Skip to main content

Overview

InsForge implements a modern, secure authentication system using JWT tokens with RSA signing, OAuth provider integration, and database-backed session management.

Technology Stack

Core Components

ComponentTechnologyPurpose
Token FormatJWT with HS256Stateless authentication tokens
Signing AlgorithmHMAC-SHA256Symmetric key signing with shared secret
AuthenticationStateless JWTNo server-side session storage
Password Hashingbcryptjs (10 rounds)Secure password storage
OAuth ProvidersGoogle, GitHub, Microsoft, Discord, and moreSocial authentication
Token ExpiryFixed7 days for user tokens, never for anon tokens

Authentication Flow

Password-Based Authentication

InsForge supports both code and link methods for email verification and password reset.
  • code method: user receives a 6-digit code and submits it through the app.
  • link method: user clicks an email link that always opens an InsForge backend endpoint first.
  • redirectTo must be included in allowedRedirectUrls before link-based flows can use it.
  • If allowedRedirectUrls is empty, InsForge allows all redirects for smoother development UX. Do not rely on that behavior in production.
For link-based email verification:
  • The email link opens GET /api/auth/email/verify-link?token=...
  • InsForge verifies the token on the backend
  • InsForge redirects the browser to the stored redirectTo
  • Query params:
    • insforge_status: success or error
    • insforge_type: always verify_email
    • insforge_error: present only on error
  • Recommended: use your sign-in page as redirectTo, then show a success message and ask the user to sign in with their email and password
For link-based password reset:
  • The email link opens GET /api/auth/email/reset-password-link?token=...
  • InsForge validates the token on the backend
  • InsForge redirects the browser to the stored redirectTo
  • Query params:
    • token: present only when reset is ready
    • insforge_status: ready or error
    • insforge_type: always reset_password
    • insforge_error: present only on error
  • Your app should render the reset form only when insforge_status=ready and token is present

Session Recovery

InsForge uses short-lived access tokens plus refresh tokens.
  • Web clients store the refresh token in an httpOnly cookie
  • For browser apps, call auth.getCurrentUser() during startup. The SDK will use the httpOnly refresh cookie automatically when it can refresh the session
  • Server, mobile, and other non-browser clients do not get that automatic cookie-based refresh and should call the refresh endpoint explicitly

OAuth Flow

JWT Token Structure

Token Payload

{
  "sub": "user_id_uuid",
  "email": "user@example.com",
  "role": "authenticated",
  "iat": 1704067200,
  "exp": 1704672000,
  "iss": "insforge",
  "aud": "insforge-api"
}

Token Claims

ClaimDescriptionExample
subSubject (User ID)UUID format
emailUser’s emailuser@example.com
roleUser role/permissionsauthenticated, admin
iatIssued at timestampUnix timestamp
expExpiration timestampUnix timestamp
issToken issuerinsforge
audIntended audienceinsforge-api

Security Features

HS256 Signing

Tokens signed with HMAC-SHA256 using shared secret key

bcrypt Hashing

Passwords hashed with bcryptjs using 10 salt rounds

OAuth State

CSRF protection via state parameter in OAuth flows

Stateless Auth

JWT tokens with built-in expiry, no server-side sessions

Token Rotation

Support for refresh token rotation (coming soon)

Rate Limiting

Protection against brute force attacks

API Endpoints

Authentication Endpoints

MethodEndpointPurpose
POST/api/auth/usersRegister new user
POST/api/auth/sessionsLogin with email/password
GET/api/auth/sessions/currentGet current user (requires auth)
POST/api/auth/email/send-verificationSend verification code or link
POST/api/auth/email/verifyVerify email with 6-digit code
POST/api/auth/email/send-reset-passwordSend password reset code or link
POST/api/auth/email/exchange-reset-password-tokenExchange reset code for reset token
POST/api/auth/email/reset-passwordReset password with token
POST/api/auth/admin/sessionsAdmin login (local development)
POST/api/auth/admin/sessions/exchangeExchange authorization code (cloud platform)

OAuth Endpoints

MethodEndpointPurpose
GET/api/auth/oauth/:providerInitiate OAuth flow for built-in providers
GET/api/auth/oauth/:provider/callbackBuilt-in OAuth callback handler
GET/api/auth/oauth/custom/:keyInitiate OAuth flow for custom providers
GET/api/auth/oauth/custom/:key/callbackCustom OAuth callback handler

Admin Endpoints

MethodEndpointPurpose
GET/api/auth/usersList all users (admin only)
DELETE/api/auth/usersDelete users (admin only)

OAuth Provider Configuration

InsForge supports multiple OAuth providers including Google, GitHub, Microsoft, Discord, LinkedIn, Facebook and more coming soon.

