theft. An attacker who achieves script execution can still do damage, but they cannot grab the session token and walk away with it.</p> <p><code>secure: true</code> means the cookie only goes over HTTPS. On localhost you need to flip this off during development or use <code>https://localhost</code> with a self-signed cert.</p> <p><code>sameSite: "lax"</code> means the cookie is sent on navigation from other sites but not on cross-site POSTs. This is most of your CSRF defense for free. The alternative is <code>"strict"</code>, which also blocks cross-site GETs and breaks the "click a link from Gmail to your app" flow.</p> <p><code>expires: expiresAt</code> matches the session row. The cookie expires at the same time the server-side row does, so the browser does not keep sending a cookie the server will reject anyway.</p> <h3> The email verification gate </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">user</span><span class="p">.</span><span class="nx">emailVerified</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span> <span class="p">{</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Please verify your email before signing in</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">403</span> <span class="p">},</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>If you decide to enforce email verification (you should, most of the time), this is where it goes. The error is distinguishable from "invalid credentials" because the user has already proven they know the password at this point. Telling them the specific problem is fine.</p> <p>If you want to allow limited access before verification (some apps let users in but gate features), move the check out of login into the middleware that guards the feature.</p> <h2> The session middleware </h2> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// middleware.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NextRequest</span><span class="p">,</span> <span class="nx">NextResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">createHash</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">crypto</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">db</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@/db</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">sessions</span><span class="p">,</span> <span class="nx">users</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@/db/schema</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">eq</span><span class="p">,</span> <span class="nx">gt</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">drizzle-orm</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">middleware</span><span class="p">(</span><span class="nx">req</span><span class="p">:</span> <span class="nx">NextRequest</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">cookies</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">session</span><span class="dl">"</span><span class="p">)?.</span><span class="nx">value</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">token</span><span class="p">)</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">redirect</span><span class="p">(</span><span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="dl">"</span><span class="s2">/auth/login</span><span class="dl">"</span><span class="p">,</span> <span class="nx">req</span><span class="p">.</span><span class="nx">url</span><span class="p">));</span> <span class="kd">const</span> <span class="nx">tokenHash</span> <span class="o">=</span> <span class="nf">createHash</span><span class="p">(</span><span class="dl">"</span><span class="s2">sha256</span><span class="dl">"</span><span class="p">).</span><span class="nf">update</span><span class="p">(</span><span class="nx">token</span><span class="p">).</span><span class="nf">digest</span><span class="p">(</span><span class="dl">"</span><span class="s2">hex</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">row</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">query</span><span class="p">.</span><span class="nx">sessions</span><span class="p">.</span><span class="nf">findFirst</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="nf">and</span><span class="p">(</span> <span class="nf">eq</span><span class="p">(</span><span class="nx">sessions</span><span class="p">.</span><span class="nx">tokenHash</span><span class="p">,</span> <span class="nx">tokenHash</span><span class="p">),</span> <span class="nf">gt</span><span class="p">(</span><span class="nx">sessions</span><span class="p">.</span><span class="nx">expiresAt</span><span class="p">,</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">()),</span> <span class="p">),</span> <span class="na">with</span><span class="p">:</span> <span class="p">{</span> <span class="na">user</span><span class="p">:</span> <span class="kc">true</span> <span class="p">},</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">row</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">redirect</span><span class="p">(</span><span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="dl">"</span><span class="s2">/auth/login</span><span class="dl">"</span><span class="p">,</span> <span class="nx">req</span><span class="p">.</span><span class="nx">url</span><span class="p">));</span> <span class="nx">res</span><span class="p">.</span><span class="nx">cookies</span><span class="p">.</span><span class="k">delete</span><span class="p">(</span><span class="dl">"</span><span class="s2">session</span><span class="dl">"</span><span class="p">);</span> <span class="k">return</span> <span class="nx">res</span><span class="p">;</span> <span class="p">}</span> <span class="k">await</span> <span class="nx">db</span> <span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="nx">sessions</span><span class="p">)</span> <span class="p">.</span><span class="nf">set</span><span class="p">({</span> <span class="na">lastUsedAt</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">()</span> <span class="p">})</span> <span class="p">.</span><span class="nf">where</span><span class="p">(</span><span class="nf">eq</span><span class="p">(</span><span class="nx">sessions</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="nx">row</span><span class="p">.</span><span class="nx">id</span><span class="p">));</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">next</span><span class="p">();</span> <span class="nx">res</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">"</span><span class="s2">x-user-id</span><span class="dl">"</span><span class="p">,</span> <span class="nc">String</span><span class="p">(</span><span class="nx">row</span><span class="p">.</span><span class="nx">userId</span><span class="p">));</span> <span class="k">return</span> <span class="nx">res</span><span class="p">;</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">config</span> <span class="o">=</span> <span class="p">{</span> <span class="na">matcher</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">/dashboard/:path*</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">/api/me/:path*</span><span class="dl">"</span><span class="p">],</span> <span class="p">};</span> </code></pre> </div> <p>One thing worth calling out: the middleware updates <code>last_used_at</code> on every request. This is what powers the "last active 5 minutes ago" display on the account page. If you are worried about write amplification on a high traffic app, batch the updates or throttle to once per minute per session.</p> <h2> Logout </h2> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/api/auth/logout/route.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NextRequest</span><span class="p">,</span> <span class="nx">NextResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">createHash</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">crypto</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">db</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@/db</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">sessions</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@/db/schema</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">eq</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">drizzle-orm</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">POST</span><span class="p">(</span><span class="nx">req</span><span class="p">:</span> <span class="nx">NextRequest</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">cookies</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">session</span><span class="dl">"</span><span class="p">)?.</span><span class="nx">value</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">token</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">tokenHash</span> <span class="o">=</span> <span class="nf">createHash</span><span class="p">(</span><span class="dl">"</span><span class="s2">sha256</span><span class="dl">"</span><span class="p">).</span><span class="nf">update</span><span class="p">(</span><span class="nx">token</span><span class="p">).</span><span class="nf">digest</span><span class="p">(</span><span class="dl">"</span><span class="s2">hex</span><span class="dl">"</span><span class="p">);</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="k">delete</span><span class="p">(</span><span class="nx">sessions</span><span class="p">).</span><span class="nf">where</span><span class="p">(</span><span class="nf">eq</span><span class="p">(</span><span class="nx">sessions</span><span class="p">.</span><span class="nx">tokenHash</span><span class="p">,</span> <span class="nx">tokenHash</span><span class="p">));</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">ok</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="nx">res</span><span class="p">.</span><span class="nx">cookies</span><span class="p">.</span><span class="k">delete</span><span class="p">(</span><span class="dl">"</span><span class="s2">session</span><span class="dl">"</span><span class="p">);</span> <span class="k">return</span> <span class="nx">res</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>Delete the session row, delete the cookie. Both. If you only delete the cookie, the session is still valid server-side, which means an attacker holding a stolen cookie can keep using it after the user hits "log out".</p> <h2> CSRF </h2> <p>SameSite=Lax on the cookie handles most CSRF. The edge case it does not handle is a GET that changes state (you should not have those) or a POST from a form on your own origin that was manipulated by XSS (XSS is its own problem).</p> <p>If you want extra defense, add a double-submit CSRF token:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// On any state-changing endpoint, check:</span> <span class="kd">const</span> <span class="nx">csrfCookie</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">cookies</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">csrf</span><span class="dl">"</span><span class="p">)?.</span><span class="nx">value</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">csrfHeader</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">x-csrf-token</span><span class="dl">"</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">csrfCookie</span> <span class="o">||</span> <span class="nx">csrfCookie</span> <span class="o">!==</span> <span class="nx">csrfHeader</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">csrf</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">403</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p>Set the cookie on session create, have your frontend read it (not HttpOnly) and attach it as a header on every mutating fetch. This is belt-and-suspenders protection and most apps do not need it, but if you are handling money or health data, add it.</p> <h2> Testing from the terminal </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Login with valid credentials</span> <span class="nv">$ </span>curl <span class="nt">-i</span> <span class="nt">-c</span> cookies.txt <span class="nt">-X</span> POST http://localhost:3000/api/auth/login <span class="se">\</span> <span class="nt">-H</span> <span class="s1">'content-type: application/json'</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"email":"alice@example.com","password":"Correct-Horse-1"}'</span> HTTP/1.1 200 OK set-cookie: <span class="nv">session</span><span class="o">=</span>abc123...<span class="p">;</span> <span class="nv">Path</span><span class="o">=</span>/<span class="p">;</span> <span class="nv">Expires</span><span class="o">=</span>...<span class="p">;</span> HttpOnly<span class="p">;</span> Secure<span class="p">;</span> <span class="nv">SameSite</span><span class="o">=</span>Lax content-type: application/json <span class="o">{</span><span class="s2">"ok"</span>:true<span class="o">}</span> <span class="c"># Hit a protected route</span> <span class="nv">$ </span>curl <span class="nt">-i</span> <span class="nt">-b</span> cookies.txt http://localhost:3000/api/me HTTP/1.1 200 OK content-type: application/json <span class="o">{</span><span class="s2">"user"</span>:<span class="o">{</span><span class="s2">"id"</span>:1,<span class="s2">"email"</span>:<span class="s2">"alice@example.com"</span><span class="o">}}</span> <span class="c"># Logout</span> <span class="nv">$ </span>curl <span class="nt">-i</span> <span class="nt">-b</span> cookies.txt <span class="nt">-X</span> POST http://localhost:3000/api/auth/logout HTTP/1.1 200 OK set-cookie: <span class="nv">session</span><span class="o">=</span><span class="p">;</span> <span class="nv">Path</span><span class="o">=</span>/<span class="p">;</span> Max-Age<span class="o">=</span>0 content-type: application/json <span class="o">{</span><span class="s2">"ok"</span>:true<span class="o">}</span> <span class="c"># Hit the protected route again</span> <span class="nv">$ </span>curl <span class="nt">-i</span> <span class="nt">-b</span> cookies.txt http://localhost:3000/api/me HTTP/1.1 302 Found location: /auth/login </code></pre> </div> <p>Check the sessions table:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>psql <span class="nv">$DATABASE_URL</span> <span class="nt">-c</span> <span class="s2">"select user_id, expires_at, last_used_at from sessions;"</span> user_id | expires_at | last_used_at <span class="nt">---------</span>+--------------------------+------------------------ 1 | 2026-05-18 14:30:22+00 | 2026-04-18 14:32:10+00 </code></pre> </div> <p>And after logout:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>psql <span class="nv">$DATABASE_URL</span> <span class="nt">-c</span> <span class="s2">"select count(*) from sessions where user_id = 1;"</span> count <span class="nt">-------</span> 0 </code></pre> </div> <h2> The same thing in kavachOS </h2> <h3> Install, migrate, configure </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pnpm add kavachos @kavachos/nextjs pnpm kavachos migrate </code></pre> </div> <p>The <code>migrate</code> command creates the <code>users</code>, <code>sessions</code>, and all the other tables this series is covering. You do not write the SQL, and you do not own the upgrade path when a new column is added.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// auth.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">kavachos</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">kavachos</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">nextjsAdapter</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kavachos/nextjs</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">auth</span> <span class="o">=</span> <span class="nf">kavachos</span><span class="p">({</span> <span class="na">adapter</span><span class="p">:</span> <span class="nf">nextjsAdapter</span><span class="p">(),</span> <span class="na">database</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">DATABASE_URL</span><span class="o">!</span><span class="p">,</span> <span class="na">session</span><span class="p">:</span> <span class="p">{</span> <span class="na">expiresIn</span><span class="p">:</span> <span class="dl">"</span><span class="s2">1d</span><span class="dl">"</span><span class="p">,</span> <span class="na">rememberMeExpiresIn</span><span class="p">:</span> <span class="dl">"</span><span class="s2">30d</span><span class="dl">"</span><span class="p">,</span> <span class="na">rolling</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">cookie</span><span class="p">:</span> <span class="p">{</span> <span class="na">sameSite</span><span class="p">:</span> <span class="dl">"</span><span class="s2">lax</span><span class="dl">"</span><span class="p">,</span> <span class="na">secure</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">httpOnly</span><span class="p">:</span> <span class="kc">true</span> <span class="p">},</span> <span class="p">},</span> <span class="na">providers</span><span class="p">:</span> <span class="p">{</span> <span class="na">password</span><span class="p">:</span> <span class="p">{</span> <span class="na">minLength</span><span class="p">:</span> <span class="mi">12</span> <span class="p">},</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <h3> The login form </h3> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="dl">"</span><span class="s2">use client</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">useAuth</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kavachos/nextjs</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">Login</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">signIn</span><span class="p">,</span> <span class="nx">pending</span><span class="p">,</span> <span class="nx">error</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">useAuth</span><span class="p">();</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nt">form</span> <span class="na">action</span><span class="p">=</span><span class="si">{</span><span class="nx">signIn</span><span class="si">}</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">input</span> <span class="na">name</span><span class="p">=</span><span class="s">"email"</span> <span class="na">type</span><span class="p">=</span><span class="s">"email"</span> <span class="na">required</span> <span class="p">/&gt;</span> <span class="p">&lt;</span><span class="nt">input</span> <span class="na">name</span><span class="p">=</span><span class="s">"password"</span> <span class="na">type</span><span class="p">=</span><span class="s">"password"</span> <span class="na">required</span> <span class="p">/&gt;</span> <span class="p">&lt;</span><span class="nt">label</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">input</span> <span class="na">name</span><span class="p">=</span><span class="s">"remember"</span> <span class="na">type</span><span class="p">=</span><span class="s">"checkbox"</span> <span class="p">/&gt;</span> Stay signed in for 30 days <span class="p">&lt;/</span><span class="nt">label</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">button</span> <span class="na">disabled</span><span class="p">=</span><span class="si">{</span><span class="nx">pending</span><span class="si">}</span><span class="p">&gt;</span>Sign in<span class="p">&lt;/</span><span class="nt">button</span><span class="p">&gt;</span> <span class="si">{</span><span class="nx">error</span> <span class="o">&amp;&amp;</span> <span class="p">&lt;</span><span class="nt">p</span><span class="p">&gt;</span>Email or password is incorrect.<span class="p">&lt;/</span><span class="nt">p</span><span class="p">&gt;</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nt">form</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h3> The middleware </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// middleware.ts</span> <span class="k">export</span> <span class="p">{</span> <span class="nx">auth</span> <span class="k">as</span> <span class="nx">middleware</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@/auth</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">config</span> <span class="o">=</span> <span class="p">{</span> <span class="na">matcher</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">/dashboard/:path*</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">/api/me/:path*</span><span class="dl">"</span><span class="p">],</span> <span class="p">};</span> </code></pre> </div> <p>Done. The fake hash comparison, the SameSite=Lax cookie, the session rotation on password change, the <code>last_used_at</code> updates, all there. Docs at <a href="https://kavachos.com/docs/login" rel="noopener noreferrer">kavachos.com/docs/login</a>.</p> <h2> Four things I see go wrong </h2> <p><strong>Returning "email not found" or "wrong password".</strong> Always the same error. You are giving attackers free information otherwise.</p> <p><strong>No fake hash on the no-user branch.</strong> The timing leak is real and measurable over the open internet.</p> <p><strong>Using <code>SameSite=None</code> because someone copied a config from Stack Overflow.</strong> <code>None</code> requires <code>Secure</code> and opens the cookie up to cross-site sending. Default to <code>Lax</code>.</p> <p><strong>Storing the raw session token in the database.</strong> Hash it. Always. This is the same rule as reset tokens, magic link tokens, everything.</p> <h2> Up next </h2> <p>Article 05: password reset. You already know most of the shape from register and login. The twist is session rotation on success and how to make the email survive spam filters.</p> <p>Follow me here so the next one shows up in your feed.</p> <p>If you have a login flow bug you cannot figure out, drop the symptom in the comments. I have probably seen it.