# Authentication & Identity Integrations
How users prove they are who they say they are: local passwords, social login, enterprise SSO, 2FA, and the password-hashing primitives underneath. For the authorization layer (RBAC, who can do what once they're in), see Security-Patterns.md.
## Portfolio map
| Layer | Default |
|---|---|
| Local password auth | bcrypt (Node) / Argon2 (Rust) |
| Session token | JWT (signed, short-lived) + refresh token |
| Social login | Google + Microsoft (Passport.js or NextAuth) |
| MFA | TOTP (otpauth / pyotp / OTPAuth libraries) |
| Enterprise SSO | SAML — FamilyChat, GoGreen-DOC-AI |
## OAuth providers
### Google OAuth 2.0
Used in: ~30 apps. The default social login.
Pattern: "Sign in with Google" → ID token → verify it → look up or provision user → issue local JWT. The verify step is the one that matters: check the signature against Google's published JWKS, that aud is our client ID, that iss is Google's issuer, and that exp has not passed. Then key the local account on the stable sub claim, not on the e-mail address, which can change and is not always verified.
### Microsoft OAuth (Microsoft Identity Platform / Entra ID)
Used in: ~25 apps. Paired with Google in nearly every social-login flow.
### Facebook OAuth
Used in: Ecom-Sales, GogreenSellerAI, MyPollingApp.
### Apple OAuth (Sign in with Apple)
Used in: FamilyChat. Required by Apple's App Store rules when other social logins are offered.
### LinkedIn OAuth
Used in: Recruiting_AI (specifically as a candidate-data-import path, not just login).
### GitHub OAuth
Not used as a sign-in path in the portfolio. GitHub API access for OpenSentinel and GoGreen-SmartForms uses fine-grained PATs / a GitHub App, not user OAuth.
## NextAuth.js (now Auth.js)
What it is. Authentication framework for Next.js. Handles OAuth providers, credentials, magic links, JWT/session cookies, the /api/auth/* routes, and the CSRF and state tokens on callbacks.
Used in: EverythingBeer, GoGreenSourcingAI, MyPollingApp, Realestate-all-docker, TimeSheetAI.
Adapter: @auth/prisma-adapter (TimeSheetAI uses this — sessions persisted in Postgres).
Why we use it. It's the answer when the framework is Next.js and you don't want to wire OAuth callbacks by hand.
## Passport.js
What it is. Express-era authentication middleware. Strategy-per-provider — passport-google-oauth20, passport-microsoft, passport-facebook, etc.
Used in: Boomer_AI, ChoreAndMoreTracker (custom Rust port), Ecom-Sales, GogreenSellerAI.
Why over NextAuth: Express apps. Passport's strategy ecosystem is enormous; NextAuth doesn't fit non-Next.js stacks.
## Laravel Sanctum
What it is. Laravel's first-party API token auth. Personal access tokens, SPA cookie-based sessions.
Used in: Voting_NewAndImproved.
## JWT (JSON Web Tokens)
What it is. RFC 7519: a signed (HS256 or RS256) JSON payload that the client carries in Authorization: Bearer .... Stateless: the server validates the signature, no session lookup. The flip side is that a stateless token cannot be revoked before it expires, which is why the access token is short-lived and revocation happens at the refresh step. HS256 means every verifier holds the shared secret and could mint tokens; RS256 lets APIs verify with only the public key. Either way, pin the expected algorithm in the verifier instead of reading it from the token header.
Used in: essentially every API-driven app — AscendOne, Automotive, Boomer_AI, ChoreAndMoreTracker, Ecom-Sales, FamilyChat, GoGreen-AI-Concierge, GoGreen-DOC-AI, GoGreen-Workflow-Hub, GoGreenPaperlessInitiative, GoGreenMarketing, GogreenSellerAI, NaggingWifeAI, PolyMarketAI, Recruiting_AI, Sales_AI_App, SellMeAPen_CLCD-1, Tutor_AI.
Pattern:
- Short-lived access token (15 min) in the Authorization header.
- Long-lived refresh token in an HTTP-only, Secure cookie, path-scoped to the refresh endpoint so it is not sent with every API call.
- Refresh endpoint rotates both on every refresh. A refresh token presented again after it has been rotated means it was copied; treat that as compromise and revoke the whole session, not just that one token.
Libraries:
- jsonwebtoken (Node).
- python-jose + bcrypt (Python — Automotive).
- jsonwebtoken (Rust — ChoreAndMoreTracker).
Common mistake to avoid. Don't put PII (or secrets) in JWTs; they're signed, not encrypted. The payload is only base64url-encoded, so anyone holding the token, including every log and browser storage it passes through, can read it.