Custom OAuth Providers

Admins can add custom OIDC-compatible OAuth providers from the dashboard at Auth Methods without writing backend code. Required for custom provider setup:
  • name (display label)
  • key (unique lowercase key, e.g. okta-company)
  • discovery endpoint (.well-known/openid-configuration URL)
  • client ID
  • client secret (stored through the existing secret-management flow)
PKCE is always enabled for custom provider flows. Custom providers are stored in auth.custom_oauth_configs and handled by dedicated routes under /api/auth/oauth/custom/*, keeping built-in provider behavior isolated. Users authenticated through custom providers are linked into the same auth.users and auth.user_providers model.

Example: Google OAuth 2.0

  • Authorization URL: https://accounts.google.com/o/oauth2/v2/auth
  • Token URL: https://oauth2.googleapis.com/token
  • Scopes: openid, email, profile
  • Required: Client ID, Client Secret, Redirect URI

Example: GitHub OAuth

  • Authorization URL: https://github.com/login/oauth/authorize
  • Token URL: https://github.com/login/oauth/access_token
  • Scopes: read:user, user:email
  • Required: Client ID, Client Secret, Redirect URI

Token Validation

Validation Steps

  1. Format Check: Verify JWT structure (header.payload.signature)
  2. Signature Verification: Validate with RSA public key
  3. Expiry Check: Ensure token hasn’t expired
  4. Issuer/Audience: Verify iss and aud claims
  5. User Lookup: Check user exists in auth.users table
  6. User Status: Ensure user account is active

Middleware Flow

// Simplified validation flow (stateless)
async function validateToken(token) {
  // 1. Decode and verify JWT
  const decoded = jwt.verify(token, publicKey, {
    algorithms: ['RS256'],
    issuer: 'insforge',
    audience: 'insforge-api'
  });
  
  // 2. Check user exists (optional)
  const user = await db.query(
    'SELECT * FROM auth.users WHERE id = $1',
    [decoded.sub]
  );
  
  // 3. Return user context from JWT
  return {
    userId: decoded.sub,
    email: decoded.email,
    role: decoded.role
  };
}

Security Best Practices

HTTPS Only

Always use HTTPS in production to protect tokens in transit

Secure Storage

Store tokens in httpOnly cookies or secure storage

Short Expiry

Use short-lived access tokens with refresh tokens

Revocation

Implement token revocation for compromised accounts

Password Policy

Enforce strong password requirements

2FA Support

Two-factor authentication (coming soon)

Environment Variables

VariableDescriptionExample
JWT_SECRETRSA private key or secretBase64 encoded key
GOOGLE_CLIENT_IDGoogle OAuth client IDxxx.apps.googleusercontent.com
GOOGLE_CLIENT_SECRETGoogle OAuth secretSecret string
GITHUB_CLIENT_IDGitHub OAuth client IDGitHub app ID
GITHUB_CLIENT_SECRETGitHub OAuth secretSecret string
TOKEN_EXPIRYToken lifetime7d, 24h, 3600

SDK References

Choose the authentication SDK guide for your platform:

TypeScript

Web and Node.js applications with full OAuth and session management

Swift

iOS, macOS, tvOS, and watchOS with Sign in with Apple support

Kotlin

Android applications with Google Sign-In integration

Flutter

Cross-platform mobile apps for iOS and Android

UI Components (TypeScript)

For web applications, we also provide pre-built authentication UI components:

React

React + Vite apps

Next.js

Next.js with SSR

Custom UI

Build your own