</p> <p><em><a href="https://thegdsks.com" rel="noopener noreferrer">Gagan Deep Singh</a> builds open source tools at <a href="https://glincker.com" rel="noopener noreferrer">Glincker</a>. Currently working on <a href="https://kavachos.com" rel="noopener noreferrer">kavachOS</a> (open source auth for AI agents and humans) and <a href="https://askverdict.ai" rel="noopener noreferrer">AskVerdict</a> (multi-model AI verdicts).</em></p> <p><em>If this was useful, follow me on <a href="https://dev.to/thegdsks">Dev.to</a> or <a href="https://x.com/thegdsks" rel="noopener noreferrer">X</a> where I post weekly.</em></p> nextjs authentication webdev tutorial GDS K S Sat, 18 Apr 2026 20:35:52 +0000 https://dev.to/thegdsks/how-to-build-a-register-user-flow-in-nextjs-15-frontend-backend-database-email-50b5 https://dev.to/thegdsks/how-to-build-a-register-user-flow-in-nextjs-15-frontend-backend-database-email-50b5 <p>This is part 3 of the series on building an auth system from scratch. Today: the register user flow. By the end you will have a working signup page, a server endpoint, a users table, and a verification email getting delivered.</p> <h2> The flow, end to end </h2> <p>Here is what happens when a user hits "Create account":<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>+-------+ +------------+ +-----------+ +--------+ |Browser| POST | Next.js | INSERT| Postgres | SEND |Resend | | |-------&gt;|/api/ |------&gt;| users |-----&gt;| | | | |auth/ | | (verify=F| | | | |&lt;-------|register |&lt;------| id=123) |&lt;-----| | | | 200 | | +-----------+ +--------+ +-------+ +------------+ | | | GET /dashboard | 302 to /check-email v v (not signed in yet) (shows "check your inbox" screen) </code></pre> </div> <p>And then, separately, when the user clicks the verification link:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>+-------+ +------------+ +-----------+ |Email | GET | Next.js | UPDATE| Postgres | |client |--token--&gt;|/api/ |------&gt;| users | | | |auth/verify | | verify=T | | |&lt;---------| |&lt;------| | | | 302 to +------------+ +-----------+ | | /login | +-------+ | | set session cookie v (now signed in) </code></pre> </div> <p>Note the two separate round trips. We do not sign the user in until the email is verified. If you sign them in at registration, you effectively have no email verification because a bot can register a throwaway address, get a session, and cause damage before the email lands.</p> <h2> The database table </h2> <p>A quick note before the SQL. The DIY sections of this series show the schema you would build yourself. If you are using <a href="https://kavachos.com" rel="noopener noreferrer">kavachOS</a>, you will never write this SQL by hand. <code>pnpm kavachos migrate</code> ships a vetted version of these tables and keeps them upgraded. I am still showing the schema because reading it is how you understand what is happening under your auth library, whether that library is mine or someone else's.</p> <p>From article 02, for reference:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">create</span> <span class="k">table</span> <span class="n">users</span> <span class="p">(</span> <span class="n">id</span> <span class="n">bigserial</span> <span class="k">primary</span> <span class="k">key</span><span class="p">,</span> <span class="n">email</span> <span class="n">citext</span> <span class="k">not</span> <span class="k">null</span> <span class="k">unique</span><span class="p">,</span> <span class="n">password_hash</span> <span class="nb">text</span> <span class="k">not</span> <span class="k">null</span><span class="p">,</span> <span class="n">email_verified</span> <span class="nb">boolean</span> <span class="k">not</span> <span class="k">null</span> <span class="k">default</span> <span class="k">false</span><span class="p">,</span> <span class="n">created_at</span> <span class="n">timestamptz</span> <span class="k">not</span> <span class="k">null</span> <span class="k">default</span> <span class="n">now</span><span class="p">(),</span> <span class="n">updated_at</span> <span class="n">timestamptz</span> <span class="k">not</span> <span class="k">null</span> <span class="k">default</span> <span class="n">now</span><span class="p">()</span> <span class="p">);</span> <span class="k">create</span> <span class="k">table</span> <span class="n">email_verification_tokens</span> <span class="p">(</span> <span class="n">id</span> <span class="n">bigserial</span> <span class="k">primary</span> <span class="k">key</span><span class="p">,</span> <span class="n">user_id</span> <span class="nb">bigint</span> <span class="k">not</span> <span class="k">null</span> <span class="k">references</span> <span class="n">users</span><span class="p">(</span><span class="n">id</span><span class="p">)</span> <span class="k">on</span> <span class="k">delete</span> <span class="k">cascade</span><span class="p">,</span> <span class="n">token_hash</span> <span class="nb">text</span> <span class="k">not</span> <span class="k">null</span> <span class="k">unique</span><span class="p">,</span> <span class="n">expires_at</span> <span class="n">timestamptz</span> <span class="k">not</span> <span class="k">null</span><span class="p">,</span> <span class="n">used_at</span> <span class="n">timestamptz</span><span class="p">,</span> <span class="n">created_at</span> <span class="n">timestamptz</span> <span class="k">not</span> <span class="k">null</span> <span class="k">default</span> <span class="n">now</span><span class="p">()</span> <span class="p">);</span> <span class="k">create</span> <span class="k">index</span> <span class="n">idx_evt_user_unused</span> <span class="k">on</span> <span class="n">email_verification_tokens</span><span class="p">(</span><span class="n">user_id</span><span class="p">)</span> <span class="k">where</span> <span class="n">used_at</span> <span class="k">is</span> <span class="k">null</span><span class="p">;</span> </code></pre> </div> <p>Three things worth calling out:</p> <p><strong><code>citext</code> for email.</strong> Postgres has a case-insensitive text type. With it, <code>Alice@Example.com</code> and <code>alice@example.com</code> collide on the unique constraint. Without it, you get duplicate accounts. Enable the extension once with <code>CREATE EXTENSION citext;</code>.</p> <p><strong><code>on delete cascade</code> on the token.</strong> If a user is deleted, their verification tokens go with them. You do not want orphaned rows.</p> <p><strong>Partial index on unused tokens.</strong> The lookup is always "find the unused token for this user". A partial index is smaller and faster than a full one.</p> <h2> The frontend form </h2> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// app/auth/register/page.tsx</span> <span class="dl">"</span><span class="s2">use client</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">useState</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">react</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">useRouter</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/navigation</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">Register</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">router</span> <span class="o">=</span> <span class="nf">useRouter</span><span class="p">();</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">email</span><span class="p">,</span> <span class="nx">setEmail</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="dl">""</span><span class="p">);</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">password</span><span class="p">,</span> <span class="nx">setPassword</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="dl">""</span><span class="p">);</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">pending</span><span class="p">,</span> <span class="nx">setPending</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="kc">false</span><span class="p">);</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">error</span><span class="p">,</span> <span class="nx">setError</span><span class="p">]</span> <span class="o">=</span> <span class="nx">useState</span><span class="o">&lt;</span><span class="kr">string</span> <span class="o">|</span> <span class="kc">null</span><span class="o">&gt;</span><span class="p">(</span><span class="kc">null</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">rules</span> <span class="o">=</span> <span class="p">{</span> <span class="na">minLength</span><span class="p">:</span> <span class="nx">password</span><span class="p">.</span><span class="nx">length</span> <span class="o">&gt;=</span> <span class="mi">12</span><span class="p">,</span> <span class="na">hasNumber</span><span class="p">:</span> <span class="sr">/</span><span class="se">[</span><span class="sr">0-9</span><span class="se">]</span><span class="sr">/</span><span class="p">.</span><span class="nf">test</span><span class="p">(</span><span class="nx">password</span><span class="p">),</span> <span class="na">hasLower</span><span class="p">:</span> <span class="sr">/</span><span class="se">[</span><span class="sr">a-z</span><span class="se">]</span><span class="sr">/</span><span class="p">.</span><span class="nf">test</span><span class="p">(</span><span class="nx">password</span><span class="p">),</span> <span class="na">hasUpper</span><span class="p">:</span> <span class="sr">/</span><span class="se">[</span><span class="sr">A-Z</span><span class="se">]</span><span class="sr">/</span><span class="p">.</span><span class="nf">test</span><span class="p">(</span><span class="nx">password</span><span class="p">),</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">valid</span> <span class="o">=</span> <span class="nb">Object</span><span class="p">.</span><span class="nf">values</span><span class="p">(</span><span class="nx">rules</span><span class="p">).</span><span class="nf">every</span><span class="p">(</span><span class="nb">Boolean</span><span class="p">);</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">submit</span><span class="p">(</span><span class="nx">e</span><span class="p">:</span> <span class="nx">React</span><span class="p">.</span><span class="nx">FormEvent</span><span class="p">)</span> <span class="p">{</span> <span class="nx">e</span><span class="p">.</span><span class="nf">preventDefault</span><span class="p">();</span> <span class="nf">setError</span><span class="p">(</span><span class="kc">null</span><span class="p">);</span> <span class="nf">setPending</span><span class="p">(</span><span class="kc">true</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">"</span><span class="s2">/api/auth/register</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">"</span><span class="s2">POST</span><span class="dl">"</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">content-type</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">application/json</span><span class="dl">"</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">password</span> <span class="p">}),</span> <span class="p">});</span> <span class="nf">setPending</span><span class="p">(</span><span class="kc">false</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">res</span><span class="p">.</span><span class="nx">status</span> <span class="o">===</span> <span class="mi">429</span><span class="p">)</span> <span class="p">{</span> <span class="nf">setError</span><span class="p">(</span><span class="dl">"</span><span class="s2">Too many attempts. Try again in a minute.</span><span class="dl">"</span><span class="p">);</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">res</span><span class="p">.</span><span class="nx">ok</span><span class="p">)</span> <span class="p">{</span> <span class="nf">setError</span><span class="p">(</span><span class="dl">"</span><span class="s2">Something went wrong. Try again.</span><span class="dl">"</span><span class="p">);</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="nx">router</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="dl">"</span><span class="s2">/auth/check-email</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nt">form</span> <span class="na">onSubmit</span><span class="p">=</span><span class="si">{</span><span class="nx">submit</span><span class="si">}</span> <span class="na">className</span><span class="p">=</span><span class="s">"max-w-sm mx-auto mt-16 space-y-4"</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">h1</span> <span class="na">className</span><span class="p">=</span><span class="s">"text-2xl font-semibold"</span><span class="p">&gt;</span>Create account<span class="p">&lt;/</span><span class="nt">h1</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">label</span> <span class="na">className</span><span class="p">=</span><span class="s">"block"</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">span</span> <span class="na">className</span><span class="p">=</span><span class="s">"text-sm"</span><span class="p">&gt;</span>Email<span class="p">&lt;/</span><span class="nt">span</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">input</span> <span class="na">type</span><span class="p">=</span><span class="s">"email"</span> <span class="na">required</span> <span class="na">value</span><span class="p">=</span><span class="si">{</span><span class="nx">email</span><span class="si">}</span> <span class="na">onChange</span><span class="p">=</span><span class="si">{</span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nf">setEmail</span><span class="p">(</span><span class="nx">e</span><span class="p">.</span><span class="nx">target</span><span class="p">.</span><span class="nx">value</span><span class="p">)</span><span class="si">}</span> <span class="na">className</span><span class="p">=</span><span class="s">"w-full rounded border p-2 mt-1"</span> <span class="na">autoComplete</span><span class="p">=</span><span class="s">"email"</span> <span class="p">/&gt;</span> <span class="p">&lt;/</span><span class="nt">label</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">label</span> <span class="na">className</span><span class="p">=</span><span class="s">"block"</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">span</span> <span class="na">className</span><span class="p">=</span><span class="s">"text-sm"</span><span class="p">&gt;</span>Password<span class="p">&lt;/</span><span class="nt">span</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">input</span> <span class="na">type</span><span class="p">=</span><span class="s">"password"</span> <span class="na">required</span> <span class="na">value</span><span class="p">=</span><span class="si">{</span><span class="nx">password</span><span class="si">}</span> <span class="na">onChange</span><span class="p">=</span><span class="si">{</span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nf">setPassword</span><span class="p">(</span><span class="nx">e</span><span class="p">.</span><span class="nx">target</span><span class="p">.</span><span class="nx">value</span><span class="p">)</span><span class="si">}</span> <span class="na">className</span><span class="p">=</span><span class="s">"w-full rounded border p-2 mt-1"</span> <span class="na">autoComplete</span><span class="p">=</span><span class="s">"new-password"</span> <span class="p">/&gt;</span> <span class="p">&lt;/</span><span class="nt">label</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">ul</span> <span class="na">className</span><span class="p">=</span><span class="s">"text-xs space-y-1"</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">Rule</span> <span class="na">ok</span><span class="p">=</span><span class="si">{</span><span class="nx">rules</span><span class="p">.</span><span class="nx">minLength</span><span class="si">}</span><span class="p">&gt;</span>At least 12 characters<span class="p">&lt;/</span><span class="nc">Rule</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">Rule</span> <span class="na">ok</span><span class="p">=</span><span class="si">{</span><span class="nx">rules</span><span class="p">.</span><span class="nx">hasLower</span><span class="si">}</span><span class="p">&gt;</span>A lowercase letter<span class="p">&lt;/</span><span class="nc">Rule</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">Rule</span> <span class="na">ok</span><span class="p">=</span><span class="si">{</span><span class="nx">rules</span><span class="p">.</span><span class="nx">hasUpper</span><span class="si">}</span><span class="p">&gt;</span>An uppercase letter<span class="p">&lt;/</span><span class="nc">Rule</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">Rule</span> <span class="na">ok</span><span class="p">=</span><span class="si">{</span><span class="nx">rules</span><span class="p">.</span><span class="nx">hasNumber</span><span class="si">}</span><span class="p">&gt;</span>A number<span class="p">&lt;/</span><span class="nc">Rule</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">ul</span><span class="p">&gt;</span> <span class="si">{</span><span class="nx">error</span> <span class="o">&amp;&amp;</span> <span class="p">&lt;</span><span class="nt">p</span> <span class="na">className</span><span class="p">=</span><span class="s">"text-red-600 text-sm"</span><span class="p">&gt;</span><span class="si">{</span><span class="nx">error</span><span class="si">}</span><span class="p">&lt;/</span><span class="nt">p</span><span class="p">&gt;</span><span class="si">}</span> <span class="p">&lt;</span><span class="nt">button</span> <span class="na">type</span><span class="p">=</span><span class="s">"submit"</span> <span class="na">disabled</span><span class="p">=</span><span class="si">{</span><span class="o">!</span><span class="nx">valid</span> <span class="o">||</span> <span class="nx">pending</span><span class="si">}</span> <span class="na">className</span><span class="p">=</span><span class="s">"w-full rounded bg-black text-white py-2 disabled:opacity-50"</span> <span class="p">&gt;</span> <span class="si">{</span><span class="nx">pending</span> <span class="p">?</span> <span class="dl">"</span><span class="s2">Creating...</span><span class="dl">"</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">Create account</span><span class="dl">"</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nt">button</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">form</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">Rule</span><span class="p">({</span> <span class="nx">ok</span><span class="p">,</span> <span class="nx">children</span> <span class="p">}:</span> <span class="p">{</span> <span class="nl">ok</span><span class="p">:</span> <span class="nx">boolean</span><span class="p">;</span> <span class="nl">children</span><span class="p">:</span> <span class="nx">React</span><span class="p">.</span><span class="nx">ReactNode</span> <span class="p">})</span> <span class="p">{</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nt">li</span> <span class="na">className</span><span class="p">=</span><span class="si">{</span><span class="nx">ok</span> <span class="p">?</span> <span class="dl">"</span><span class="s2">text-green-600</span><span class="dl">"</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">text-zinc-500</span><span class="dl">"</span><span class="si">}</span><span class="p">&gt;</span> <span class="si">{</span><span class="nx">ok</span> <span class="p">?</span> <span class="dl">"</span><span class="s2">✓</span><span class="dl">"</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">○</span><span class="dl">"</span><span class="si">}</span> <span class="si">{</span><span class="nx">children</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nt">li</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>A few notes on the form itself.</p> <p>The <code>autoComplete="new-password"</code> tells browsers and password managers that this is a new password, which prevents them from autofilling an existing password and also prompts 1Password / Bitwarden / the browser to offer to generate a strong password.</p> <p>The password rules are rendered as you type. I know there is a whole debate about password rules (NIST now says long is better than complex), but shipping "12 chars minimum, mixed case, a number" keeps the bulk of obvious bad passwords out without being annoying.</p> <p>Never return a specific error for "email already exists" from the server, and never show it on the frontend. That is account enumeration.</p> <h2> The server endpoint </h2> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/api/auth/register/route.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NextRequest</span><span class="p">,</span> <span class="nx">NextResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">z</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">zod</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">bcrypt</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">bcrypt</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">randomBytes</span><span class="p">,</span> <span class="nx">createHash</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">crypto</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">db</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@/db</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">users</span><span class="p">,</span> <span class="nx">emailVerificationTokens</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@/db/schema</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">eq</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">drizzle-orm</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">sendVerificationEmail</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@/lib/email</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">rateLimit</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@/lib/rate-limit</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">body</span> <span class="o">=</span> <span class="nx">z</span><span class="p">.