## SAML / SSO
What it is. Enterprise federated single sign-on. The IdP (Okta, Azure AD, Google Workspace) issues a signed XML assertion and your app trusts it, but only after the SP library has verified the XML signature against the certificate from the IdP's metadata and checked the Audience, Recipient and NotOnOrAfter conditions. Unsigned assertions, or a signature that covers a different element than the one actually read (signature wrapping), are the classic ways this breaks; keep pysaml2 configured to require signed assertions (want_assertions_signed).
Used in:
- FamilyChat — enterprise tenants log in via SAML.
- GoGreen-DOC-AI — pysaml2 for SAML/SSO.
- GoGreen-SmartForms — pysaml2.
## TOTP / 2FA
What it is. Time-based one-time password (RFC 6238). The code is HMAC-SHA1, keyed with the shared secret, over a counter equal to floor(Unix time / 30), dynamically truncated to 6 digits; Google Authenticator / Authy / 1Password compute the same value offline from the same secret.
Libraries seen:
- otpauth (Node — generic).
- pyotp (Python — GoGreen-DOC-AI).
- OTPAuth (Node — TimeSheetAI).
Used in: GoGreen-DOC-AI, GoGreenPaperlessInitiative, TimeSheetAI, SellMeAPen_CLCD-1.
Pattern: during enrollment, the server generates a secret and renders it as a QR code (an otpauth:// URI); the user scans it with their authenticator app and confirms with one valid code before 2FA is switched on; future logins require the current 6-digit code in addition to the password. Store the secret encrypted at rest, accept one step of clock skew either side, compare in constant time, and never accept the same code twice within its window.
## Persona (KYC / ID verification)
What it is. Identity verification API — driver's-license/passport scan, selfie liveness, cross-checks.
Used in: Recruiting_AI-Docker (src/services/persona.service.ts).
## ID Analyzer
What it is. Competitor to Persona — same shape (scan + liveness + risk score) via a REST API.
Used in: Recruiting_AI-Docker (src/services/idVerification.service.ts).
Why both. A/B / fallback. Both wired through src/routes/idVerification.ts.
## Password hashing
| Algorithm | Where |
|---|---|
| bcrypt | All Node apps (bcrypt, bcryptjs). Use a cost factor of at least 10, and remember that bcrypt only hashes the first 72 bytes of the password. |
| Argon2 | ChoreAndMoreTracker (Rust — argon2 crate). Argon2id is the current recommendation (RFC 9106, OWASP). |
| PBKDF2 | Not used; bcrypt is preferred unless a FIPS requirement forces PBKDF2. |
| scrypt | Not used. |
Why Argon2 in ChoreAndMoreTracker but bcrypt elsewhere. Argon2 is stronger (memory-hard), but on Node the argon2 package is a native addon that needs a prebuilt binary or a build toolchain, while the Rust app gets a pure-Rust crate for free. New Node code could move to argon2 (npm) with a rehash-on-login migration (verify the stored bcrypt hash, then replace it with an Argon2id hash); bcrypt is still fine.
## CSRF protection
What it is. Cross-Site Request Forgery: a malicious site tricks the user's browser into making a state-changing request to your site, riding on the user's existing cookies.
Mitigations seen:
- Double-submit cookie — most NextAuth apps (NextAuth issues its own CSRF token for the /api/auth/* routes).
- Synchronizer token — Laravel apps (Maximus, PRT, Voting).
- SameSite cookies — universal (SameSite=Strict for auth cookies, Lax for general). Caveat: the cookies that carry OAuth state or SAML RelayState across the redirect back from the IdP must be Lax, because Strict cookies are not sent on that top-level cross-site navigation and the callback would fail.
Explicit "CSRF protection" implementation: SellMeAPen_CLCD-1 lists this as a feature.
## Comparison alternatives (not used)
| Service | Notes |
|---|---|
| Auth0 | Managed identity SaaS. Closest to "use it for everything." Self-hosted Postgres + NextAuth/Passport.js wins on cost. |
| Clerk | Great DX for Next.js. NextAuth is good enough; Clerk is paid. |
| Supabase Auth | Tied to Supabase Postgres. Portfolio is self-hosted Postgres. |
| Firebase Auth | Google-controlled identity. Not used. |
| AWS Cognito | Cloud-native. Not used. |
| Lucia | Lightweight Auth.js alternative. Not adopted. |
| WorkOS | Enterprise SSO-as-a-service. SAML directly (pysaml2) wins on cost for the few enterprise tenants. |
## Decision guide
Next.js app, want quick OAuth? NextAuth + Google + Microsoft.
Express app, want strategy ecosystem? Passport.js.
Laravel app? Sanctum + Socialite.
Need MFA? otpauth / pyotp + QR enrollment.
Need enterprise SSO? pysaml2 / passport-saml.
Need KYC / identity verification? Persona or ID Analyzer.
Need to hash passwords? bcrypt (Node), Argon2 (Rust / new code).