AuthSystem is a production-style authentication backend created to show how real session management, token security, and abuse prevention work behind the scenes. It doesn’t wrap an auth-as-a-service SDK.
What I Built
I designed and built the entire authentication layer from scratch. I used Node.js and Express with PostgreSQL, employing raw SQL via pg without any ORM. For ephemeral token and session storage, I used Redis. BullMQ handles queued transactional email. I implemented every part of the account lifecycle: registration through email verification, login, refresh, logout, password change/reset, and profile management.
Key Features
- JWT access and refresh token rotation with theft detection. Refresh tokens are grouped into "families." If someone replays a token that has already rotated, it invalidates the whole family and requires re-login.
- Hashed, single-use, TTL-expiring tokens for email verification and password reset. These are stored in Redis and verified using atomic
GETDELto prevent replay or race conditions. - Account lockout and tiered, per-IP rate limiting provide two independent defenses against brute force attacks. These features are layered rather than duplicated.
- Cache-aside profile reads in Redis come with clear invalidation on every write path, backed by a TTL safety net.
- Forced logout across all devices happens on password change or reset. This uses a reverse index that maps each user to their active session families.
- RBAC-ready. The role is embedded in access tokens for route gating based on roles.
Tech Stack
Node.js, Express, PostgreSQL (raw SQL), Redis, BullMQ, JWT, bcrypt, Brevo (transactional email), express-rate-limit.