</span><span class="nf">object</span><span class="p">({</span> <span class="na">email</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">email</span><span class="p">().</span><span class="nf">max</span><span class="p">(</span><span class="mi">254</span><span class="p">),</span> <span class="na">password</span><span class="p">:</span> <span class="nx">z</span> <span class="p">.</span><span class="nf">string</span><span class="p">()</span> <span class="p">.</span><span class="nf">min</span><span class="p">(</span><span class="mi">12</span><span class="p">)</span> <span class="p">.</span><span class="nf">max</span><span class="p">(</span><span class="mi">256</span><span class="p">)</span> <span class="p">.</span><span class="nf">regex</span><span class="p">(</span><span class="sr">/</span><span class="se">[</span><span class="sr">a-z</span><span class="se">]</span><span class="sr">/</span><span class="p">)</span> <span class="p">.</span><span class="nf">regex</span><span class="p">(</span><span class="sr">/</span><span class="se">[</span><span class="sr">A-Z</span><span class="se">]</span><span class="sr">/</span><span class="p">)</span> <span class="p">.</span><span class="nf">regex</span><span class="p">(</span><span class="sr">/</span><span class="se">[</span><span class="sr">0-9</span><span class="se">]</span><span class="sr">/</span><span class="p">),</span> <span class="p">});</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">POST</span><span class="p">(</span><span class="nx">req</span><span class="p">:</span> <span class="nx">NextRequest</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">ip</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">x-forwarded-for</span><span class="dl">"</span><span class="p">)</span> <span class="o">??</span> <span class="dl">"</span><span class="s2">unknown</span><span class="dl">"</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="k">await</span> <span class="nf">rateLimit</span><span class="p">(</span><span class="s2">`register:</span><span class="p">${</span><span class="nx">ip</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">{</span> <span class="na">max</span><span class="p">:</span> <span class="mi">3</span><span class="p">,</span> <span class="na">window</span><span class="p">:</span> <span class="mi">60</span> <span class="p">}))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">ok</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">parsed</span> <span class="o">=</span> <span class="nx">body</span><span class="p">.</span><span class="nf">safeParse</span><span class="p">(</span><span class="k">await</span> <span class="nx">req</span><span class="p">.</span><span class="nf">json</span><span class="p">());</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">parsed</span><span class="p">.</span><span class="nx">success</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">ok</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">email</span> <span class="o">=</span> <span class="nx">parsed</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">email</span><span class="p">.</span><span class="nf">toLowerCase</span><span class="p">().</span><span class="nf">trim</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">passwordHash</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">bcrypt</span><span class="p">.</span><span class="nf">hash</span><span class="p">(</span><span class="nx">parsed</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">password</span><span class="p">,</span> <span class="mi">12</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">existing</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">query</span><span class="p">.</span><span class="nx">users</span><span class="p">.</span><span class="nf">findFirst</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="nf">eq</span><span class="p">(</span><span class="nx">users</span><span class="p">.</span><span class="nx">email</span><span class="p">,</span> <span class="nx">email</span><span class="p">),</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="nx">existing</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">ok</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">user</span><span class="p">]</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span> <span class="p">.</span><span class="nf">insert</span><span class="p">(</span><span class="nx">users</span><span class="p">)</span> <span class="p">.</span><span class="nf">values</span><span class="p">({</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">passwordHash</span><span class="p">,</span> <span class="na">emailVerified</span><span class="p">:</span> <span class="kc">false</span> <span class="p">})</span> <span class="p">.</span><span class="nf">returning</span><span class="p">({</span> <span class="na">id</span><span class="p">:</span> <span class="nx">users</span><span class="p">.</span><span class="nx">id</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">raw</span> <span class="o">=</span> <span class="nf">randomBytes</span><span class="p">(</span><span class="mi">32</span><span class="p">).</span><span class="nf">toString</span><span class="p">(</span><span class="dl">"</span><span class="s2">base64url</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">tokenHash</span> <span class="o">=</span> <span class="nf">createHash</span><span class="p">(</span><span class="dl">"</span><span class="s2">sha256</span><span class="dl">"</span><span class="p">).</span><span class="nf">update</span><span class="p">(</span><span class="nx">raw</span><span class="p">).</span><span class="nf">digest</span><span class="p">(</span><span class="dl">"</span><span class="s2">hex</span><span class="dl">"</span><span class="p">);</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nf">insert</span><span class="p">(</span><span class="nx">emailVerificationTokens</span><span class="p">).</span><span class="nf">values</span><span class="p">({</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="nx">tokenHash</span><span class="p">,</span> <span class="na">expiresAt</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(</span><span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">+</span> <span class="mi">24</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">),</span> <span class="p">});</span> <span class="k">await</span> <span class="nf">sendVerificationEmail</span><span class="p">(</span><span class="nx">email</span><span class="p">,</span> <span class="nx">raw</span><span class="p">);</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">ok</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p>The thing people miss on this endpoint: every branch returns the same 200. Rate limit hit? 200. Email malformed? 200. User already exists? 200. The only thing that changes is whether an email gets sent.</p> <p>This is uncomfortable the first time you write it. You feel like you are hiding errors. You are. From attackers. The legitimate user gets the experience they expect: they click "Create account", they get told to check their email, and either they registered a new account or they already had one (in which case they can go log in or use the password reset flow).</p> <p>Put an "if you already have an account, log in" link on the confirmation page and this flow handles both paths gracefully.</p> <h2> The verification email </h2> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// lib/email.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Resend</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">resend</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">resend</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Resend</span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">RESEND_API_KEY</span><span class="o">!</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">APP_URL</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">APP_URL</span> <span class="o">??</span> <span class="dl">"</span><span class="s2">https://example.com</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">sendVerificationEmail</span><span class="p">(</span><span class="nx">to</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">rawToken</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">link</span> <span class="o">=</span> <span class="s2">`</span><span class="p">${</span><span class="nx">APP_URL</span><span class="p">}</span><span class="s2">/auth/verify?token=</span><span class="p">${</span><span class="nx">rawToken</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="k">await</span> <span class="nx">resend</span><span class="p">.</span><span class="nx">emails</span><span class="p">.</span><span class="nf">send</span><span class="p">({</span> <span class="na">from</span><span class="p">:</span> <span class="dl">"</span><span class="s2">hello@example.com</span><span class="dl">"</span><span class="p">,</span> <span class="nx">to</span><span class="p">,</span> <span class="na">subject</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Confirm your email</span><span class="dl">"</span><span class="p">,</span> <span class="na">html</span><span class="p">:</span> <span class="s2">` &lt;p&gt;Hi,&lt;/p&gt; &lt;p&gt;Click the link below to confirm your email and activate your account.&lt;/p&gt; &lt;p&gt;&lt;a href="</span><span class="p">${</span><span class="nx">link</span><span class="p">}</span><span class="s2">"&gt;Confirm email&lt;/a&gt;&lt;/p&gt; &lt;p&gt;This link expires in 24 hours. If you did not create an account, ignore this email.&lt;/p&gt; `</span><span class="p">,</span> <span class="na">text</span><span class="p">:</span> <span class="s2">`Confirm your email: </span><span class="p">${</span><span class="nx">link</span><span class="p">}</span><span class="s2">\n\nThis link expires in 24 hours. If you did not create an account, ignore this email.`</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p>Always include a plain text part. Gmail scores emails that only have HTML a little worse for spam, and some corporate clients only show the text version.</p> <p>The "If you did not create an account" line is critical. If someone else used this email to register, the real owner needs a way to know and a reason to ignore it.</p> <h2> The verification endpoint </h2> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/api/auth/verify/route.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NextRequest</span><span class="p">,</span> <span class="nx">NextResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">createHash</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">crypto</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">db</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@/db</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">users</span><span class="p">,</span> <span class="nx">emailVerificationTokens</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@/db/schema</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">and</span><span class="p">,</span> <span class="nx">eq</span><span class="p">,</span> <span class="nx">gt</span><span class="p">,</span> <span class="nx">isNull</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">drizzle-orm</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">GET</span><span class="p">(</span><span class="nx">req</span><span class="p">:</span> <span class="nx">NextRequest</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">nextUrl</span><span class="p">.</span><span class="nx">searchParams</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">token</span><span class="dl">"</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">token</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">redirect</span><span class="p">(</span> <span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="dl">"</span><span class="s2">/auth/verify-failed</span><span class="dl">"</span><span class="p">,</span> <span class="nx">req</span><span class="p">.</span><span class="nx">url</span><span class="p">),</span> <span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">tokenHash</span> <span class="o">=</span> <span class="nf">createHash</span><span class="p">(</span><span class="dl">"</span><span class="s2">sha256</span><span class="dl">"</span><span class="p">).</span><span class="nf">update</span><span class="p">(</span><span class="nx">token</span><span class="p">).</span><span class="nf">digest</span><span class="p">(</span><span class="dl">"</span><span class="s2">hex</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">row</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">query</span><span class="p">.</span><span class="nx">emailVerificationTokens</span><span class="p">.</span><span class="nf">findFirst</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="nf">and</span><span class="p">(</span> <span class="nf">eq</span><span class="p">(</span><span class="nx">emailVerificationTokens</span><span class="p">.</span><span class="nx">tokenHash</span><span class="p">,</span> <span class="nx">tokenHash</span><span class="p">),</span> <span class="nf">gt</span><span class="p">(</span><span class="nx">emailVerificationTokens</span><span class="p">.</span><span class="nx">expiresAt</span><span class="p">,</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">()),</span> <span class="nf">isNull</span><span class="p">(</span><span class="nx">emailVerificationTokens</span><span class="p">.</span><span class="nx">usedAt</span><span class="p">),</span> <span class="p">),</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">row</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">redirect</span><span class="p">(</span> <span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="dl">"</span><span class="s2">/auth/verify-failed</span><span class="dl">"</span><span class="p">,</span> <span class="nx">req</span><span class="p">.</span><span class="nx">url</span><span class="p">),</span> <span class="p">);</span> <span class="p">}</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nf">transaction</span><span class="p">(</span><span class="k">async </span><span class="p">(</span><span class="nx">tx</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">tx</span> <span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="nx">users</span><span class="p">)</span> <span class="p">.</span><span class="nf">set</span><span class="p">({</span> <span class="na">emailVerified</span><span class="p">:</span> <span class="kc">true</span> <span class="p">})</span> <span class="p">.</span><span class="nf">where</span><span class="p">(</span><span class="nf">eq</span><span class="p">(</span><span class="nx">users</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="nx">row</span><span class="p">.</span><span class="nx">userId</span><span class="p">));</span> <span class="k">await</span> <span class="nx">tx</span> <span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="nx">emailVerificationTokens</span><span class="p">)</span> <span class="p">.</span><span class="nf">set</span><span class="p">({</span> <span class="na">usedAt</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">()</span> <span class="p">})</span> <span class="p">.</span><span class="nf">where</span><span class="p">(</span><span class="nf">eq</span><span class="p">(</span><span class="nx">emailVerificationTokens</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="nx">row</span><span class="p">.</span><span class="nx">id</span><span class="p">));</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">redirect</span><span class="p">(</span><span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="dl">"</span><span class="s2">/auth/login?verified=1</span><span class="dl">"</span><span class="p">,</span> <span class="nx">req</span><span class="p">.</span><span class="nx">url</span><span class="p">));</span> <span class="p">}</span> </code></pre> </div> <p>Same pattern as the reset flow. Hash the incoming token, look it up, check expiry and used state, update in a transaction.</p> <p>We redirect to <code>/login?verified=1</code> rather than signing the user in automatically. You can argue either way. Signing them in is more convenient but means holding a valid verification link becomes equivalent to holding a password. Redirecting to login makes them prove they know the password. I default to the redirect.</p> <h2> Testing from the terminal </h2> <p>Before you ship, smoke test with curl:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Register a new user</span> <span class="nv">$ </span>curl <span class="nt">-i</span> <span class="nt">-X</span> POST http://localhost:3000/api/auth/register <span class="se">\</span> <span class="nt">-H</span> <span class="s1">'content-type: application/json'</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"email":"alice@example.com","password":"Correct-Horse-1"}'</span> HTTP/1.1 200 OK content-type: application/json <span class="o">{</span><span class="s2">"ok"</span>:true<span class="o">}</span> <span class="c"># Try to register the same email again. Same 200.</span> <span class="nv">$ </span>curl <span class="nt">-i</span> <span class="nt">-X</span> POST http://localhost:3000/api/auth/register <span class="se">\</span> <span class="nt">-H</span> <span class="s1">'content-type: application/json'</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"email":"alice@example.com","password":"Different-Horse-2"}'</span> HTTP/1.1 200 OK content-type: application/json <span class="o">{</span><span class="s2">"ok"</span>:true<span class="o">}</span> <span class="c"># Try a malformed email. Still 200.</span> <span class="nv">$ </span>curl <span class="nt">-i</span> <span class="nt">-X</span> POST http://localhost:3000/api/auth/register <span class="se">\</span> <span class="nt">-H</span> <span class="s1">'content-type: application/json'</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"email":"not-an-email","password":"Correct-Horse-1"}'</span> HTTP/1.1 200 OK content-type: application/json <span class="o">{</span><span class="s2">"ok"</span>:true<span class="o">}</span> <span class="c"># Fire the rate limit.</span> <span class="nv">$ </span><span class="k">for </span>i <span class="k">in</span> <span class="si">$(</span><span class="nb">seq </span>1 10<span class="si">)</span><span class="p">;</span> <span class="k">do </span>curl <span class="nt">-s</span> <span class="nt">-X</span> POST http://localhost:3000/api/auth/register <span class="se">\</span> <span class="nt">-H</span> <span class="s1">'content-type: application/json'</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s2">"{</span><span class="se">\"</span><span class="s2">email</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">burst</span><span class="k">${</span><span class="nv">i</span><span class="k">}</span><span class="s2">@example.com</span><span class="se">\"</span><span class="s2">,</span><span class="se">\"</span><span class="s2">password</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">Correct-Horse-1</span><span class="se">\"</span><span class="s2">}"</span> <span class="nb">echo </span><span class="k">done</span> </code></pre> </div> <p>If any of those return anything other than 200, you have an enumeration leak. Fix it before moving on.</p> <p>Check the database:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>psql <span class="nv">$DATABASE_URL</span> <span class="nt">-c</span> <span class="s2">"select id, email, email_verified from users;"</span> <span class="nb">id</span> | email | email_verified <span class="nt">----</span>+------------------+---------------- 1 | alice@example.com| f </code></pre> </div> <p>And the tokens:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>psql <span class="nv">$DATABASE_URL</span> <span class="nt">-c</span> <span class="s2">"select user_id, expires_at, used_at from email_verification_tokens;"</span> user_id | expires_at | used_at <span class="nt">---------</span>+--------------------------+--------- 1 | 2026-04-19 14:30:22+00 | null </code></pre> </div> <p>Now click the link in your email (or look in the Resend dashboard if you have not hooked up a real inbox):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>curl <span class="nt">-i</span> <span class="s2">"http://localhost:3000/api/auth/verify?token=THE_RAW_TOKEN_FROM_THE_EMAIL"</span> HTTP/1.1 302 Found location: /auth/login?verified<span class="o">=</span>1 </code></pre> </div> <p>Check the database again:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>psql <span class="nv">$DATABASE_URL</span> <span class="nt">-c</span> <span class="s2">"select email_verified from users where id = 1;"</span> email_verified <span class="nt">----------------</span> t </code></pre> </div> <p>That is the whole flow.</p> <h2> The same thing in kavachOS </h2> <p>If you do not want to write any of the code above, the <a href="https://kavachos.com" rel="noopener noreferrer">kavachOS</a> version is:</p> <h3> Install </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pnpm add kavachos @kavachos/nextjs pnpm kavachos migrate </code></pre> </div> <h3> Configure </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// auth.