How I built Rails 8.1 auth + HIPAA, Fintech & LTI 1.3 compliance into one source kit

#rails #ruby #saas #webdev

Every Rails project I worked on started the same way — two weeks rebuilding authentication, then another 4-6 weeks on compliance infrastructure (HIPAA audit logs, Fintech ledgers, LTI 1.3 for edtech clients).

So I packaged it all into a single source kit: RailsAuthSaaS.

What's included

Core Auth (every pack)

Email/password, magic links, email verification
2FA: TOTP + backup codes + QR code setup
OAuth: Google + GitHub (OmniAuth 2, CSRF-safe)
SAML 2.0 enterprise SSO with admin UI
Multi-tenancy, RBAC, remember me, rate limiting
Stripe billing, 14-day trial, seat management

HIPAA Module

Full audit log with date-range filtering
PHI access logging with mandatory justification field
CSV + JSON export for auditor evidence
Session timeout Rack middleware
BAA, DPA, security disclosure pages + /.well-known/security.txt

Fintech Module

Immutable double-entry ledger (DB check constraint: balance >= 0)
Transaction approval / rejection / reversal / chargeback workflow
KYC/AML hooks, PCI/SOC2 helpers

LTI 1.3 Module

Full OIDC login flow with nonce replay protection
Deep linking (signed JWT), Grade Services (AGS), Names & Roles (NRPS)
Tested with Canvas, Moodle, Blackboard

Tech stack

Rails 8.1, Ruby 3.3, PostgreSQL
Pundit, Stripe, ruby-saml, ROTP, OmniAuth 2
91 tests, 332 assertions, 0 failures ✅

Why source code instead of a gem?

Gems lock you into an API. With source code you own every line — customize anything, no vendor lock-in, no per-user SaaS fees.

ROI

One US Rails developer hour = $75–$150. This kit saves 80–200 hours of implementation work. At CHF 699 for the full Compliance Suite, payback is day 1.