Authentication Security Checklist
Use before deploying authentication features.
Configuration Security
- BETTER_AUTH_SECRET stored in Doppler, never committed; at least 32 random bytes (e.g. `openssl rand -base64 32`)
- OAuth client secrets in Doppler (Google, GitHub, etc.)
- BETTER_AUTH_URL matches the production domain, https only
- trustedOrigins lists exact https origins, nothing broader than the apps that actually call the auth server
- Session expiry configured (better-auth default is 7 days)
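A pre-deploy check for the items above, added here as an example (it is not part of better-auth or this project). The env variable names BETTER_AUTH_SECRET and BETTER_AUTH_URL are the real ones; TRUSTED_ORIGINS, SESSION_EXPIRES_IN and SESSION_UPDATE_AGE are assumed names for how this project would feed trustedOrigins and the session settings through Doppler.

```typescript
// Added example: fails the deploy if the configuration checklist is not met.
// TRUSTED_ORIGINS (comma-separated), SESSION_EXPIRES_IN and SESSION_UPDATE_AGE
// (seconds) are assumed variable names; the rest come from the checklist.
export interface AuthEnv {
  BETTER_AUTH_SECRET?: string;
  BETTER_AUTH_URL?: string;
  TRUSTED_ORIGINS?: string;     // assumed: "https://app.example.com,https://admin.example.com"
  SESSION_EXPIRES_IN?: string;  // assumed: seconds, maps to session.expiresIn
  SESSION_UPDATE_AGE?: string;  // assumed: seconds, maps to session.updateAge
}

const MIN_SECRET_CHARS = 32;          // `openssl rand -base64 32` yields 44 characters
const SEVEN_DAYS = 7 * 24 * 60 * 60;  // checklist value for session expiry
const ONE_DAY = 24 * 60 * 60;         // checklist value for session refresh

// Returns a list of problems; an empty list means the config passes.
export function checkAuthEnv(env: AuthEnv, productionHost: string): string[] {
  const problems: string[] = [];

  const secret = env.BETTER_AUTH_SECRET ?? "";
  if (secret.length < MIN_SECRET_CHARS) {
    problems.push(`BETTER_AUTH_SECRET: shorter than ${MIN_SECRET_CHARS} characters`);
  } else if (/^(changeme|secret|password|test|dev)/i.test(secret)) {
    problems.push("BETTER_AUTH_SECRET: looks like a placeholder");
  }

  let base: URL | null = null;
  try {
    base = new URL(env.BETTER_AUTH_URL ?? "");
  } catch {
    problems.push("BETTER_AUTH_URL: not an absolute URL");
  }
  if (base) {
    if (base.protocol !== "https:") problems.push("BETTER_AUTH_URL: must be https");
    if (base.host !== productionHost) {
      problems.push(`BETTER_AUTH_URL: host ${base.host} does not match ${productionHost}`);
    }
  }

  const origins = (env.TRUSTED_ORIGINS ?? "").split(",").map((s) => s.trim()).filter(Boolean);
  if (origins.length === 0) problems.push("trustedOrigins: empty");
  for (const o of origins) {
    if (o.includes("*")) {
      problems.push(`trustedOrigins: ${o} is a wildcard; review whether it is really needed`);
      continue;
    }
    let u: URL;
    try {
      u = new URL(o);
    } catch {
      problems.push(`trustedOrigins: ${o} is not an absolute URL`);
      continue;
    }
    // A trailing slash or path makes the entry something other than an origin
    if (u.origin !== o) problems.push(`trustedOrigins: ${o} should be the bare origin ${u.origin}`);
    if (u.protocol !== "https:") problems.push(`trustedOrigins: ${o} is not https`);
  }

  const expiresIn = Number(env.SESSION_EXPIRES_IN ?? SEVEN_DAYS);
  const updateAge = Number(env.SESSION_UPDATE_AGE ?? ONE_DAY);
  if (!Number.isFinite(expiresIn) || expiresIn <= 0 || expiresIn > SEVEN_DAYS) {
    problems.push("session.expiresIn: must be between 1 second and 7 days");
  }
  if (!Number.isFinite(updateAge) || updateAge <= 0 || updateAge >= expiresIn) {
    problems.push("session.updateAge: must be shorter than session.expiresIn");
  }
  return problems;
}
```

Run it in CI against the Doppler-rendered environment for the production config; a non-empty return value should block the deploy.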
Database Security
- tenant_id included in users table
- tenant_id included in sessions table
- RLS policies created for users table
- RLS policies created for sessions table
- Email addresses unique constraint
- Passwords never stored in plain text (better-auth hashes them; scrypt by default)
Multi-Tenant Isolation
- tenant_id taken only from the verified session or JWT claims, never from the request body, query string or a client-supplied header
- All auth queries filter by tenant_id (and RLS enforces it even if a query forgets)
- Session data includes tenant context so every request can set it
- Test cases verify tenant isolation: a user in one tenant can neither read nor modify rows of another
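The Database Security and Multi-Tenant Isolation items together, as an added example (not better-auth's code and not this project's). It assumes the session object carries `tenantId`, copied from `users.tenant_id` when the session is created, and a database client with a pg-style `query(sql, params)` method; `RecordingDb` is a constructed stand-in so the example runs offline.

```typescript
// Added example: tenant context for Postgres RLS, sourced only from the session.
// TenantSession/DbClient shapes and the app.tenant_id setting name are assumptions.
export interface TenantSession { userId: string; tenantId: string | null; }
export interface DbClient { query(sql: string, params?: unknown[]): Promise<unknown>; }

export class TenantContextError extends Error {}

// The policies the checklist asks for (constructed Postgres DDL). FORCE applies the
// policy to the table owner as well; current_setting(name, true) returns NULL instead
// of raising when no tenant is set, so a query outside withTenant() matches nothing.
export function tenantRlsDdl(tables: string[] = ["users", "sessions"]): string[] {
  const ddl: string[] = [];
  for (const t of tables) {
    ddl.push(`ALTER TABLE ${t} ENABLE ROW LEVEL SECURITY`);
    ddl.push(`ALTER TABLE ${t} FORCE ROW LEVEL SECURITY`);
    ddl.push(
      `CREATE POLICY ${t}_tenant_isolation ON ${t}` +
        ` USING (tenant_id = current_setting('app.tenant_id', true)::uuid)` +
        ` WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid)`,
    );
  }
  return ddl;
}

// Every tenant-scoped query runs inside this wrapper. set_config(name, value, true)
// is the parameterised form of SET LOCAL: the setting dies with the transaction, so a
// pooled connection cannot carry one tenant's context into the next request.
export async function withTenant<T>(
  db: DbClient,
  session: TenantSession | null,
  work: (tx: DbClient) => Promise<T>,
): Promise<T> {
  if (!session || !session.tenantId) {
    throw new TenantContextError("verified session has no tenant_id");
  }
  await db.query("BEGIN");
  try {
    await db.query("SELECT set_config('app.tenant_id', $1, true)", [session.tenantId]);
    const result = await work(db);
    await db.query("COMMIT");
    return result;
  } catch (err) {
    await db.query("ROLLBACK");
    throw err;
  }
}

// Constructed usage: list the caller's own sessions; RLS limits rows to the tenant.
export async function listOwnSessions(db: DbClient, session: TenantSession | null): Promise<unknown> {
  const s = session;
  if (!s) throw new TenantContextError("not signed in");
  return withTenant(db, s, (tx) =>
    tx.query("SELECT id, expires_at FROM sessions WHERE user_id = $1", [s.userId]),
  );
}

// In-memory client that records statements; constructed so the example runs offline.
export class RecordingDb implements DbClient {
  readonly log: string[] = [];
  async query(sql: string, params: unknown[] = []): Promise<unknown> {
    this.log.push(params.length ? `${sql} -- ${JSON.stringify(params)}` : sql);
    return null;
  }
}
```

One design point to settle before enabling the sessions policy: the auth library's own lookup of a session by cookie token runs before the tenant is known, so that lookup needs a database role that bypasses RLS (or a separate policy keyed on the token), while application queries go through `withTenant()`.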
Email Verification
- Email verification required for signup
- Verification tokens expire (15 minutes) and only a hash of the token is stored
- Verification tokens single-use (invalidated on first successful use, and superseded when a new one is issued)
- Email templates styled (Resend/SendGrid)
OAuth Configuration
- OAuth redirect URIs allow-listed at the provider as exact matches (no wildcards)
- OAuth scopes minimal (email and profile only; no scopes the app does not use)
- OAuth secrets in Doppler
- OAuth callback URLs HTTPS only
Session Management
- Redis/Upstash configured for sessions
- Session tokens stored securely (httpOnly, Secure, SameSite cookies; never localStorage)
- Session refresh configured (session.updateAge, 1 day)
- Session expiry configured (session.expiresIn, 7 days)
Protected Routes
- beforeLoad checks authentication against a server-verified session, not a client-side flag
- Redirects to login with return URL; the return URL is validated as a same-origin path so the login page cannot be used as an open redirect
- Session data available in route context
- Logout clears session completely: server-side revocation (database and Redis) plus cookie removal, not the cookie alone
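Return-URL handling for the Protected Routes items, as an added example (not TanStack Router's or better-auth's code). `requireSession` is the decision a route's `beforeLoad` would act on, throwing `redirect({ to })` when it returns "redirect"; `/login` and the `redirect` query parameter are assumed route and parameter names.

```typescript
// Added example: open-redirect-safe return URLs for the login round trip.
// LOGIN_PATH and RETURN_PARAM are assumed names for this project's routes.
const LOGIN_PATH = "/login";
const RETURN_PARAM = "redirect";

// Accepts only an absolute path on this origin. "//evil.com", "/\evil.com",
// "https://evil.com" and "javascript:..." all fall back, which closes the hole a
// naive `window.location = redirect` would open.
export function safeReturnTo(raw: string | null | undefined, fallback = "/"): string {
  if (!raw || !raw.startsWith("/") || raw.startsWith("//") || raw.startsWith("/\\")) return fallback;
  const origin = "https://app.invalid"; // throwaway base, used only to detect origin changes
  let u: URL;
  try {
    u = new URL(raw, origin);
  } catch {
    return fallback;
  }
  if (u.origin !== origin) return fallback;     // parsed to another host
  if (u.pathname === LOGIN_PATH) return fallback; // no loop back into login
  return u.pathname + u.search + u.hash;
}

// Login URL carrying a sanitised return location.
export function loginUrl(returnTo: string): string {
  return `${LOGIN_PATH}?${RETURN_PARAM}=${encodeURIComponent(safeReturnTo(returnTo))}`;
}

export type Guard =
  | { kind: "allow"; session: { userId: string } }
  | { kind: "redirect"; to: string };

// What beforeLoad decides: `session` must come from a server-verified lookup.
export function requireSession(session: { userId: string } | null, currentPath: string): Guard {
  return session ? { kind: "allow", session } : { kind: "redirect", to: loginUrl(currentPath) };
}

// After a successful login: where to send the user, from the raw query string value.
export function afterLogin(search: URLSearchParams): string {
  return safeReturnTo(search.get(RETURN_PARAM));
}
```

Apply `afterLogin` on the server side of the login handler as well as in the client, since the value in the query string is attacker-controlled either way.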
Testing
- Signup flow tested
- Login flow tested
- Logout tested
- Email verification tested
- OAuth flow tested (if enabled)
- Magic link tested (if enabled)
- Passkey tested (if enabled)
- Multi-tenant isolation tested (cross-tenant reads and writes both rejected)