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">kavachos</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">kavachos</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">nextjsAdapter</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kavachos/nextjs</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">auth</span> <span class="o">=</span> <span class="nf">kavachos</span><span class="p">({</span> <span class="na">adapter</span><span class="p">:</span> <span class="nf">nextjsAdapter</span><span class="p">(),</span> <span class="na">database</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">DATABASE_URL</span><span class="o">!</span><span class="p">,</span> <span class="na">providers</span><span class="p">:</span> <span class="p">{</span> <span class="na">password</span><span class="p">:</span> <span class="p">{</span> <span class="na">minLength</span><span class="p">:</span> <span class="mi">12</span><span class="p">,</span> <span class="na">rules</span><span class="p">:</span> <span class="p">{</span> <span class="na">uppercase</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">lowercase</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">number</span><span class="p">:</span> <span class="kc">true</span> <span class="p">},</span> <span class="p">},</span> <span class="p">},</span> <span class="na">emailVerification</span><span class="p">:</span> <span class="p">{</span> <span class="na">required</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">tokenTTL</span><span class="p">:</span> <span class="dl">"</span><span class="s2">24h</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="na">email</span><span class="p">:</span> <span class="p">{</span> <span class="na">provider</span><span class="p">:</span> <span class="dl">"</span><span class="s2">resend</span><span class="dl">"</span><span class="p">,</span> <span class="na">apiKey</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">RESEND_API_KEY</span><span class="o">!</span><span class="p">,</span> <span class="na">from</span><span class="p">:</span> <span class="dl">"</span><span class="s2">hello@example.com</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <h3> Mount the routes </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/api/auth/[...kavachos]/route.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">auth</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@/auth</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">GET</span><span class="p">,</span> <span class="nx">POST</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">auth</span><span class="p">.</span><span class="nx">handlers</span><span class="p">;</span> </code></pre> </div> <h3> Use the register hook </h3> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// app/auth/register/page.tsx</span> <span class="dl">"</span><span class="s2">use client</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">useAuth</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@kavachos/nextjs</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">Register</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">register</span><span class="p">,</span> <span class="nx">pending</span><span class="p">,</span> <span class="nx">error</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">useAuth</span><span class="p">();</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nt">form</span> <span class="na">action</span><span class="p">=</span><span class="si">{</span><span class="nx">register</span><span class="si">}</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">input</span> <span class="na">name</span><span class="p">=</span><span class="s">"email"</span> <span class="na">type</span><span class="p">=</span><span class="s">"email"</span> <span class="na">required</span> <span class="p">/&gt;</span> <span class="p">&lt;</span><span class="nt">input</span> <span class="na">name</span><span class="p">=</span><span class="s">"password"</span> <span class="na">type</span><span class="p">=</span><span class="s">"password"</span> <span class="na">required</span> <span class="p">/&gt;</span> <span class="p">&lt;</span><span class="nt">button</span> <span class="na">disabled</span><span class="p">=</span><span class="si">{</span><span class="nx">pending</span><span class="si">}</span><span class="p">&gt;</span>Create account<span class="p">&lt;/</span><span class="nt">button</span><span class="p">&gt;</span> <span class="si">{</span><span class="nx">error</span> <span class="o">&amp;&amp;</span> <span class="p">&lt;</span><span class="nt">p</span><span class="p">&gt;</span><span class="si">{</span><span class="nx">error</span><span class="p">.</span><span class="nx">message</span><span class="si">}</span><span class="p">&lt;/</span><span class="nt">p</span><span class="p">&gt;</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nt">form</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>That is the whole thing. Email verification is on by default. The rate limits, the constant-time responses, the one-time-use tokens, all there. Docs at <a href="https://kavachos.com/docs/register" rel="noopener noreferrer">kavachos.com/docs/register</a>.</p> <h2> Three things I see go wrong in review </h2> <p><strong>Returning different statuses for known vs unknown emails.</strong> The fix is always 200. I know it feels wrong. Do it anyway.</p> <p><strong>Using <code>Math.random()</code> for the token.</strong> It is not cryptographic. It is a deterministic PRNG seeded from process start time. Use <code>crypto.randomBytes(32)</code>.</p> <p><strong>No rate limit on register.</strong> Register is one of the most abused endpoints because it costs you money (email sends) and attracts spam accounts. A hard limit of 3 per IP per minute is reasonable for humans and expensive for bots.</p> <h2> What is next </h2> <p>Article 04: the login flow. Session cookies, CSRF, remember me, and how to measure whether your timing is leaking. If you have been following along with the starter repo, run <code>git checkout 04-login</code> after article 4 ships.</p> <p>Comment with your hardest register bug. I will write it up as a bonus piece.</p> <p><em><a href="https://thegdsks.com" rel="noopener noreferrer">Gagan Deep Singh</a> builds open source tools at <a href="https://glincker.com" rel="noopener noreferrer">Glincker</a>. Currently working on <a href="https://kavachos.com" rel="noopener noreferrer">kavachOS</a> (open source auth for AI agents and humans) and <a href="https://askverdict.ai" rel="noopener noreferrer">AskVerdict</a> (multi-model AI verdicts).</em></p> <p><em>If this was useful, follow me on <a href="https://dev.to/thegdsks">Dev.to</a> or <a href="https://x.com/thegdsks" rel="noopener noreferrer">X</a> where I post weekly.</em></p> nextjs authentication webdev tutorial GDS K S Sat, 18 Apr 2026 20:30:50 +0000 https://dev.to/thegdsks/the-8-tables-behind-a-real-auth-system-postgres-schema-explained-column-by-column-4g6o https://dev.to/thegdsks/the-8-tables-behind-a-real-auth-system-postgres-schema-explained-column-by-column-4g6o <p>This is day 2 of the series. Yesterday I showed the architecture diagram. Today we are looking at the database that sits underneath it. Every table, every column, every index, and the reason each one exists.</p> <p>If you are following with <a href="https://kavachos.com" rel="noopener noreferrer">kavachOS</a>, <code>pnpm kavachos migrate</code> creates all of this for you, and you can skim the article to understand what is in your database. If you are building it yourself, this is your schema.</p> <h2> The shape at a glance </h2> <p>Eight tables. One user-centric join key. No fancy polymorphic associations. No stored procedures. It stays boring on purpose.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> +-----------+ | users | +-----+-----+ | +-------------+---------+---------+----------------+-----------+ | | | | | | v v v v v v +----------+ +----------+ +--------+ +-----------+ +-----------+ +-----------+ | sessions | | oauth_ | | reset | | magic_ | | email_ | | agent_ | | | | accounts| | tokens| | link_ | | verif_ | | tokens | | | | | | | | tokens | | tokens | | | +----------+ +----------+ +--------+ +-----------+ +-----------+ +-----------+ +-----------+ | passkeys | +-----------+ </code></pre> </div> <p>Every table has a <code>user_id</code> foreign key back to <code>users</code> and an <code>on delete cascade</code>. If you delete a user, everything goes. No orphans. No manual cleanup jobs.</p> <h2> Postgres, and the extensions you want on </h2> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">create</span> <span class="n">extension</span> <span class="n">if</span> <span class="k">not</span> <span class="k">exists</span> <span class="nv">"uuid-ossp"</span><span class="p">;</span> <span class="k">create</span> <span class="n">extension</span> <span class="n">if</span> <span class="k">not</span> <span class="k">exists</span> <span class="nv">"citext"</span><span class="p">;</span> <span class="k">create</span> <span class="n">extension</span> <span class="n">if</span> <span class="k">not</span> <span class="k">exists</span> <span class="nv">"pgcrypto"</span><span class="p">;</span> </code></pre> </div> <p>Three of them, and each earns its keep.</p> <p><strong>citext</strong>: case-insensitive text. The moment you use it for email, <code>Alice@Example.com</code> and <code>alice@example.com</code> collide on the unique constraint. Without it, you will discover the bug when a customer complains that they cannot log in with the same email they signed up with because they capitalized it differently.</p> <p><strong>pgcrypto</strong>: gives you <code>gen_random_uuid()</code> for default UUID values, and <code>digest()</code> if you ever want to hash in the database (I do not, but it is there).</p> <p><strong>uuid-ossp</strong>: only if you want <code>uuid_generate_v4()</code> the old way. pgcrypto covers this, you can skip uuid-ossp if you want. I include it because older migrations assume it.</p> <h2> The <code>users</code> table </h2> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">create</span> <span class="k">table</span> <span class="n">users</span> <span class="p">(</span> <span class="n">id</span> <span class="n">bigserial</span> <span class="k">primary</span> <span class="k">key</span><span class="p">,</span> <span class="n">email</span> <span class="n">citext</span> <span class="k">not</span> <span class="k">null</span> <span class="k">unique</span><span class="p">,</span> <span class="n">password_hash</span> <span class="nb">text</span><span class="p">,</span> <span class="n">email_verified</span> <span class="nb">boolean</span> <span class="k">not</span> <span class="k">null</span> <span class="k">default</span> <span class="k">false</span><span class="p">,</span> <span class="n">failed_login_attempts</span> <span class="nb">int</span> <span class="k">not</span> <span class="k">null</span> <span class="k">default</span> <span class="mi">0</span><span class="p">,</span> <span class="n">locked_until</span> <span class="n">timestamptz</span><span class="p">,</span> <span class="n">last_login_at</span> <span class="n">timestamptz</span><span class="p">,</span> <span class="n">created_at</span> <span class="n">timestamptz</span> <span class="k">not</span> <span class="k">null</span> <span class="k">default</span> <span class="n">now</span><span class="p">(),</span> <span class="n">updated_at</span> <span class="n">timestamptz</span> <span class="k">not</span> <span class="k">null</span> <span class="k">default</span> <span class="n">now</span><span class="p">()</span> <span class="p">);</span> <span class="k">create</span> <span class="k">index</span> <span class="n">idx_users_email</span> <span class="k">on</span> <span class="n">users</span> <span class="p">(</span><span class="n">email</span><span class="p">);</span> </code></pre> </div> <p>A few decisions worth explaining.</p> <p><strong><code>bigserial</code> over <code>uuid</code>.</strong> A <code>bigserial</code> is 8 bytes, an indexed lookup is fast, and it sorts cleanly by creation order. A UUID is 16 bytes, the primary key index is larger, and on older Postgres versions random UUIDs cause B-tree bloat. If you are going to expose IDs in URLs, use a separate <code>public_id</code> column that is a UUID or a slug, and keep <code>id</code> as a bigserial for joins. Best of both.</p> <p><strong><code>password_hash</code> is nullable.</strong> A user who signs up via Google OAuth never sets a password. A nullable <code>password_hash</code> means no password login is possible for that user until they explicitly set one. If you make it NOT NULL you need a sentinel value and now you have a bug waiting to happen.</p> <p><strong><code>failed_login_attempts</code> and <code>locked_until</code>.</strong> These support account lockout after N failed attempts in a window. Some teams hate this (users get locked out and complain). I default to "lock after 10 failures in 10 minutes" which is almost invisible to humans and useful against credential stuffing.</p> <p><strong><code>citext</code> on email.</strong> Already covered. Do it.</p> <h2> The <code>sessions</code> table </h2> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">create</span> <span class="k">table</span> <span class="n">sessions</span> <span class="p">(</span> <span class="n">id</span> <span class="n">bigserial</span> <span class="k">primary</span> <span class="k">key</span><span class="p">,</span> <span class="n">user_id</span> <span class="nb">bigint</span> <span class="k">not</span> <span class="k">null</span> <span class="k">references</span> <span class="n">users</span><span class="p">(</span><span class="n">id</span><span class="p">)</span> <span class="k">on</span> <span class="k">delete</span> <span class="k">cascade</span><span class="p">,</span> <span class="n">token_hash</span> <span class="nb">text</span> <span class="k">not</span> <span class="k">null</span> <span class="k">unique</span><span class="p">,</span> <span class="n">expires_at</span> <span class="n">timestamptz</span> <span class="k">not</span> <span class="k">null</span><span class="p">,</span> <span class="n">last_used_at</span> <span class="n">timestamptz</span> <span class="k">not</span> <span class="k">null</span> <span class="k">default</span> <span class="n">now</span><span class="p">(),</span> <span class="n">user_agent</span> <span class="nb">text</span><span class="p">,</span> <span class="n">ip_address</span> <span class="n">inet</span><span class="p">,</span> <span class="n">created_at</span> <span class="n">timestamptz</span> <span class="k">not</span> <span class="k">null</span> <span class="k">default</span> <span class="n">now</span><span class="p">()</span> <span class="p">);</span> <span class="k">create</span> <span class="k">index</span> <span class="n">idx_sessions_user</span> <span class="k">on</span> <span class="n">sessions</span> <span class="p">(</span><span class="n">user_id</span><span class="p">);</span> <span class="k">create</span> <span class="k">index</span> <span class="n">idx_sessions_expires</span> <span class="k">on</span> <span class="n">sessions</span> <span class="p">(</span><span class="n">expires_at</span><span class="p">);</span> <span class="k">create</span> <span class="k">index</span> <span class="n">idx_sessions_last_used</span> <span class="k">on</span> <span class="n">sessions</span> <span class="p">(</span><span class="n">last_used_at</span><span class="p">);</span> </code></pre> </div> <p><strong><code>token_hash</code>, not <code>token</code>.</strong> Same rule as every other token in this schema. You store the SHA-256 of the cookie value. If the database leaks, the leaked rows are useless.</p> <p><strong><code>user_agent</code> and <code>ip_address</code> are for display only.</strong> Do not tie session validity to either. Phone carriers rotate IPs, browsers update user agents, you will end up signing users out at random.</p> <p><strong><code>inet</code> type for <code>ip_address</code>.</strong> Postgres has a native IP type. It handles IPv4 and IPv6, it indexes correctly, and it is smaller than the equivalent text column. No reason to use text here.</p> <p><strong>The index on <code>last_used_at</code>.</strong> You will want this the first time a user opens the "active sessions" screen and sees 40 rows. An index lets you order by recency cheaply.</p> <h2> The <code>oauth_accounts</code> table </h2> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">create</span> <span class="k">table</span> <span class="n">oauth_accounts</span> <span class="p">(</span> <span class="n">id</span> <span class="n">bigserial</span> <span class="k">primary</span> <span class="k">key</span><span class="p">,</span> <span class="n">user_id</span> <span class="nb">bigint</span> <span class="k">not</span> <span class="k">null</span> <span class="k">references</span> <span class="n">users</span><span class="p">(</span><span class="n">id</span><span class="p">)</span> <span class="k">on</span> <span class="k">delete</span> <span class="k">cascade</span><span class="p">,</span> <span class="n">provider</span> <span class="nb">text</span> <span class="k">not</span> <span class="k">null</span><span class="p">,</span> <span class="n">provider_uid</span> <span class="nb">text</span> <span class="k">not</span> <span class="k">null</span><span class="p">,</span> <span class="n">access_token</span> <span class="nb">text</span><span class="p">,</span> <span class="n">refresh_token</span> <span class="nb">text</span><span class="p">,</span> <span class="n">expires_at</span> <span class="n">timestamptz</span><span class="p">,</span> <span class="k">scope</span> <span class="nb">text</span><span class="p">,</span> <span class="n">created_at</span> <span class="n">timestamptz</span> <span class="k">not</span> <span class="k">null</span> <span class="k">default</span> <span class="n">now</span><span class="p">(),</span> <span class="n">updated_at</span> <span class="n">timestamptz</span> <span class="k">not</span> <span class="k">null</span> <span class="k">default</span> <span class="n">now</span><span class="p">(),</span> <span class="k">unique</span> <span class="p">(</span><span class="n">provider</span><span class="p">,</span> <span class="n">provider_uid</span><span class="p">)</span> <span class="p">);</span> <span class="k">create</span> <span class="k">index</span> <span class="n">idx_oauth_user</span> <span class="k">on</span> <span class="n">oauth_accounts</span> <span class="p">(</span><span class="n">user_id</span><span class="p">);</span> </code></pre> </div> <p><strong>The <code>(provider, provider_uid)</code> unique constraint.</strong> This is the identity of the OAuth account. A Google account with sub <code>1234</code> is the same account no matter how many times it connects. Without this constraint you can end up creating duplicate users every time someone clicks "Sign in with Google".</p> <p><strong><code>access_token</code> and <code>refresh_token</code> as text, not encrypted.</strong> I know some people want to encrypt these at rest. If you do, use application-level encryption with a KMS-managed key, not Postgres encryption (which is disk-level and does not help against a compromised database user). For most side projects, the risk calculus does not justify the operational cost.</p> <p><strong>Why <code>scope</code> as text instead of an array?</strong> You can, but you almost never query for "all accounts with scope X". Storing the original space-separated scope string is simpler and preserves what the provider actually granted.</p> <h2> The <code>password_reset_tokens</code> table </h2> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">create</span> <span class="k">table</span> <span class="n">password_reset_tokens</span> <span class="p">(</span> <span class="n">id</span> <span class="n">bigserial</span> <span class="k">primary</span> <span class="k">key</span><span class="p">,</span> <span class="n">user_id</span> <span class="nb">bigint</span> <span class="k">not</span> <span class="k">null</span> <span class="k">references</span> <span class="n">users</span><span class="p">(</span><span class="n">id</span><span class="p">)</span> <span class="k">on</span> <span class="k">delete</span> <span class="k">cascade</span><span class="p">,</span> <span class="n">token_hash</span> <span class="nb">text</span> <span class="k">not</span> <span class="k">null</span> <span class="k">unique</span><span class="p">,</span> <span class="n">expires_at</span> <span class="n">timestamptz</span> <span class="k">not</span> <span class="k">null</span><span class="p">,</span> <span class="n">used_at</span> <span class="n">timestamptz</span><span class="p">,</span> <span class="n">created_at</span> <span class="n">timestamptz</span> <span class="k">not</span> <span class="k">null</span> <span class="k">default</span> <span class="n">now</span><span class="p">()</span> <span class="p">);</span> <span class="k">create</span> <span class="k">index</span> <span class="n">idx_prt_user_unused</span> <span class="k">on</span> <span class="n">password_reset_tokens</span> <span class="p">(</span><span class="n">user_id</span><span class="p">)</span> <span class="k">where</span> <span class="n">used_at</span> <span class="k">is</span> <span class="k">null</span><span class="p">;</span> <span class="k">create</span> <span class="k">index</span> <span class="n">idx_prt_expires</span> <span class="k">on</span> <span class="n">password_reset_tokens</span> <span class="p">(</span><span class="n">expires_at</span><span class="p">);</span> </code></pre> </div> <p><strong>Partial index on unused tokens.</strong> The lookup during a reset is "find the unused token for this user that matches this hash". A partial index where <code>used_at is null</code> is smaller and faster than a full one, because used tokens never participate in the lookup.</p> <p><strong><code>token_hash</code> is unique.</strong> The odds of a random 32-byte token colliding are effectively zero, but the unique constraint gives you a free integrity check and a better error message if your random number generator ever breaks.</p> <p><strong><code>used_at</code> is nullable.</strong> On successful reset, set it to <code>now()</code>. The verification query checks <code>used_at is null</code>, so a single row can be used exactly once. This is the whole one-time-use property.</p> <h2> The <code>magic_link_tokens</code> table </h2> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">create</span> <span class="k">table</span> <span class="n">magic_link_tokens</span> <span class="p">(</span> <span class="n">id</span> <span class="n">bigserial</span> <span class="k">primary</span> <span class="k">key</span><span class="p">,</span> <span class="n">user_id</span> <span class="nb">bigint</span> <span class="k">references</span> <span class="n">users</span><span class="p">(</span><span class="n">id</span><span class="p">)</span> <span class="k">on</span> <span class="k">delete</span> <span class="k">cascade</span><span class="p">,</span> <span class="n">email</span> <span class="n">citext</span> <span class="k">not</span> <span class="k">null</span><span class="p">,</span> <span class="n">token_hash</span> <span class="nb">text</span> <span class="k">not</span> <span class="k">null</span> <span class="k">unique</span><span class="p">,</span> <span class="n">expires_at</span> <span class="n">timestamptz</span> <span class="k">not</span> <span class="k">null</span><span class="p">,</span> <span class="n">used_at</span> <span class="n">timestamptz</span><span class="p">,</span> <span class="n">created_at</span> <span class="n">timestamptz</span> <span class="k">not</span> <span class="k">null</span> <span class="k">default</span> <span class="n">now</span><span class="p">()</span> <span class="p">);</span> <span class="k">create</span> <span class="k">index</span> <span class="n">idx_mlt_email</span> <span class="k">on</span> <span class="n">magic_link_tokens</span> <span class="p">(</span><span class="n">email</span><span class="p">);</span> <span class="k">create</span> <span class="k">index</span> <span class="n">idx_mlt_expires</span> <span class="k">on</span> <span class="n">magic_link_tokens</span> <span class="p">(</span><span class="n">expires_at</span><span class="p">);</span> </code></pre> </div> <p><strong><code>user_id</code> is nullable.</strong> A magic link can be sent to an email that does not yet have an account. On click, the system either signs in the existing user or creates a new one. Nullable <code>user_id</code> lets you create the token before the user exists.</p> <p><strong><code>email</code> is stored directly.</strong> Redundant if the user exists, but necessary for the new-user case. Keep it.</p> <h2> The <code>email_verification_tokens</code> table </h2> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">create</span> <span class="k">table</span> <span class="n">email_verification_tokens</span> <span class="p">(</span> <span class="n">id</span> <span class="n">bigserial</span> <span class="k">primary</span> <span class="k">key</span><span class="p">,</span> <span class="n">user_id</span> <span class="nb">bigint</span> <span class="k">not</span> <span class="k">null</span> <span class="k">references</span> <span class="n">users</span><span class="p">(</span><span class="n">id</span><span class="p">)</span> <span class="k">on</span> <span class="k">delete</span> <span class="k">cascade</span><span class="p">,</span> <span class="n">token_hash</span> <span class="nb">text</span> <span class="k">not</span> <span class="k">null</span> <span class="k">unique</span><span class="p">,</span> <span class="n">expires_at</span> <span class="n">timestamptz</span> <span class="k">not</span> <span class="k">null</span><span class="p">,</span> <span class="n">used_at</span> <span class="n">timestamptz</span><span class="p">,</span> <span class="n">created_at</span> <span class="n">timestamptz</span> <span class="k">not</span> <span class="k">null</span> <span class="k">default</span> <span class="n">now</span><span class="p">()</span> <span class="p">);</span> <span class="k">create</span> <span class="k">index</span> <span class="n">idx_evt_user_unused</span> <span class="k">on</span> <span class="n">email_verification_tokens</span> <span class="p">(</span><span class="n">user_id</span><span class="p">)</span> <span class="k">where</span> <span class="n">used_at</span> <span class="k">is</span> <span class="k">null</span><span class="p">;</span> </code></pre> </div> <p>This table is almost identical to <code>password_reset_tokens</code>. Two observations.</p> <p>Why not combine them into one <code>tokens</code> table with a <code>type</code> column? You can, and some libraries do. I keep them separate because the access patterns differ (reset tokens expire in 15 minutes, verification tokens in 24 hours), the cleanup jobs run at different cadences, and splitting them keeps each table small and easy to reason about. A <code>type</code> column also means every query has a <code>where type = ...</code> clause, which is easy to forget.</p> <p><strong>The 24 hour expiry is intentional.</strong> A password reset window needs to be short because the blast radius is high. An email verification window is lower risk (the worst case is a user cannot activate their account) so the window is longer.</p> <h2> The <code>passkeys</code> table </h2> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">create</span> <span class="k">table</span> <span class="n">passkeys</span> <span class="p">(</span> <span class="n">id</span> <span class="n">bigserial</span> <span class="k">primary</span> <span class="k">key</span><span class="p">,</span> <span class="n">user_id</span> <span class="nb">bigint</span> <span class="k">not</span> <span class="k">null</span> <span class="k">references</span> <span class="n">users</span><span class="p">(</span><span class="n">id</span><span class="p">)</span> <span class="k">on</span> <span class="k">delete</span> <span class="k">cascade</span><span class="p">,</span> <span class="n">credential_id</span> <span class="nb">text</span> <span class="k">not</span> <span class="k">null</span> <span class="k">unique</span><span class="p">,</span> <span class="n">public_key</span> <span class="n">bytea</span> <span class="k">not</span> <span class="k">null</span><span class="p">,</span> <span class="n">counter</span> <span class="nb">bigint</span> <span class="k">not</span> <span class="k">null</span> <span class="k">default</span> <span class="mi">0</span><span class="p">,</span> <span class="n">transports</span> <span class="nb">text</span><span class="p">[],</span> <span class="n">name</span> <span class="nb">text</span><span class="p">,</span> <span class="n">last_used_at</span> <span class="n">timestamptz</span><span class="p">,</span> <span class="n">created_at</span> <span class="n">timestamptz</span> <span class="k">not</span> <span class="k">null</span> <span class="k">default</span> <span class="n">now</span><span class="p">()</span> <span class="p">);</span> <span class="k">create</span> <span class="k">index</span> <span class="n">idx_passkeys_user</span> <span class="k">on</span> <span class="n">passkeys</span> <span class="p">(</span><span class="n">user_id</span><span class="p">);</span> <span class="k">create</span> <span class="k">index</span> <span class="n">idx_passkeys_cred</span> <span class="k">on</span> <span class="n">passkeys</span> <span class="p">(</span><span class="n">credential_id</span><span class="p">);</span> </code></pre> </div> <p><strong><code>credential_id</code> is the WebAuthn identifier.</strong> It comes back from the browser during registration. We store it as base64url text. The unique constraint prevents the same key from being registered twice.</p> <p><strong><code>public_key</code> as <code>bytea</code>.</strong> The key material is binary. Use the native bytea type, not text. It is smaller and does not require decoding on every verification.</p> <p><strong><code>counter</code> starts at 0 and increments on each use.</strong> The WebAuthn spec uses this as a cloning detection signal. If an assertion comes in with a counter lower than the last-seen value, the authenticator has been cloned. Handle that case by invalidating the credential.</p> <p><strong><code>transports</code> as <code>text[]</code>.</strong> The browser tells you which transports the authenticator supports (usb, nfc, ble, internal, hybrid). Storing them lets you pass the right set back to the browser on the next authentication, which speeds up the UX.</p> <p><strong><code>name</code> is user-supplied.</strong> Let users name their passkeys ("Work laptop", "Phone"). When they lose a device, this is how they find the right row to revoke.</p> <h2> The <code>agent_tokens</code> table </h2> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">create</span> <span class="k">table</span> <span class="n">agent_tokens</span> <span class="p">(</span> <span class="n">id</span> <span class="n">bigserial</span> <span class="k">primary</span> <span class="k">key</span><span class="p">,</span> <span class="n">user_id</span> <span class="nb">bigint</span> <span class="k">not</span> <span class="k">null</span> <span class="k">references</span> <span class="n">users</span><span class="p">(</span><span class="n">id</span><span class="p">)</span> <span class="k">on</span> <span class="k">delete</span> <span class="k">cascade</span><span class="p">,</span> <span class="n">token_hash</span> <span class="nb">text</span> <span class="k">not</span> <span class="k">null</span> <span class="k">unique</span><span class="p">,</span> <span class="n">name</span> <span class="nb">text</span><span class="p">,</span> <span class="n">permissions</span> <span class="nb">text</span><span class="p">[]</span> <span class="k">not</span> <span class="k">null</span> <span class="k">default</span> <span class="s1">'{}'</span><span class="p">,</span> <span class="n">expires_at</span> <span class="n">timestamptz</span><span class="p">,</span> <span class="n">last_used_at</span> <span class="n">timestamptz</span><span class="p">,</span> <span class="n">revoked_at</span> <span class="n">timestamptz</span><span class="p">,</span> <span class="n">created_at</span> <span class="n">timestamptz</span> <span class="k">not</span> <span class="k">null</span> <span class="k">default</span> <span class="n">now</span><span class="p">()</span> <span class="p">);</span> <span class="k">create</span> <span class="k">index</span> <span class="n">idx_agent_user</span> <span class="k">on</span> <span class="n">agent_tokens</span> <span class="p">(</span><span class="n">user_id</span><span class="p">);</span> <span class="k">create</span> <span class="k">index</span> <span class="n">idx_agent_active</span> <span class="k">on</span> <span class="n">agent_tokens</span> <span class="p">(</span><span class="n">user_id</span><span class="p">)</span> <span class="k">where</span> <span class="n">revoked_at</span> <span class="k">is</span> <span class="k">null</span><span class="p">;</span> </code></pre> </div> <p>This is the new one. The agent token system is how scripts, cron jobs, and AI agents authenticate on behalf of a user. Article 11 goes deep on this.</p> <p><strong><code>permissions</code> as a text array.</strong> Something like <code>{reports:read, invoices:write}</code>. Granular enough to be useful, simple enough to reason about. You can upgrade to a real scope/policy engine later.</p> <p><strong><code>expires_at</code> is nullable.</strong> Some agent tokens live forever (long-running bots). Most should have an expiry. Treat nullable as "no expiry" and document it clearly.</p> <p><strong><code>revoked_at</code> is separate from <code>expires_at</code>.</strong> Revocation is explicit. Expiry is passive. Different signals, different columns.</p> <h2> Drizzle schema (TypeScript) </h2> <p>If you are using Drizzle ORM, here is the whole thing in one file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// db/schema.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">bigserial</span><span class="p">,</span> <span class="nx">bigint</span><span class="p">,</span> <span class="nx">boolean</span><span class="p">,</span> <span class="nx">inet</span><span class="p">,</span> <span class="nx">integer</span><span class="p">,</span> <span class="nx">pgTable</span><span class="p">,</span> <span class="nx">text</span><span class="p">,</span> <span class="nx">timestamp</span><span class="p">,</span> <span class="nx">bytea</span><span class="p">,</span> <span class="nx">unique</span><span class="p">,</span> <span class="nx">index</span><span class="p">,</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">drizzle-orm/pg-core</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">citext</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./citext</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">users</span> <span class="o">=</span> <span class="nf">pgTable</span><span class="p">(</span> <span class="dl">"</span><span class="s2">users</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nf">bigserial</span><span class="p">(</span><span class="dl">"</span><span class="s2">id</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">mode</span><span class="p">:</span> <span class="dl">"</span><span class="s2">number</span><span class="dl">"</span> <span class="p">}).</span><span class="nf">primaryKey</span><span class="p">(),</span> <span class="na">email</span><span class="p">:</span> <span class="nf">citext</span><span class="p">(</span><span class="dl">"</span><span class="s2">email</span><span class="dl">"</span><span class="p">).</span><span class="nf">notNull</span><span class="p">().</span><span class="nf">unique</span><span class="p">(),</span> <span class="na">passwordHash</span><span class="p">:</span> <span class="nf">text</span><span class="p">(</span><span class="dl">"</span><span class="s2">password_hash</span><span class="dl">"</span><span class="p">),</span> <span class="na">emailVerified</span><span class="p">:</span> <span class="nf">boolean</span><span class="p">(</span><span class="dl">"</span><span class="s2">email_verified</span><span class="dl">"</span><span class="p">).</span><span class="nf">notNull</span><span class="p">().</span><span class="k">default</span><span class="p">(</span><span class="kc">false</span><span class="p">),</span> <span class="na">failedLoginAttempts</span><span class="p">:</span> <span class="nf">integer</span><span class="p">(</span><span class="dl">"</span><span class="s2">failed_login_attempts</span><span class="dl">"</span><span class="p">).</span><span class="nf">notNull</span><span class="p">().</span><span class="k">default</span><span class="p">(</span><span class="mi">0</span><span class="p">),</span> <span class="na">lockedUntil</span><span class="p">:</span> <span class="nf">timestamp</span><span class="p">(</span><span class="dl">"</span><span class="s2">locked_until</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">withTimezone</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}),</span> <span class="na">lastLoginAt</span><span class="p">:</span> <span class="nf">timestamp</span><span class="p">(</span><span class="dl">"</span><span class="s2">last_login_at</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">withTimezone</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}),</span> <span class="na">createdAt</span><span class="p">:</span> <span class="nf">timestamp</span><span class="p">(</span><span class="dl">"</span><span class="s2">created_at</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">withTimezone</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}).</span><span class="nf">notNull</span><span class="p">().</span><span class="nf">defaultNow</span><span class="p">(),</span> <span class="na">updatedAt</span><span class="p">:</span> <span class="nf">timestamp</span><span class="p">(</span><span class="dl">"</span><span class="s2">updated_at</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">withTimezone</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}).</span><span class="nf">notNull</span><span class="p">().</span><span class="nf">defaultNow</span><span class="p">(),</span> <span class="p">},</span> <span class="p">(</span><span class="nx">t</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">({</span> <span class="na">emailIdx</span><span class="p">:</span> <span class="nf">index</span><span class="p">(</span><span class="dl">"</span><span class="s2">idx_users_email</span><span class="dl">"</span><span class="p">).</span><span class="nf">on</span><span class="p">(</span><span class="nx">t</span><span class="p">.</span><span class="nx">email</span><span class="p">)</span> <span class="p">}),</span> <span class="p">);</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">sessions</span> <span class="o">=</span> <span class="nf">pgTable</span><span class="p">(</span> <span class="dl">"</span><span class="s2">sessions</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nf">bigserial</span><span class="p">(</span><span class="dl">"</span><span class="s2">id</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">mode</span><span class="p">:</span> <span class="dl">"</span><span class="s2">number</span><span class="dl">"</span> <span class="p">}).</span><span class="nf">primaryKey</span><span class="p">(),</span> <span class="na">userId</span><span class="p">:</span> <span class="nf">bigint</span><span class="p">(</span><span class="dl">"</span><span class="s2">user_id</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">mode</span><span class="p">:</span> <span class="dl">"</span><span class="s2">number</span><span class="dl">"</span> <span class="p">})</span> <span class="p">.</span><span class="nf">notNull</span><span class="p">()</span> <span class="p">.</span><span class="nf">references</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="nx">users</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="p">{</span> <span class="na">onDelete</span><span class="p">:</span> <span class="dl">"</span><span class="s2">cascade</span><span class="dl">"</span> <span class="p">}),</span> <span class="na">tokenHash</span><span class="p">:</span> <span class="nf">text</span><span class="p">(</span><span class="dl">"</span><span class="s2">token_hash</span><span class="dl">"</span><span class="p">).</span><span class="nf">notNull</span><span class="p">().</span><span class="nf">unique</span><span class="p">(),</span> <span class="na">expiresAt</span><span class="p">:</span> <span class="nf">timestamp</span><span class="p">(</span><span class="dl">"</span><span class="s2">expires_at</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">withTimezone</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}).</span><span class="nf">notNull</span><span class="p">(),</span> <span class="na">lastUsedAt</span><span class="p">:</span> <span class="nf">timestamp</span><span class="p">(</span><span class="dl">"</span><span class="s2">last_used_at</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">withTimezone</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}).</span><span class="nf">notNull</span><span class="p">().</span><span class="nf">defaultNow</span><span class="p">(),</span> <span class="na">userAgent</span><span class="p">:</span> <span class="nf">text</span><span class="p">(</span><span class="dl">"</span><span class="s2">user_agent</span><span class="dl">"</span><span class="p">),</span> <span class="na">ipAddress</span><span class="p">:</span> <span class="nf">inet</span><span class="p">(</span><span class="dl">"</span><span class="s2">ip_address</span><span class="dl">"</span><span class="p">),</span> <span class="na">createdAt</span><span class="p">:</span> <span class="nf">timestamp</span><span class="p">(</span><span class="dl">"</span><span class="s2">created_at</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">withTimezone</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}).</span><span class="nf">notNull</span><span class="p">().</span><span class="nf">defaultNow</span><span class="p">(),</span> <span class="p">},</span> <span class="p">(</span><span class="nx">t</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">({</span> <span class="na">userIdx</span><span class="p">:</span> <span class="nf">index</span><span class="p">(</span><span class="dl">"</span><span class="s2">idx_sessions_user</span><span class="dl">"</span><span class="p">).</span><span class="nf">on</span><span class="p">(</span><span class="nx">t</span><span class="p">.</span><span class="nx">userId</span><span class="p">),</span> <span class="na">expiresIdx</span><span class="p">:</span> <span class="nf">index</span><span class="p">(</span><span class="dl">"</span><span class="s2">idx_sessions_expires</span><span class="dl">"</span><span class="p">).</span><span class="nf">on</span><span class="p">(</span><span class="nx">t</span><span class="p">.</span><span class="nx">expiresAt</span><span class="p">),</span> <span class="na">lastUsedIdx</span><span class="p">:</span> <span class="nf">index</span><span class="p">(</span><span class="dl">"</span><span class="s2">idx_sessions_last_used</span><span class="dl">"</span><span class="p">).</span><span class="nf">on</span><span class="p">(</span><span class="nx">t</span><span class="p">.</span><span class="nx">lastUsedAt</span><span class="p">),</span> <span class="p">}),</span> <span class="p">);</span> <span class="c1">// ...same pattern for the other 6 tables, omitted for space</span> </code></pre> </div> <p>The Drizzle <code>citext</code> helper is a tiny file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// db/citext.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">customType</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">drizzle-orm/pg-core</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">citext</span> <span class="o">=</span> <span class="nx">customType</span><span class="o">&lt;</span><span class="p">{</span> <span class="na">data</span><span class="p">:</span> <span class="kr">string</span> <span class="p">}</span><span class="o">&gt;</span><span class="p">({</span> <span class="na">dataType</span><span class="p">:</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="dl">"</span><span class="s2">citext</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <p>Full schema with all 8 tables is in the starter repo at <a href="https://github.com/kavachos/nextjs-auth-from-scratch" rel="noopener noreferrer">github.com/kavachos/nextjs-auth-from-scratch</a> on the <code>02-schema</code> branch.</p> <h2> Running the migrations </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>pnpm drizzle-kit generate ✓ Your SQL migrations file saved to drizzle/0000_initial.sql <span class="nv">$ </span>pnpm drizzle-kit push Pulling schema from database... Changes applied: <span class="nb">users</span> <span class="o">[</span>+] 9 columns sessions <span class="o">[</span>+] 8 columns oauth_accounts <span class="o">[</span>+] 10 columns password_reset_tokens <span class="o">[</span>+] 6 columns magic_link_tokens <span class="o">[</span>+] 7 columns email_verification_tokens[+] 6 columns passkeys <span class="o">[</span>+] 9 columns agent_tokens <span class="o">[</span>+] 9 columns </code></pre> </div> <p>Verify it all landed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>psql <span class="nv">$DATABASE_URL</span> <span class="nt">-c</span> <span class="s2">"</span><span class="se">\d</span><span class="s2">t"</span> List of relations Schema | Name | Type | Owner <span class="nt">--------</span>+---------------------------+-------+-------- public | agent_tokens | table | postgres public | email_verification_tokens | table | postgres public | magic_link_tokens | table | postgres public | oauth_accounts | table | postgres public | passkeys | table | postgres public | password_reset_tokens | table | postgres public | sessions | table | postgres public | <span class="nb">users</span> | table | postgres <span class="o">(</span>8 rows<span class="o">)</span> </code></pre> </div> <p>And the indexes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>psql <span class="nv">$DATABASE_URL</span> <span class="nt">-c</span> <span class="s2">"</span><span class="se">\d</span><span class="s2">i"</span> List of relations Schema | Name | Type | Table <span class="nt">--------</span>+-------------------------------+-------+--------- public | idx_agent_active | index | agent_tokens public | idx_agent_user | index | agent_tokens public | idx_evt_user_unused | index | email_verification_tokens public | idx_mlt_email | index | magic_link_tokens public | idx_mlt_expires | index | magic_link_tokens public | idx_oauth_user | index | oauth_accounts public | idx_passkeys_cred | index | passkeys public | idx_passkeys_user | index | passkeys public | idx_prt_expires | index | password_reset_tokens public | idx_prt_user_unused | index | password_reset_tokens public | idx_sessions_expires | index | sessions public | idx_sessions_last_used | index | sessions public | idx_sessions_user | index | sessions public | idx_users_email | index | <span class="nb">users</span> <span class="o">(</span>14 rows<span class="o">)</span> </code></pre> </div> <h2> Cleanup: the expiry janitor </h2> <p>Tokens accumulate. Sessions accumulate. Without cleanup, the tables grow and lookups slow down.</p> <p>Run this once a day on a cron:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">delete</span> <span class="k">from</span> <span class="n">password_reset_tokens</span> <span class="k">where</span> <span class="n">expires_at</span> <span class="o">&lt;</span> <span class="n">now</span><span class="p">()</span> <span class="o">-</span> <span class="n">interval</span> <span class="s1">'7 days'</span><span class="p">;</span> <span class="k">delete</span> <span class="k">from</span> <span class="n">magic_link_tokens</span> <span class="k">where</span> <span class="n">expires_at</span> <span class="o">&lt;</span> <span class="n">now</span><span class="p">()</span> <span class="o">-</span> <span class="n">interval</span> <span class="s1">'7 days'</span><span class="p">;</span> <span class="k">delete</span> <span class="k">from</span> <span class="n">email_verification_tokens</span> <span class="k">where</span> <span class="n">expires_at</span> <span class="o">&lt;</span> <span class="n">now</span><span class="p">()</span> <span class="o">-</span> <span class="n">interval</span> <span class="s1">'30 days'</span><span class="p">;</span> <span class="k">delete</span> <span class="k">from</span> <span class="n">sessions</span> <span class="k">where</span> <span class="n">expires_at</span> <span class="o">&lt;</span> <span class="n">now</span><span class="p">()</span> <span class="o">-</span> <span class="n">interval</span> <span class="s1">'1 day'</span><span class="p">;</span> </code></pre> </div> <p>Why the extra grace period? If a user comes back with an expired link, you want to show them "this link expired" rather than "this link does not exist". Keeping expired rows around for a week gives you the ability to distinguish those cases in the query.</p> <p>Agent tokens and passkeys do not get cleaned up automatically. They are explicit user artifacts and should only go when the user asks or when the user itself is deleted.</p> <h2> The same thing in kavachOS </h2> <p>If you do not want to own any of this, the kavachOS version is one command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>pnpm add kavachos @kavachos/nextjs <span class="nv">$ </span>pnpm kavachos migrate Running migrations against <span class="nv">$DATABASE_URL</span> ✓ 0001_users ✓ 0002_sessions ✓ 0003_oauth_accounts ✓ 0004_password_reset_tokens ✓ 0005_magic_link_tokens ✓ 0006_email_verification_tokens ✓ 0007_passkeys ✓ 0008_agent_tokens ✓ 0009_indexes Done. 8 tables, 14 indexes. </code></pre> </div> <p>The schema <a href="https://github.com/kavachos/kavachos/tree/main/packages/core/migrations" rel="noopener noreferrer">kavachOS ships</a> is close to this article, with two differences: it uses <code>uuid</code> for <code>id</code> columns by default (so tenants in multi-tenant deployments do not share key spaces) and it ships its own cleanup job as a scheduled worker. Docs: <a href="https://kavachos.com/docs/schema" rel="noopener noreferrer">kavachos.com/docs/schema</a>.</p> <p>If you want to add custom columns to <code>users</code> (like <code>full_name</code>, <code>avatar_url</code>, <code>tenant_id</code>), kavachOS supports that through a schema extension mechanism. You do not fork the library.</p> <h2> Three things I would change if I had to do this again </h2> <p><strong>I would use <code>bigint</code> everywhere instead of <code>bigserial</code>.</strong> Postgres 10+ has identity columns (<code>generated always as identity</code>) which are cleaner than sequences and easier to work with in multi-master setups. I default to <code>bigserial</code> because most tutorials do, but identity columns are better if you are starting fresh.</p> <p><strong>I would put <code>locked_until</code> on a separate <code>user_security</code> table.</strong> It is a hot-updated column and separating it keeps the main <code>users</code> row static. Minor optimization, only matters at scale.</p> <p><strong>I would denormalize <code>email_verified</code> out of <code>users</code> into an event log.</strong> Having a boolean that represents "the current state of a verification process" means you lose the history. A small <code>user_events</code> table that records every verification attempt, lockout, and password change is invaluable when debugging and cheap to maintain.</p> <p>None of these are blocking. The schema above ships and runs for years.</p> <h2> What is next </h2> <p>Tomorrow: the register flow, which uses exactly this schema. Then the login flow with the timing attack defense nobody covers in other tutorials.</p> <p>Comment with the column you think I got wrong. I like database arguments.</p> <p><em><a href="https://thegdsks.com" rel="noopener noreferrer">Gagan Deep Singh</a> builds open source tools at <a href="https://glincker.com" rel="noopener noreferrer">Glincker</a>. Currently working on <a href="https://kavachos.com" rel="noopener noreferrer">kavachOS</a> (open source auth for AI agents and humans) and <a href="https://askverdict.ai" rel="noopener noreferrer">AskVerdict</a> (multi-model AI verdicts).</em></p> <p><em>If this was useful, follow me on <a href="https://dev.to/thegdsks">Dev.to</a> or <a href="https://x.com/thegdsks" rel="noopener noreferrer">X</a> where I post weekly.</em></p> postgres authentication database webdev GDS K S Sat, 18 Apr 2026 20:12:58 +0000 https://dev.to/thegdsks/ive-built-auth-six-times-heres-the-system-i-would-build-today-5cpf https://dev.to/thegdsks/ive-built-auth-six-times-heres-the-system-i-would-build-today-5cpf <p>I am writing this series because I have built authentication from scratch six times, and every time I got it about 80 percent right and discovered the last 20 percent at 2am when a user said something weird happened.</p> <p>The point is not to talk you into rolling your own auth. Most of the time you should not. The point is that if you are going to, or if you are trying to read the source of a library that does it for you, you should see all the moving parts laid out. Once you see them, you can decide whether to maintain them yourself or let <a href="https://kavachos.com" rel="noopener noreferrer">kavachOS</a> do it.</p> <h2> What we are building </h2> <p>A Next.js 15 app with Postgres. Email and password, magic link, Google and GitHub OAuth, passkeys, rate limiting, session rotation, password reset, email verification, and an agent token system for AI scripts that call your API on behalf of users.</p> <p>By the end of the series you will have either:</p> <ol> <li>Built the whole thing yourself and know exactly what every line does</li> <li>Looked at the "and the same thing in kavachOS" sections and decided your weekend is worth more than an auth rewrite</li> </ol> <p>Both are fine. I do both depending on the project.</p> <h2> The series in one diagram </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> +-------------------+ | Browser / App | +---------+---------+ | | HTTPS v +----------------------------+ | Next.js app (App Router) | | /app/auth/* UI pages | | /api/auth/* endpoints | +------+---------------+-----+ | | session | | outbound email cookie | v | +---------+ | | Resend | v +---------+ +--------+---------+ | Postgres | | users | | sessions | | oauth_accounts | | reset_tokens | | magic_tokens | | verify_tokens | | passkeys | | agent_tokens | +--------+---------+ | | read via v +------------------+ | Redis / KV | | rate limits | | active session | | lookups | +------------------+ </code></pre> </div> <p>That is the whole thing. Nine tables, one cache, two network dependencies (Postgres and email), one frontend. Every article in the series fills in one box.</p> <h2> What each article covers </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>#</th> <th>Article</th> <th>What ships</th> </tr> </thead> <tbody> <tr> <td>01</td> <td>You are here</td> <td>Architecture, schema preview, series map</td> </tr> <tr> <td>02</td> <td>Database schema</td> <td>SQL for all 8 tables, index choices, the drizzle schema</td> </tr> <tr> <td>03</td> <td>Register user</td> <td>Signup form, password rules, hash choice, email verification trigger</td> </tr> <tr> <td>04</td> <td>Login</td> <td>Form, session cookie, CSRF token, remember me, timing defense</td> </tr> <tr> <td>05</td> <td>Password reset</td> <td>Token generation, one time use, session rotation on success</td> </tr> <tr> <td>06</td> <td>Email verification</td> <td>Sending, verifying, re-sending, bounce handling</td> </tr> <tr> <td>07</td> <td>Magic link login</td> <td>Passwordless token flow with 10 minute expiry</td> </tr> <tr> <td>08</td> <td>OAuth (Google, GitHub)</td> <td>PKCE, state, callback validation, account linking</td> </tr> <tr> <td>09</td> <td>Passkeys</td> <td>WebAuthn registration and assertion with a password fallback</td> </tr> <tr> <td>10</td> <td>Rate limiting</td> <td>Login attempts, email enumeration defense, CAPTCHA gating</td> </tr> <tr> <td>11</td> <td>Agent tokens / MCP OAuth</td> <td>Minting scoped tokens for scripts and AI agents</td> </tr> <tr> <td>12</td> <td>Deploy</td> <td>Cloudflare Workers with D1 and Durable Objects</td> </tr> </tbody> </table></div> <h2> The tables at a glance </h2> <p>I will spend article 02 on each of these. If you are following with kavachOS rather than building by hand, you do not write the DDL: <code>pnpm kavachos migrate</code> creates and maintains all of these for you. Article 02 still exists because it is worth knowing what is in your database, whichever library you use.</p> <p>Here is the preview so you have the shape in your head:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>users sessions +--------------+ +------------------+ | id |&lt;-----+ | id | | email | +-----| user_id | | password_hash| | token_hash | | email_verif. | | expires_at | | created_at | | last_used_at | +--------------+ +------------------+ oauth_accounts password_reset_tokens +--------------+ +------------------+ | id | | id | | user_id |------+ +---| user_id | | provider | | | | token_hash | | provider_uid | | | | expires_at | | access_token | | | | used_at | +--------------+ | | +------------------+ | | magic_link_tokens | | email_verification_tokens +--------------+ | | +------------------+ | id | | | | id | | user_id |------+ +---| user_id | | email | | | | token_hash | | token_hash | | | | expires_at | | expires_at | | | | used_at | +--------------+ | | +------------------+ | | passkeys | | agent_tokens +--------------+ | | +------------------+ | id | | | | id | | user_id |------+ +---| user_id | | credential_id| | token_hash | | public_key | | permissions[] | | counter | | expires_at | +--------------+ +------------------+ </code></pre> </div> <p>If you squint, it is 8 tables with one join key. That is on purpose. Boring schemas age well.</p> <h2> The security properties the system has to maintain </h2> <p>Every article will reference this list. Tape it to your monitor.</p> <ol> <li> <strong>No account enumeration.</strong> <code>/login</code>, <code>/forgot-password</code>, <code>/register</code> return the same response for "user exists" and "user does not exist". Timing differences on those endpoints should be under 50ms.</li> <li> <strong>No token reuse.</strong> Every reset link, magic link, and verification link is one time use. The check is a <code>used_at IS NULL</code> clause, not an application-level flag.</li> <li> <strong>Short expiries.</strong> Reset and magic link tokens expire in 15 minutes. Email verification in 24 hours. Sessions can run long (30 days) because they are revocable.</li> <li> <strong>Hashed token storage.</strong> Every token in the database is the SHA-256 of the raw value. The raw value exists only in the email or URL.</li> <li> <strong>Session rotation on privilege change.</strong> Password reset, email change, and OAuth unlink all invalidate every existing session for that user.</li> <li> <strong>Rate limits on every unauthenticated endpoint.</strong> Login, forgot-password, register, magic link request, verification resend.</li> <li> <strong>CSRF on session-carrying endpoints.</strong> Double submit cookie or SameSite=Lax + custom header.</li> <li> <strong>Structured audit logs.</strong> <code>auth.register.success</code>, <code>auth.login.failure</code>, <code>auth.session.rotated</code>, and so on. You will want these the first time a user claims they did not do something.</li> </ol> <h2> The trade-off you are making by doing this yourself </h2> <p>Writing this code is not that hard. Maintaining it is. Every one of these articles represents 2 to 6 hours of initial implementation plus a long tail of reading advisories, upgrading libraries, and handling weird bugs.</p> <p>The rough math:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>DIY auth initial build: 60 hours of focused work annual maintenance: 30 to 80 hours incident cost: unknown, but nonzero Managed (Auth0, Clerk) initial build: 4 hours annual cost: $1,000 to $50,000 depending on MAU incident cost: their team handles it Open source library (kavachOS, Better Auth) initial build: 4 to 8 hours annual maintenance: 5 to 15 hours (upgrades) incident cost: you handle it, but the code is readable </code></pre> </div> <p>If you are a solo dev with a side project, the library path is usually right. If you are at a company with a security team that wants to own the code, DIY is reasonable. If you are between those, a managed service buys you time.</p> <p>I use <a href="https://kavachos.com" rel="noopener noreferrer">kavachOS</a> because I want to own the code but not write it. Your answer will depend on your context.</p> <h2> How to follow along </h2> <p>Pick one of these three paths:</p> <p><strong>Path A: read along, do not build.</strong> You will still get value from seeing how the pieces fit.</p> <p><strong>Path B: build with me from scratch.</strong> Clone the starter repo at <a href="https://github.com/kavachos/nextjs-auth-from-scratch" rel="noopener noreferrer">github.com/kavachos/nextjs-auth-from-scratch</a>. Each article has a matching branch.</p> <p><strong>Path C: build with kavachOS and skim the DIY parts.</strong> Run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pnpm create next-app@latest my-auth-app <span class="nt">--typescript</span> <span class="nt">--app</span> <span class="nt">--tailwind</span> <span class="nb">cd </span>my-auth-app pnpm add kavachos @kavachos/nextjs </code></pre> </div> <p>Then follow the "kavachOS version" section at the bottom of each article.</p> <h2> What you need installed </h2> <p>Before article 02, have these ready:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>node <span class="nt">--version</span> <span class="c"># 20 or higher</span> pnpm <span class="nt">--version</span> <span class="c"># 9 or higher</span> psql <span class="nt">--version</span> <span class="c"># 15 or higher, or a Neon/Supabase URL</span> </code></pre> </div> <p>A Resend account (or any SMTP provider) for email. An Upstash Redis instance or Cloudflare KV namespace for rate limits. That is it.</p> <h2> Why I am writing this as a series instead of one mega post </h2> <p>Two reasons.</p> <p>One, auth is broken up into real sub-problems that each deserve their own treatment. Jamming all of it into one 40,000 word post means nobody reads it.</p> <p>Two, I want to write for 12 days straight. Forcing publication at this cadence means I cannot perfect anything, which is good. The first draft of a system is more honest than the polished one.</p> <h2> Next up </h2> <p>Article 02: the database schema. Every table, every index, every column nobody thinks about until they get a support ticket at midnight. We will also look at why <code>text</code> beats <code>varchar</code> on Postgres, why <code>id</code> should be a <code>bigserial</code> and not a <code>uuid</code> in most cases, and how to make your <code>email</code> column case-insensitive without hating yourself.</p> <p>See you tomorrow.</p> <p>Comment with the article you would most like me to skip ahead to. If enough people ask for the same one, I will reorder the series.</p> <p>Tags: #authentication #webdev #nextjs #tutorial</p> authentication webdev nextjs tutorial GDS K S Wed, 15 Apr 2026 17:10:53 +0000 https://dev.to/thegdsks/checking-tls-cert-expiry-across-your-infrastructure-2bf3 https://dev.to/thegdsks/checking-tls-cert-expiry-across-your-infrastructure-2bf3 <p>A cert expired on one of our staging services last month. Nobody noticed for two hours because our monitoring only checked HTTP 200s, and the TLS error happened before HTTP even got involved. The load balancer just refused connections silently.</p> <p>Staging, so low impact. But it got me thinking about how I was checking certs across all our services. The honest answer: I mostly wasn't.</p> <h2> the script I used to have </h2> <p>I had a bash script that looked roughly like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="nv">HOSTS</span><span class="o">=</span><span class="s2">"api.example.com staging.example.com admin.example.com"</span> <span class="k">for </span>host <span class="k">in</span> <span class="nv">$HOSTS</span><span class="p">;</span> <span class="k">do </span><span class="nv">expiry</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> | openssl s_client <span class="nt">-connect</span> <span class="s2">"</span><span class="nv">$host</span><span class="s2">:443"</span> 2&gt;/dev/null <span class="se">\</span> | openssl x509 <span class="nt">-noout</span> <span class="nt">-enddate</span> 2&gt;/dev/null <span class="se">\</span> | <span class="nb">cut</span> <span class="nt">-d</span><span class="o">=</span> <span class="nt">-f2</span><span class="si">)</span> <span class="nb">echo</span> <span class="s2">"</span><span class="nv">$host</span><span class="s2">: </span><span class="nv">$expiry</span><span class="s2">"</span> <span class="k">done</span> </code></pre> </div> <p>It worked. Sort of. The output was a list of dates in openssl's format (<code>Jun 15 12:00:00 2026 GMT</code>), which is fine for a human glancing at it but annoying to parse if you want to do anything programmatic. And if a host was unreachable, the script would hang for the TCP timeout before moving on.</p> <p>I also had no easy way to say "tell me which ones expire within 30 days." I'd just eyeball the dates.</p> <h2> what I switched to </h2> <p>I've been building a cert tool called <a href="https://github.com/glincker/sslx" rel="noopener noreferrer">sslx</a> and one of the commands that turned out to be the most useful is <code>expiry</code>. It checks multiple hosts in one go:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">$</span><span class="w"> </span>sslx expiry api.example.com staging.example.com admin.example.com <span class="go"> Host Expires Days Status ──────────────────────────────────────────────────────────────── ✓ api.example.com:443 2026-08-12 119 OK ✓ staging.example.com:443 2026-04-22 7 WARNING ✓ admin.example.com:443 2026-05-30 45 OK </span></code></pre> </div> <p>The status column does the date math for me. OK means more than 30 days. WARNING is 30 days or less. CRITICAL is 7 days or less. EXPIRED is, well, expired.</p> <p>The exit code is 1 if anything is expired or within 7 days. That's the part that makes it useful in automation.</p> <h2> putting it in a cron job </h2> <p>Here's what I actually run now:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># /etc/cron.d/cert-check (runs daily at 9am)</span> 0 9 <span class="k">*</span> <span class="k">*</span> <span class="k">*</span> gagan sslx expiry <span class="se">\</span> api.prod.example.com <span class="se">\</span> web.prod.example.com <span class="se">\</span> staging.example.com <span class="se">\</span> admin.example.com <span class="se">\</span> <span class="o">||</span> <span class="nb">echo</span> <span class="s2">"cert expiring soon"</span> | mail <span class="nt">-s</span> <span class="s2">"cert warning"</span> ops@example.com </code></pre> </div> <p>Because the exit code is non-zero when something is expiring, the <code>||</code> branch triggers and sends an email. Simple. No parsing dates in bash, no jq gymnastics.</p> <p>For something more structured, you can use JSON output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>sslx expiry api.example.com <span class="nt">--json</span> | jq <span class="s1">'.[] | select(.days_remaining &lt; 30)'</span> </code></pre> </div> <h2> in CI/CD pipelines </h2> <p>I also added an expiry check to our deployment pipeline. We verify the target environment's certs aren't about to expire before deploying. After the staging thing I figured why not:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .github/workflows/deploy.yml</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">check target certs</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">sslx expiry ${{ vars.DEPLOY_HOST }} || {</span> <span class="s">echo "::error::TLS cert expiring soon on ${{ vars.DEPLOY_HOST }}"</span> <span class="s">exit 1</span> <span class="s">}</span> </code></pre> </div> <p>If the cert is expiring within a week, the deploy fails. We'd rather catch it there than find out at 2am.</p> <h2> checking local cert files too </h2> <p>The same tool handles local cert files, not just live hosts. If you have certs sitting on disk (maybe pulled from a vault, or generated for local dev), you can inspect them the same way:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">$</span><span class="w"> </span>sslx inspect cert.pem <span class="go"> ╭─ Certificate 1 of 1 ────────────────────────────────────╮ │ Subject: CN=*.example.com │ │ Issuer: CN=Let's Encrypt Authority X3 │ │ │ │ Valid: 2026-01-15 → 2026-04-15 │ │ Expires: ██░░░░░░░░ 12 days remaining [!] │ │ │ │ Key: ECDSA P-256 (256 bit) │ │ SANs: *.example.com, example.com │ ╰─────────────────────────────────────────────────────────╯ </span></code></pre> </div> <p>That progress bar is surprisingly useful. Red at a glance.</p> <p>You can also pipe certs from other tools. This one comes up a lot with kubernetes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get secret tls-cert <span class="nt">-o</span> <span class="nv">jsonpath</span><span class="o">=</span><span class="s1">'{.data.tls\.crt}'</span> <span class="se">\</span> | <span class="nb">base64</span> <span class="nt">-d</span> <span class="se">\</span> | sslx inspect - </code></pre> </div> <h2> what I'm not doing here </h2> <p>I'm not replacing proper cert management. If you're using cert-manager or ACME renewals, those handle rotation automatically and you probably don't need to manually track expiry dates.</p> <p>But I've found there's always a handful of certs that don't fit neatly into the automated renewal pipeline. Internal services with self-signed certs. Third party integrations where someone uploaded a cert manually six months ago. Staging environments that nobody quite owns.</p> <p>Those are the ones that expire at the worst time. And those are the ones worth checking daily with a simple cron job.</p> <h2> install </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>cargo <span class="nb">install </span>sslx <span class="c"># or</span> brew <span class="nb">install </span>glincker/tap/sslx </code></pre> </div> <p>Single binary, no dependencies. Works on Linux, macOS, and Windows.</p> <p><a href="https://github.com/glincker/sslx" rel="noopener noreferrer">github.com/glincker/sslx</a></p> github opensource development javascript GDS K S Wed, 15 Apr 2026 17:07:02 +0000 https://dev.to/thegdsks/i-stopped-memorizing-openssl-flags-3h9p https://dev.to/thegdsks/i-stopped-memorizing-openssl-flags-3h9p <p>Every few weeks I need to do something with a certificate. Check when it expires. Look at what SANs are on it. Generate a self-signed one for local dev. Create a CSR. Convert between formats.</p> <p>And every single time, I google the openssl command.</p> <p>It's not that the commands are hard. It's that they're inconsistent enough that I can never quite remember them. Is it <code>openssl x509 -in</code> or <code>openssl x509 -text</code>? Do I need <code>-noout</code>? What about the <code>s_client</code> pipeline thing where I have to pipe through two commands just to see a cert from a live server?</p> <p>I've been writing software for years. I can hold a lot of random CLI syntax in my head. But openssl never sticks. The subcommands follow no pattern I can internalize, and the flags feel like they were designed by committee across two decades. Which, to be fair, they were.</p> <h2> what I actually do with certificates </h2> <p>When I thought about it, my cert tasks fall into maybe 10 categories:</p> <ul> <li>Look at a cert file</li> <li>Connect to a server and see its TLS setup</li> <li>Check if a cert is expiring soon (across multiple hosts)</li> <li>Generate a self-signed cert for development</li> <li>Create a CSR</li> <li>Convert between PEM/DER/PKCS12</li> <li>Check if a cert and private key match</li> <li>Grade a server's TLS configuration</li> <li>Decode a JWT (yeah, this comes up more than I expected)</li> <li>Verify a certificate chain</li> </ul> <p>That's it. I'm not running a certificate authority. I'm not doing low level crypto operations. I'm doing the same 10 things over and over, and reaching for a tool that does 200 things, most of which I'll never touch.</p> <h2> the openssl tax </h2> <p>Here's what some of these look like in openssl:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># check when a remote cert expires</span> <span class="nb">echo</span> | openssl s_client <span class="nt">-connect</span> host:443 2&gt;/dev/null | openssl x509 <span class="nt">-noout</span> <span class="nt">-enddate</span> <span class="c"># generate a self-signed cert with EC key and SANs</span> openssl req <span class="nt">-x509</span> <span class="nt">-newkey</span> ec <span class="nt">-pkeyopt</span> ec_paramgen_curve:P-256 <span class="se">\</span> <span class="nt">-keyout</span> key.pem <span class="nt">-out</span> cert.pem <span class="nt">-days</span> 365 <span class="nt">-nodes</span> <span class="nt">-batch</span> <span class="se">\</span> <span class="nt">-subj</span> <span class="s2">"/CN=localhost"</span> <span class="c"># check if cert and key match</span> diff &lt;<span class="o">(</span>openssl x509 <span class="nt">-noout</span> <span class="nt">-modulus</span> <span class="nt">-in</span> cert.pem<span class="o">)</span> <span class="se">\</span> &lt;<span class="o">(</span>openssl rsa <span class="nt">-noout</span> <span class="nt">-modulus</span> <span class="nt">-in</span> key.pem<span class="o">)</span> </code></pre> </div> <p>I call it a tax because it's time I spend repeatedly, on something that should be simple, and the complexity doesn't buy me anything. I don't need openssl's full power. I need the 10 things.</p> <h2> so I built the 10 things </h2> <p>I wrote a tool called <a href="https://github.com/glincker/sslx" rel="noopener noreferrer">sslx</a>. Same tasks, less typing:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># check when a remote cert expires</span> sslx expiry host <span class="c"># generate a self-signed cert</span> sslx generate <span class="nt">--cn</span> localhost <span class="c"># check if cert and key match</span> sslx match cert.pem key.pem </code></pre> </div> <p>The pattern is: <code>sslx &lt;verb&gt; &lt;target&gt;</code>. That's it. No subcommand soup, no flags you need to memorize. The verbs are the same words you'd use if you were describing the task out loud.</p> <p>Here's the full comparison:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>What you're doing</th> <th>openssl</th> <th>sslx</th> </tr> </thead> <tbody> <tr> <td>Look at a cert</td> <td><code>openssl x509 -in cert.pem -text -noout</code></td> <td><code>sslx inspect cert.pem</code></td> </tr> <tr> <td>TLS handshake</td> <td>`openssl s_client -connect host:443 2&gt;/dev/null \</td> <td>openssl x509 -text`</td> </tr> <tr> <td>Self-signed cert</td> <td> <code>openssl req -x509 -newkey ec ...</code> (6 flags)</td> <td><code>sslx generate --cn localhost</code></td> </tr> <tr> <td>Check expiry</td> <td>`echo \</td> <td>openssl s_client ... \</td> </tr> <tr> <td>Cert+key match</td> <td>{% raw %}<code>diff &lt;(openssl x509 ...) &lt;(openssl rsa ...)</code> </td> <td><code>sslx match cert.pem key.pem</code></td> </tr> <tr> <td>PEM to DER</td> <td><code>openssl x509 -in cert.pem -outform DER -out cert.der</code></td> <td><code>sslx convert cert.pem --to der</code></td> </tr> <tr> <td>TLS grade</td> <td><em>(go to ssllabs.com)</em></td> <td><code>sslx grade host</code></td> </tr> <tr> <td>Decode JWT</td> <td><em>(go to jwt.io)</em></td> <td><code>sslx decode &lt;token&gt;</code></td> </tr> </tbody> </table></div> <h2> what the output looks like </h2> <p>This is probably the part that sold me on actually using it daily. openssl gives you a wall of ASN.1 text. sslx gives you the parts you care about:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">$</span><span class="w"> </span>sslx grade github.com <span class="go"> ╭──────────────────────────────────────────╮ │ github.com:443 Grade: A+ │ ╰──────────────────────────────────────────╯ ✓ Protocol TLS 1.3 ✓ Cipher TLS13_AES_128_GCM_SHA256 (AEAD) ✓ Certificate Valid, 49 days remaining ✓ Key ECDSA P-256 (256 bit) ✓ Hostname github.com in SANs ✓ Chain Complete (3 certs) ✓ ALPN HTTP/2 supported </span></code></pre> </div> <p>Or checking expiry across a bunch of hosts at once:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">$</span><span class="w"> </span>sslx expiry google.com github.com cloudflare.com stripe.com <span class="go"> Host Expires Days Status ──────────────────────────────────────────────────────────────── ✓ google.com:443 2026-06-15 61 OK ✓ github.com:443 2026-06-03 49 OK ✓ cloudflare.com:443 2026-06-10 56 OK ✓ stripe.com:443 2026-09-01 139 OK </span></code></pre> </div> <p>The expiry command returns exit code 1 if anything expires within 7 days. I have this in a cron job now.</p> <h2> CI/CD and scripting </h2> <p>Everything supports <code>--json</code> for when you need machine readable output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>sslx grade example.com <span class="nt">--json</span> | jq <span class="s1">'.grade'</span> sslx inspect cert.pem <span class="nt">--json</span> | jq <span class="s1">'.certificates[0].sans'</span> </code></pre> </div> <p>And you can pipe certs from stdin:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat </span>cert.pem | sslx inspect - kubectl get secret tls-cert <span class="nt">-o</span> <span class="nv">jsonpath</span><span class="o">=</span><span class="s1">'{.data.tls\.crt}'</span> | <span class="nb">base64</span> <span class="nt">-d</span> | sslx inspect - </code></pre> </div> <p>That second one is real. I use it to check certs stored in k8s secrets without writing temp files.</p> <h2> the technical bits, briefly </h2> <p>It's written in Rust, single binary, no runtime dependencies. Uses rustls instead of linking against system OpenSSL, so it works the same everywhere. About 4MB.</p> <p>It's fast too, though I don't think that matters much for a cert tool. <code>sslx inspect</code> on a local cert takes about 2ms.</p> <p>Install with cargo or homebrew:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>cargo <span class="nb">install </span>sslx <span class="c"># or</span> brew <span class="nb">install </span>glincker/tap/sslx </code></pre> </div> <h2> what it doesn't do </h2> <p>sslx is not a replacement for openssl the library. It doesn't do symmetric encryption, PKCS operations, S/MIME, or any of the hundred other things openssl can do. If you need those, use openssl.</p> <p>It replaces the 10 cert/TLS commands I kept googling. Nothing more.</p> <p><a href="https://github.com/glincker/sslx" rel="noopener noreferrer">github.com/glincker/sslx</a></p> <p>If you have opinions about what commands are missing or how the output should look, open an issue. I'm using this daily so I actually read them.</p> rust cli security productivity GDS K S Wed, 15 Apr 2026 04:58:17 +0000 https://dev.to/thegdsks/your-terminal-is-mass-here-are-280-tools-to-fix-it-4bc5 https://dev.to/thegdsks/your-terminal-is-mass-here-are-280-tools-to-fix-it-4bc5 <p>I mass-replaced every classic Unix tool in my dotfiles. It took a few years of stumbling into alternatives, and at some point I realized the list was absurdly long. So I organized it.</p> <h2> <div class="ltag-github-readme-tag"> <div class="readme-overview"> <h2> <img src="https://assets.dev.to/assets/github-logo-5a155e1f9a670af7944dd5e12375bc76ed542ea80224905ecaf878b9157cdefc.svg" alt="GitHub logo"> <a href="https://github.com/thegdsks" rel="noopener noreferrer"> thegdsks </a> / <a href="https://github.com/thegdsks/awesome-modern-cli" rel="noopener noreferrer"> awesome-modern-cli </a> </h2> <h3> A curated list of modern alternatives to classic command-line tools. Faster, prettier, smarter replacements for the Unix utilities you use every day. </h3> </div> <div class="ltag-github-body"> <div id="readme" class="md"> <div> <div class="markdown-heading"> <h1 class="heading-element">Awesome Modern CLI</h1> </div> <p>A curated list of modern alternatives to classic command-line tools.</p> <p>The terminal is having a renaissance. Faster, prettier, smarter tools are replacing the Unix classics you've used for decades. This list helps you find them.</p> <p><a href="https://github.com/thegdsks/awesome-modern-cli/CONTRIBUTING.md" rel="noopener noreferrer">Contribute</a></p> </div> <div class="markdown-heading"> <h3 class="heading-element">Highlights</h3> </div> <p> <a href="https://github.com/sharkdp/bat" rel="noopener noreferrer"><b>bat</b></a> - A <code>cat</code> clone with syntax highlighting and Git integration <br><br> <a rel="noopener noreferrer nofollow" href="https://camo.githubusercontent.com/6afa2b6da8f06618b280178dc5828939242e6bf6183a385ea3734e8dbf8114c7/68747470733a2f2f696d6775722e636f6d2f724773646e44652e706e67"><img src="https://camo.githubusercontent.com/6afa2b6da8f06618b280178dc5828939242e6bf6183a385ea3734e8dbf8114c7/68747470733a2f2f696d6775722e636f6d2f724773646e44652e706e67" width="600"></a> </p> <p> <a href="https://github.com/eza-community/eza" rel="noopener noreferrer"><b>eza</b></a> - A modern replacement for <code>ls</code> with colors, icons, and git integration <br><br> <a rel="noopener noreferrer nofollow" href="https://raw.githubusercontent.com/eza-community/eza/main/docs/images/screenshots.png"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fraw.githubusercontent.com%2Feza-community%2Feza%2Fmain%2Fdocs%2Fimages%2Fscreenshots.png" width="600"></a> </p> <p> <a href="https://github.com/dandavison/delta" rel="noopener noreferrer"><b>delta</b></a> - A syntax-highlighting pager for git, diff, and grep output <br><br> <a rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/52205/86275526-76792100-bba1-11ea-9e78-6be9baa80b29.png"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F52205%2F86275526-76792100-bba1-11ea-9e78-6be9baa80b29.png" width="600"></a> </p> <p> <a href="https://github.com/jesseduffield/lazygit" rel="noopener noreferrer"><b>lazygit</b></a> - A simple terminal UI for git commands <br><br> <a rel="noopener noreferrer nofollow" href="https://raw.githubusercontent.com/jesseduffield/lazygit/assets/staging.gif"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fraw.githubusercontent.com%2Fjesseduffield%2Flazygit%2Fassets%2Fstaging.gif" width="600"></a> </p> <p> <a href="https://github.com/aristocratos/btop" rel="noopener noreferrer"><b>btop</b></a> - A resource monitor with beautiful TUI and extensive features <br><br> <a rel="noopener noreferrer nofollow" href="https://raw.githubusercontent.com/aristocratos/btop/main/Img/normal.png"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fraw.githubusercontent.com%2Faristocratos%2Fbtop%2Fmain%2FImg%2Fnormal.png" width="600"></a> </p> <p> <a href="https://github.com/junegunn/fzf" rel="noopener noreferrer"><b>fzf</b></a> - A general-purpose command-line fuzzy finder <br><br> <a rel="noopener noreferrer nofollow" href="https://raw.githubusercontent.com/junegunn/i/master/fzf-preview.png"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fraw.githubusercontent.com%2Fjunegunn%2Fi%2Fmaster%2Ffzf-preview.png" width="600"></a> </p> <p> <a href="https://github.com/ajeetdsouza/zoxide" rel="noopener noreferrer"><b>zoxide</b></a> - A smarter <code>cd</code> command that learns your habits <br><br> <a rel="noopener noreferrer nofollow" href="https://raw.githubusercontent.com/ajeetdsouza/zoxide/main/contrib/tutorial.webp"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fraw.githubusercontent.com%2Fajeetdsouza%2Fzoxide%2Fmain%2Fcontrib%2Ftutorial.webp" width="600"></a> </p> <p> <a href="https://github.com/jesseduffield/lazydocker" rel="noopener noreferrer"><b>lazydocker</b></a> - The lazier way to manage everything Docker <br><br> <a rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/8456633/59972109-8e9c8480-95cc-11e9-8350-38f7f86ba76d.png"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fuser-images.githubusercontent.com%2F8456633%2F59972109-8e9c8480-95cc-11e9-8350-38f7f86ba76d.png" width="600"></a> </p> <p> <a href="https://github.com/starship/starship" rel="noopener noreferrer"><b>starship</b></a> - Minimal, blazing-fast, and infinitely customizable prompt for any shell <br><br> <a rel="noopener noreferrer nofollow" href="https://raw.githubusercontent.com/starship/starship/master/media/demo.gif"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fraw.githubusercontent.com%2Fstarship%2Fstarship%2Fmaster%2Fmedia%2Fdemo.gif" width="600"></a> </p> <p> <a href="https://github.com/sharkdp/hyperfine" rel="noopener noreferrer"><b>hyperfine</b></a> - A command-line benchmarking tool with statistical analysis <br><br> <a rel="noopener noreferrer nofollow" href="https://camo.githubusercontent.com/8629d3eaba0870a727fb1a8ffee7289f757cf1f92b3f18c109ff1855bc815e5c/68747470733a2f2f692e696d6775722e636f6d2f7a31394f5978452e676966"><img src="https://camo.githubusercontent.com/8629d3eaba0870a727fb1a8ffee7289f757cf1f92b3f18c109ff1855bc815e5c/68747470733a2f2f692e696d6775722e636f6d2f7a31394f5978452e676966" width="600"></a> </p> <p> <a href="https://github.com/orf/gping" rel="noopener noreferrer"><b>gping</b></a> - Ping, but with a graph <br><br> <a rel="noopener noreferrer nofollow" href="https://raw.githubusercontent.com/orf/gping/master/images/readme-example.gif"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fraw.githubusercontent.com%2Forf%2Fgping%2Fmaster%2Fimages%2Freadme-example.gif" width="600"></a> </p> <p> <a href="https://github.com/BurntSushi/ripgrep" rel="noopener noreferrer"><b>ripgrep</b></a> -…</p> </div> </div> <div class="gh-btn-container"><a class="gh-btn" href="https://github.com/thegdsks/awesome-modern-cli" rel="noopener noreferrer">View on GitHub</a></div> </div> </h2> <h2> How it started </h2> <p>Two years ago I watched someone share their screen and their <code>cat</code> output had syntax highlighting. Colored, with line numbers, git diff markers in the gutter. I asked what it was. "bat."</p> <p>That was it. One tool. Then I found ripgrep, and grep felt broken. Then fd, and find felt like writing a legal contract. Then eza, and plain <code>ls</code> looked like a DOS prompt from 1993.</p> <p>Before I knew it, half my shell aliases pointed to Rust binaries I'd installed from cargo or brew, and the other half were Go tools I found on some random HN thread at 2am.</p> <h2> The "where do I find all of these" problem </h2> <p>I kept bookmarking individual GitHub repos. Then I'd forget them. Then I'd rediscover them six months later and install them again.</p> <p>When I searched for a single list, the options were:</p> <ul> <li> <strong>modern-unix</strong> (33k stars) - gorgeous, but only 30 tools and hasn't been updated since 2024</li> <li> <strong>awesome-cli-apps</strong> (19k stars) - 500 entries, no way to tell what replaces what</li> <li> <strong>awesome-rust</strong> (57k stars) - CLI tools buried between web frameworks and game engines</li> </ul> <p>Nobody had organized these by "I use grep, what's better?" So I did it.</p> <h2> What I found: 282 tools across 44 categories </h2> <p>The full list is here: <a href="https://github.com/thegdsks/awesome-modern-cli" rel="noopener noreferrer">awesome-modern-cli</a></p> <p>But let me walk you through the categories that surprised me the most.</p> <h2> The replacements everyone knows </h2> <p>You've probably heard of these. If not, stop reading this article and go install them right now.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>You type</th> <th>You should type</th> <th>What changes</th> </tr> </thead> <tbody> <tr> <td><code>cat file.py</code></td> <td><code>bat file.py</code></td> <td>Syntax highlighting, line numbers, git markers</td> </tr> <tr> <td><code>grep -r "TODO" .</code></td> <td><code>rg "TODO"</code></td> <td>5-10x faster, respects .gitignore by default</td> </tr> <tr> <td><code>find . -name "*.ts"</code></td> <td><code>fd ".ts"</code></td> <td>Simpler syntax, way faster, colored output</td> </tr> <tr> <td><code>ls -la</code></td> <td><code>eza -la --icons</code></td> <td>Colors, icons, git status per file</td> </tr> <tr> <td><code>du -sh *</code></td> <td><code>dust</code></td> <td>Visual bar chart of disk usage</td> </tr> <tr> <td><code>cd projects/app</code></td> <td><code>z app</code></td> <td>Learns your habits, jumps anywhere</td> </tr> <tr> <td><code>diff file1 file2</code></td> <td><code>delta</code></td> <td>Syntax-aware, side-by-side, git integration</td> </tr> </tbody> </table></div> <p>If you already use all of these, you're the target audience for the rest of this article.</p> <h2> The replacements nobody talks about </h2> <p>Here's where it gets interesting. These are the tools I found while building the list that made me go "how did I not know about this?"</p> <h3> television - fzf but faster </h3> <p>Everyone knows fzf. It's the fuzzy finder that made <code>ctrl+r</code> usable. But <a href="https://github.com/alexpasmantier/television" rel="noopener noreferrer">television</a> is a Rust rewrite of the same concept that's noticeably faster on large inputs. If you pipe 100k lines into it, you feel the difference.</p> <h3> scooter - interactive find and replace </h3> <p>Every time I need to rename a variable across files, I end up writing some sed/perl one-liner that I have to google the syntax for. <a href="https://github.com/thomasschafer/scooter" rel="noopener noreferrer">scooter</a> gives you a TUI where you type the search, type the replacement, see a live preview of every change across every file, and hit enter. That's it.</p> <h3> trippy - ping meets traceroute </h3> <p><a href="https://github.com/fujiapple852/trippy" rel="noopener noreferrer">trippy</a> combines ping and traceroute into a single TUI with a live graph. You see every hop, the latency at each one, and packet loss. All updating in real time. I used to run <code>mtr</code> for this, but trippy's interface is cleaner.</p> <h3> jnv - interactive jq </h3> <p>If you use jq, you know the pain of writing a filter, running it, getting an error, tweaking, running again. <a href="https://github.com/ynqa/jnv" rel="noopener noreferrer">jnv</a> gives you a split-screen TUI where you type jq expressions and see the output update live. Sounds simple. Saved me more time than I'd like to admit.</p> <h3> rainfrog - database TUI </h3> <p><a href="https://github.com/achristmascarl/rainfrog" rel="noopener noreferrer">rainfrog</a> is a terminal database client for Postgres, MySQL, and SQLite. Think pgAdmin, but in your terminal. Browse tables, run queries, see results. I was using psql with a bunch of <code>\d</code> commands before this.</p> <h2> The Rust thing </h2> <p>I wasn't planning to track implementation languages. I added it because I was curious and then the numbers got weird.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Language</th> <th>Tools</th> <th>Percentage</th> </tr> </thead> <tbody> <tr> <td>Rust</td> <td>146</td> <td>52%</td> </tr> <tr> <td>Go</td> <td>46</td> <td>16%</td> </tr> <tr> <td>Python</td> <td>17</td> <td>6%</td> </tr> <tr> <td>C/C++</td> <td>16</td> <td>6%</td> </tr> <tr> <td>Zig</td> <td>3</td> <td>1%</td> </tr> <tr> <td>Other</td> <td>54</td> <td>19%</td> </tr> </tbody> </table></div> <p>Over half the list is Rust. Not because I went looking for Rust tools. Just because when you search for "modern X replacement" for any Unix command, the top result is usually a Rust project.</p> <p>There's something about the CLI space that attracts Rust developers. Maybe it's the single-binary distribution. Maybe it's the performance. Maybe the Rust community just has a thing for rewriting Unix tools. Whatever it is, the result is that the terminal is becoming a Rust runtime whether you intended it or not.</p> <h2> The categories that shouldn't exist but do </h2> <p>Some of these categories made me question my life choices when I realized there were enough tools to fill them.</p> <p><strong>Terminal emulators (5 entries)</strong> - We have five GPU-accelerated terminal emulators in 2026. Alacritty, Ghostty, WezTerm, Rio, and Warp. Your terminal now requires a GPU. Let that sink in.</p> <p><strong>Database TUIs (7 entries)</strong> - Seven different ways to browse your database from the terminal. We have more TUI database clients than most companies have databases.</p> <p><strong>Fuzzy finders (3 entries)</strong> - Three competing fuzzy finders. Because apparently fzf, the tool that changed how everyone uses their shell, needed competition.</p> <p><strong>Kubernetes TUIs (2 entries)</strong> - k9s and kdash. For when you want to manage your orchestration layer for your container runtime from a terminal user interface. We've come full circle from mainframes.</p> <h2> What I actually use daily </h2> <p>My honest daily setup, not the aspirational "I should use all of these" list:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># ~/.zshrc (the relevant parts)</span> <span class="nb">alias cat</span><span class="o">=</span><span class="s2">"bat"</span> <span class="nb">alias ls</span><span class="o">=</span><span class="s2">"eza --icons"</span> <span class="nb">alias </span><span class="nv">find</span><span class="o">=</span><span class="s2">"fd"</span> <span class="nb">alias grep</span><span class="o">=</span><span class="s2">"rg"</span> <span class="nb">alias du</span><span class="o">=</span><span class="s2">"dust"</span> <span class="nb">alias </span><span class="nv">diff</span><span class="o">=</span><span class="s2">"delta"</span> <span class="nb">alias </span><span class="nv">top</span><span class="o">=</span><span class="s2">"btop"</span> <span class="nb">alias cd</span><span class="o">=</span><span class="s2">"z"</span> <span class="c"># these aren't aliases, just tools I reach for</span> <span class="c"># lazygit - for anything git</span> <span class="c"># fzf - ctrl+r and piping</span> <span class="c"># just - project task runner</span> <span class="c"># bat - reading files</span> <span class="c"># hyperfine - benchmarking scripts</span> </code></pre> </div> <p>That's 12 tools out of 282. The other 270 are for when you need something specific. The list is a reference, not a shopping list.</p> <h2> How I organized it </h2> <p>The organizational principle is simple: <strong>what are you replacing?</strong></p> <p>If you use <code>grep</code> and want something better, go to the "Text Search" section. If you use <code>top</code> and want something prettier, go to "System Monitoring." Every entry tells you:</p> <ol> <li>What it's called</li> <li>Where to find it</li> <li>What it does in one sentence</li> <li>What language it's written in</li> </ol> <p>No star counts (they go stale). No screenshots in the list itself (there's a highlight reel at the top for that). Just the information you need to decide if you want to try it.</p> <p>Everything is alphabetically sorted within sections so you can scan quickly.</p> <h2> The list </h2> <p><a href="https://github.com/thegdsks/awesome-modern-cli" rel="noopener noreferrer">github.com/thegdsks/awesome-modern-cli</a></p> <p>282 tools. 44 categories. CC0 licensed. If I missed something, open an issue or PR.</p> <p>I'm keeping it updated, and the CI runs a link checker weekly so nothing goes stale without me noticing.</p> <p><em><a href="https://thegdsks.com" rel="noopener noreferrer">Gagan Deep Singh</a> builds open source tools. Currently working on <a href="https://github.com/thegdsks/sslx" rel="noopener noreferrer">sslx</a>, a modern alternative to OpenSSL's CLI.</em></p> showdev cli terminal opensource GDS K S Mon, 13 Apr 2026 20:50:19 +0000 https://dev.to/thegdsks/your-vs-code-extensions-are-a-supply-chain-attack-surface-3gp4 https://dev.to/thegdsks/your-vs-code-extensions-are-a-supply-chain-attack-surface-3gp4 <p>Last week a VS Code extension called <code>specstudio.code-wakatime-activity-tracker</code> was caught dropping a Zig-compiled binary onto developer machines. It looked like WakaTime. It tracked your activity alright, just not in the way you expected.</p> <p>This is part of a campaign researchers are calling GlassWorm. And it's not the first incident. It won't be the last.</p> <p>I went through my own extensions after reading about it. I had 47 installed. I could confidently vouch for maybe 20 of them. The rest? I installed them months ago, never checked who published them, never looked at what permissions they had. I'm guessing your situation is similar.</p> <h2> What your editor can actually access </h2> <p>Before we get into the attack, look at this. This is what VS Code (and every extension running inside it) has access to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────────────┐ │ VS Code │ │ │ │ ┌──────────┐ ┌──────────┐ ┌──────────────┐ │ │ │ Extension│ │ Extension│ │ Extension │ │ │ │ Theme │ │ Formatter│ │ "WakaTime" │ │ │ └────┬─────┘ └────┬─────┘ └──────┬───────┘ │ │ │ │ │ │ │ ▼ ▼ ▼ │ │ ┌──────────────────────────────────────────┐ │ │ │ SAME PERMISSION LEVEL │ │ │ │ No sandbox. No isolation. Full access. │ │ │ └──────────────────────────────────────────┘ │ │ │ │ │ │ │ ▼ ▼ ▼ │ ├───────────────────────────────────────────────────┤ │ ~/.ssh/* ~/.env ~/.aws/ │ │ ~/.gitconfig Terminal Source code │ │ API keys DB creds Git tokens │ └───────────────────────────────────────────────────┘ </code></pre> </div> <p>There is no sandbox. A color theme extension has the same system access as a full debugger. The marketplace review process catches obvious malware but it's not a security audit. Extensions with 50,000 installs have been caught doing shady things.</p> <h2> How GlassWorm works </h2> <p>Here's the kill chain. Each step is designed to avoid detection:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Step 1: INSTALL User installs "code-wakatime-activity-tracker" Looks legit: decent reviews, familiar branding │ ▼ Step 2: DROP Extension downloads a Zig-compiled binary (Zig = not in most antivirus signature DBs) │ ▼ Step 3: PERSIST Binary registers as a background process Survives VS Code closing │ ▼ Step 4: HARVEST Scans for: ├── .env, .env.local, .env.production ├── *.pem, *.key (SSL/SSH keys) ├── .git/config (remote URLs → company ID) └── ~/.aws/credentials │ ▼ Step 5: EXFILTRATE Sends harvested data to C2 server Encrypted, looks like normal HTTPS traffic │ ▼ Step 6: (WORST CASE) INJECT Receives instructions to modify source files Could inject backdoors into YOUR commits </code></pre> </div> <p>That last step is the one that should keep you up at night. It's not just stealing secrets. It could be modifying your code before you push it. Your CI passes. Your review looks clean. The backdoor was there before you committed.</p> <h2> The audit: my results </h2> <p>I scored each of my 47 extensions on a simple trust matrix:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> VERIFIED PUBLISHER Yes No ┌─────────────┬──────────────┐ Yes │ KEEP │ INSPECT │ OPEN SOURCE │ (20 exts) │ (4 exts) │ ├─────────────┼──────────────┤ No │ INSPECT │ REMOVE │ │ (7 exts) │ (16 exts) │ └─────────────┴──────────────┘ Result: 47 → 31 extensions Removed: 16 | Flagged for inspection: 11 </code></pre> </div> <p>The 16 I removed fell into three buckets:</p> <ul> <li>Duplicates of built-in VS Code features (VS Code has gotten better, some extensions are unnecessary now)</li> <li>Extensions I installed for a specific project months ago and never used again</li> <li>Extensions from unverified publishers with no source code</li> </ul> <h2> Step-by-step: audit yours in 30 minutes </h2> <h3> 1. Dump your extension list </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>code <span class="nt">--list-extensions</span> <span class="o">&gt;</span> my-extensions.txt <span class="nb">wc</span> <span class="nt">-l</span> my-extensions.txt <span class="c"># how many do you have?</span> </code></pre> </div> <h3> 2. Run the trust check </h3> <p>For each extension, run it through this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Extension: _______________ ┌──────────────────────────────────────────┐ │ Verified publisher? [ ] Y [ ] N │ │ Open source / GitHub link? [ ] Y [ ] N │ │ Updated in last 6 months? [ ] Y [ ] N │ │ Install/rating ratio normal? [ ] Y [ ] N │ │ Do I actually use this? [ ] Y [ ] N │ ├──────────────────────────────────────────┤ │ 5/5 = KEEP │ │ 3-4 = INSPECT (check source, permissions)│ │ 0-2 = REMOVE │ └──────────────────────────────────────────┘ </code></pre> </div> <h3> 3. Kill auto-updates </h3> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">//</span><span class="w"> </span><span class="err">settings.json</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"extensions.autoUpdate"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"extensions.autoCheckUpdates"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>This is the single most impactful change. A legitimate extension can be compromised through a malicious update pushed to the marketplace. If auto-update is on, that update is on your machine before you hear about it.</p> <h3> 4. Set up a credential file watcher </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># macOS - alerts you if anything touches sensitive files</span> <span class="c"># Save as ~/watch-creds.sh and add to login items</span> <span class="c">#!/bin/bash</span> <span class="nv">WATCH_PATHS</span><span class="o">=</span><span class="s2">"</span><span class="nv">$HOME</span><span class="s2">/.ssh </span><span class="nv">$HOME</span><span class="s2">/.aws </span><span class="nv">$HOME</span><span class="s2">/.env"</span> fswatch <span class="nt">-r</span> <span class="nv">$WATCH_PATHS</span> <span class="se">\</span> <span class="nt">--event</span> Created <span class="se">\</span> <span class="nt">--event</span> Updated <span class="se">\</span> <span class="nt">--event</span> Renamed | <span class="k">while </span><span class="nb">read </span>file<span class="p">;</span> <span class="k">do </span>osascript <span class="nt">-e</span> <span class="se">\</span> <span class="s2">"display notification </span><span class="se">\"</span><span class="nv">$file</span><span class="se">\"</span><span class="s2"> with title </span><span class="se">\"</span><span class="s2">Credential File Touched</span><span class="se">\"</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"</span><span class="si">$(</span><span class="nb">date</span><span class="si">)</span><span class="s2">: </span><span class="nv">$file</span><span class="s2">"</span> <span class="o">&gt;&gt;</span> ~/credential-access.log <span class="k">done</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Linux equivalent using inotifywait</span> inotifywait <span class="nt">-m</span> <span class="nt">-r</span> ~/.ssh ~/.aws <span class="nt">-e</span> modify <span class="nt">-e</span> create | <span class="k">while </span><span class="nb">read dir </span>event file<span class="p">;</span> <span class="k">do </span>notify-send <span class="s2">"Credential Alert"</span> <span class="s2">"</span><span class="nv">$dir$file</span><span class="s2"> was </span><span class="nv">$event</span><span class="s2">"</span> <span class="k">done</span> </code></pre> </div> <p>Not bulletproof. A sophisticated attacker works around file watchers. But most attacks are unsophisticated, and this catches those.</p> <h2> What I kept (and why) </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Extension</th> <th>Publisher</th> <th>Open Source</th> <th>Trust Signal</th> </tr> </thead> <tbody> <tr> <td>ESLint</td> <td>Microsoft</td> <td>Yes</td> <td>Microsoft-published, millions of installs</td> </tr> <tr> <td>Prettier</td> <td>Prettier</td> <td>Yes</td> <td>Core team maintains it</td> </tr> <tr> <td>GitLens</td> <td>GitKraken</td> <td>Yes</td> <td>Verified company, public security policy</td> </tr> <tr> <td>Error Lens</td> <td>usernamehw</td> <td>Yes</td> <td>I've read the source, it's small</td> </tr> <tr> <td>Tailwind IntelliSense</td> <td>Tailwind Labs</td> <td>Yes</td> <td>First-party from the Tailwind team</td> </tr> <tr> <td>Thunder Client</td> <td>Ranga Vadhineni</td> <td>Partial</td> <td>Verified publisher, 5+ year track record</td> </tr> </tbody> </table></div> <p>The pattern:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>TRUST = verified_publisher + open_source + active_maintenance + real_identity </code></pre> </div> <p>If any of those four is missing, you need a good reason to keep it.</p> <h2> VS Code vs browser extensions: the gap </h2> <p>Here's what bothers me. Chrome figured this out years ago.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Browser Extensions (Chrome) VS Code Extensions ┌───────────────────────┐ ┌───────────────────────┐ │ Declares permissions │ │ Full system access │ │ upfront ("tabs", │ │ by default. No │ │ "storage", etc.) │ │ permission manifest. │ │ │ │ │ │ Runs in sandboxed │ │ Runs in Node.js with │ │ process │ │ your user permissions │ │ │ │ │ │ Limited API surface │ │ Can spawn processes, │ │ │ │ read any file, open │ │ │ │ network connections │ │ │ │ │ │ Reviewed + signed │ │ Basic automated scan │ └───────────────────────┘ └───────────────────────┘ </code></pre> </div> <p>VS Code's extension model was built in 2015 when the threat model was different. We need:</p> <ol> <li><p><strong>Permission scoping.</strong> Extensions should declare exactly what files and APIs they access. A JSON formatter should not touch your terminal.</p></li> <li><p><strong>Sandboxing.</strong> Extensions should run in isolated processes. Browser extensions already work this way. It's solvable.</p></li> <li><p><strong>Code signing.</strong> Require publishers to sign their code. Make it auditable.</p></li> </ol> <p>Until those things happen, the responsibility is on us.</p> <h2> Quick reference card </h2> <p>Save this somewhere:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌──────────────────────────────────────────────────┐ │ VS CODE EXTENSION SECURITY CHEAT SHEET │ ├──────────────────────────────────────────────────┤ │ │ │ BEFORE INSTALLING │ │ ☐ Check publisher verification (blue checkmark) │ │ ☐ Check GitHub repo link exists │ │ ☐ Check last update date (&lt; 6 months) │ │ ☐ Read recent reviews for red flags │ │ │ │ AFTER INSTALLING │ │ ☐ Disable auto-update (settings.json) │ │ ☐ Review changelogs before manual updates │ │ ☐ Set up credential file monitoring │ │ │ │ QUARTERLY │ │ ☐ Run: code --list-extensions | wc -l │ │ ☐ Remove unused extensions │ │ ☐ Re-check publisher status on remaining ones │ │ │ │ RED FLAGS │ │ ✗ No source code link │ │ ✗ Publisher name doesn't match extension name │ │ ✗ Thousands of installs but &lt; 10 ratings │ │ ✗ Recently transferred to new publisher │ │ ✗ Requests network access for offline-only task │ │ │ └──────────────────────────────────────────────────┘ </code></pre> </div> <p><em><a href="https://thegdsks.com" rel="noopener noreferrer">Gagan Deep Singh</a> builds open source tools at <a href="https://glincker.com" rel="noopener noreferrer">Glincker</a>. Currently working on <a href="https://profclaw.ai" rel="noopener noreferrer">profClaw</a> (AI agent engine) and <a href="https://askverdict.ai" rel="noopener noreferrer">AskVerdict</a> (multi-model AI verdicts).</em></p> <p><em>If this was useful, follow me on <a href="https://dev.to/thegdsks">Dev.to</a> or <a href="https://x.com/thegdsks" rel="noopener noreferrer">X</a> where I post weekly.</em></p> security vscode webdev productivity