Complete Guide to Building Secure Authentication (Part 2)

Authentication & Login Security Checklist

Use this checklist when building any app with user login to ensure you don't miss critical security features.

In Part 1, you learned WHY authentication security matters and HOW each feature works. In my Replit Authentication Prompt post, you got the complete copy-paste prompt to build it.

Now comes Part 2: The Checklists.

Think of this as your quality assurance toolkit. Before you deploy, before you launch, before you tell anyone your app is ready, run through these checklists. They're compiled from 15+ years of building secure systems and represent the security features that separate hobby projects from production-ready applications.

This is Part 2 of a multi-part checklist series. I'm breaking this into digestible pieces so you can focus on one area at a time without getting overwhelmed.

In This Post (Part 2 - Core Security):

  • Basic Requirements (registration, login, passwords)

  • Error Messages (critical for security AND UX)

  • Security Features (validation, rate limiting, data protection)

  • Customer Experience

  • Admin Security

  • Background Jobs

  • Logging & Monitoring

  • Common Mistakes to Avoid

Coming in Future Parts:

  • Part 3: Testing & Deployment Checklist

  • Part 4: Advanced Security & Compliance

  • Part 5: Performance & Scaling Checklist

How to Use This Checklist:

  • Print it or keep it open in another tab

  • Check off items as you build/verify

  • Don't skip items; they're all here for a reason

  • Come back to this for every new project

Already built your authentication system? Use this to audit what you have and identify gaps.

Haven't built it yet? Start with my Replit prompt, then use this to verify everything works.

Let's make sure your app is secure before it goes live.

BASIC REQUIREMENTS (Must Have - No Exceptions!)

Registration & Signup

  • Email and password are required fields
  • First name and last name are collected
  • Password must be at least 12 characters long
  • Password must include uppercase, lowercase, numbers, and special characters
  • Show a real-time password strength indicator (weak/medium/strong)
  • Show password requirements BEFORE user starts typing
  • Send verification email that expires in 24 hours
  • Users cannot login until they verify their email
  • Delete unverified accounts after 48 hours automatically

Login System

  • Login uses email and password only (no username)
  • Password field is hidden by default with show/hide toggle button
  • Lock account after 20 failed login attempts
  • Send email notification when account is locked
  • Account stays locked for 24 hours OR until admin unlocks it
  • Show clear message: "Your account has been locked for security. Try again in 24 hours."

Password Reset

  • "Forgot Password" link on login page
  • Reset email expires in 24 hours
  • After 8 reset attempts, delay email by 5 minutes
  • New password must meet the same complexity requirements
  • Send confirmation email after successful password change

Password Security

  • NEVER store passwords in plain text
  • Use bcrypt or Argon2 to hash passwords
  • Prevent users from reusing their last 5 passwords
  • All password fields hide text by default (show dots/asterisks)
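
The registration and password-security rules above, as an added example that is not code from this post or its Replit prompt: a rule-by-rule checker that returns the same kind of user-facing message the checklist recommends, salted hashing, and a last-5-passwords history check. It uses hashlib.scrypt from the standard library so it runs with no extra packages; in a real app swap in bcrypt or Argon2 as the checklist says.

```python
import hashlib
import hmac
import re
import secrets

# Checklist rules: 12+ characters, uppercase, lowercase, number, special character.
# Each rule carries the plain-language message the user should see when it fails.
RULES = [
    (lambda p: len(p) >= 12, "Your password must be at least 12 characters long."),
    (lambda p: re.search(r"[A-Z]", p), "Your password must include at least one uppercase letter."),
    (lambda p: re.search(r"[a-z]", p), "Your password must include at least one lowercase letter."),
    (lambda p: re.search(r"[0-9]", p), "Your password must include at least one number."),
    (lambda p: re.search(r"[^A-Za-z0-9]", p), "Your password must include at least one special character."),
]

HISTORY_DEPTH = 5   # checklist: block reuse of the last 5 passwords


def password_problems(password):
    """Return the user-facing message for every rule the password fails (empty list = OK)."""
    return [msg for ok, msg in RULES if not ok(password)]


def hash_password(password, salt=b""):
    """Salted scrypt hash (stdlib stand-in for bcrypt/Argon2), stored as 'scrypt$<salt>$<hash>'."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return "scrypt$%s$%s" % (salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time; never compare plaintext."""
    _, salt_hex, _ = stored.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def set_new_password(new_password, history):
    """Validate complexity, reject any of the last 5 stored hashes, then append the new hash.

    history is the user's list of stored hashes, oldest first. Returns (ok, message)."""
    problems = password_problems(new_password)
    if problems:
        return False, problems[0]
    if any(verify_password(new_password, old) for old in history[-HISTORY_DEPTH:]):
        return False, "You cannot reuse one of your last 5 passwords."
    history.append(hash_password(new_password))
    return True, ""
```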

Session Management

  • Auto-logout after 30 minutes of inactivity (customers)
  • Auto-logout after 15 minutes of inactivity (admins)
  • Use secure cookies (httpOnly and secure flags)
  • Destroy session completely on logout

ERROR MESSAGES (Critical for Security!)

What Users Should See:

  • ✅ "The email or password is incorrect. Please try again."
  • ✅ "This email is already registered. Please try logging in."
  • ✅ "Your password must include at least one uppercase letter."
  • ✅ "We're experiencing technical difficulties. Please try again shortly."

What Users Should NEVER See:

  • ❌ "Error 4042: Database constraint violation"
  • ❌ "Authentication failed (ERR_AUTH_001)"
  • ❌ "Password hash comparison failed"
  • ❌ "500 Internal Server Error"
  • ❌ Any error codes, system codes, or technical jargon

RULE: If an error message mentions code, database, system, or technical terms - FIX IT IMMEDIATELY!

SECURITY FEATURES (Must Have)

Input Validation

  • Validate and sanitize ALL user inputs
  • Prevent SQL injection attacks
  • Prevent XSS (Cross-Site Scripting) attacks
  • Reject emails that don't match proper email format
  • Reject passwords that don't meet complexity requirements

Rate Limiting

  • Limit login attempts (lock after 20 failures)
  • Limit password reset requests (delay after 8 attempts)
  • Limit API calls per user to prevent abuse
  • Add delays between failed attempts (exponential backoff)
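
The Login System and Rate Limiting rules together, as an added example rather than code from this post: a per-account failure counter that locks after 20 failures for 24 hours, computes the exponential backoff the login handler should apply, notifies on lock, and returns the same generic message for unknown and known emails. The `users` map, `verify` callback and `DUMMY_HASH` are assumptions; in a real app `verify` is your bcrypt/Argon2 check.

```python
import time

MAX_FAILURES = 20
LOCK_SECONDS = 24 * 60 * 60
GENERIC_ERROR = "The email or password is incorrect. Please try again."
LOCKED_MSG = "Your account has been locked for security. Try again in 24 hours."
DUMMY_HASH = "not-a-real-hash"   # constructed: checked for unknown emails so timing stays uniform


class LoginGuard:
    """Per-account failure counter with a 20-failure / 24-hour lockout. Unknown and
    known emails get the identical generic message, so the login form does not
    reveal which addresses are registered."""

    def __init__(self, users, verify, now=time.time):
        self.users = users          # email -> stored password hash (constructed sample data)
        self.verify = verify        # callable(password, stored_hash) -> bool, e.g. bcrypt.checkpw
        self.now = now
        self.failures = {}          # email -> consecutive failures since the last success
        self.locked_until = {}      # email -> unix time at which the lock expires
        self.notifications = []     # (email, kind) the app would send by email

    def backoff_seconds(self, email):
        """Delay the handler should apply before the next attempt: 0, 1, 2, 4, ... capped at 60."""
        n = self.failures.get(email, 0)
        return 0 if n == 0 else min(2 ** (n - 1), 60)

    def attempt(self, email, password):
        now = self.now()
        if self.locked_until.get(email, 0) > now:
            return False, LOCKED_MSG
        stored = self.users.get(email)
        known = stored is not None
        # Always run the hash check so a missing account is not faster to reject.
        ok = self.verify(password, stored if known else DUMMY_HASH) and known
        if ok:
            self.failures.pop(email, None)
            return True, ""
        if known:
            self.failures[email] = self.failures.get(email, 0) + 1
            if self.failures[email] >= MAX_FAILURES:
                self.failures.pop(email, None)
                self.locked_until[email] = now + LOCK_SECONDS
                self.notifications.append((email, "account_locked"))
                return False, LOCKED_MSG
        return False, GENERIC_ERROR

    def admin_unlock(self, email, justification):
        """Admin unlock with the justification note the dashboard requires; notifies the customer."""
        self.locked_until.pop(email, None)
        self.notifications.append((email, "account_unlocked: " + justification))
```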

Email Verification

  • Email verification links expire in 24 hours
  • Each verification link can only be used once
  • Send new verification email if requested
  • Clear message when link expires
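
One token store that serves both the Password Reset and Email Verification rules (24-hour expiry, single use, a clear message when a link has expired) and exposes the cleanup hook the Background Jobs section asks for. This is an added example, not code from the post or its Replit prompt; the `purpose` labels and the in-memory dict are assumptions standing in for your database table.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 24 * 60 * 60   # checklist: verification and reset links expire in 24 hours


class OneTimeTokenStore:
    """Issues single-use tokens and stores only their SHA-256 hash, so a leaked table
    does not hand out usable links. One store covers email verification and password reset."""

    def __init__(self, now=time.time):
        self.now = now
        self.records = {}   # token_hash -> {"email", "purpose", "expires", "used"}

    @staticmethod
    def _fingerprint(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email, purpose):
        """Return the raw token to put in the emailed link; only its hash is kept here."""
        token = secrets.token_urlsafe(32)
        self.records[self._fingerprint(token)] = {
            "email": email, "purpose": purpose,
            "expires": self.now() + TOKEN_TTL, "used": False}
        return token

    def redeem(self, token, purpose):
        """Consume a token. Returns (email, "") on success or (None, user-facing message)."""
        rec = self.records.get(self._fingerprint(token))
        if rec is None or rec["purpose"] != purpose or rec["used"]:
            return None, "This link is invalid or has already been used. Please request a new one."
        if self.now() > rec["expires"]:
            return None, "This link has expired. Please request a new one."
        rec["used"] = True   # each link works exactly once
        return rec["email"], ""

    def purge_expired(self):
        """Background-job hook: drop used or expired records and report how many were removed."""
        now = self.now()
        stale = [h for h, r in self.records.items() if r["used"] or now > r["expires"]]
        for h in stale:
            del self.records[h]
        return len(stale)
```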

Data Protection

  • Use HTTPS/TLS 1.2+ for ALL connections
  • Never send passwords in URLs or query parameters
  • Don't reveal if an email exists in the system (same error message)
  • Store sensitive data encrypted in the database

CUSTOMER EXPERIENCE (Keep It Simple!)

Customer Profile Page

  • View and edit first name and last name
  • View email (but can't edit without verification)
  • Change password with current password required
  • View recent login activity (date/time only)
  • Logout button
  • Delete account option (with confirmation)

What Customers Should NOT See:

  • ❌ Admin features or settings
  • ❌ Other users' information
  • ❌ System logs or technical details
  • ❌ Database errors or codes

ADMIN SECURITY (Extra Protection!)

Admin Account Setup

  • Admins MUST use Multi-Factor Authentication (MFA)
  • Admin MFA via 6-digit email code
  • Admin accounts cannot be created through public signup
  • First Super Admin created during initial setup
  • Admin sessions timeout after 15 minutes (shorter than customers)

Admin Access Controls

  • Require password re-entry for sensitive actions:
      • Unlocking customer accounts
      • Deactivating accounts
      • Viewing detailed logs
  • Send email alert to all Super Admins when any admin logs in
  • Log every admin action with timestamp and IP address

Admin Dashboard Features

  • View all customers (name, email, status, last login)
  • Search and filter customers
  • Unlock locked accounts (with justification note)
  • Force logout customer sessions
  • Deactivate/reactivate accounts
  • View customer login history
  • View system overview (total users, active sessions, failed logins)

What Admins Can/Should NOT Do:

  • ❌ Reset customer passwords directly
  • ❌ See customer passwords (not even admins!)
  • ❌ Login as a customer
  • ❌ Bypass MFA

EMAIL TEMPLATES NEEDED

Make sure your app sends these emails:

Customer Emails:

  • Email verification (with link that expires in 24 hours)
  • Welcome email after verification
  • Password reset link (expires in 24 hours)
  • Account locked notification
  • Account unlocked by admin notification
  • Password changed confirmation
  • Account deleted confirmation

Admin Emails:

  • Admin MFA code (6 digits, expires in 10 minutes)
  • Admin login alert (to all Super Admins)
  • Failed admin login attempts (after 5 failures)
  • Background job failures
  • Suspicious activity alerts

BACKGROUND JOBS (Automated Maintenance)

Set up these automatic tasks:

  • Delete unverified accounts after 48 hours
  • Clean up expired password reset tokens
  • Clean up expired email verification tokens
  • Clean up expired MFA codes
  • Archive old logs (based on retention policy)
  • Optional: Auto-unlock accounts after 24 hours
  • Monitor email delivery failures

Background Job Monitoring:

By default, all background jobs added by the Replit agent work behind the scenes unattended, but in a production environment you need to know their status, ideally from your app's dashboard.

  • Display job status in admin dashboard
  • Show last run time and status (success/failure)
  • Alert admins when jobs fail
  • Allow manual trigger (admins only)

LOGGING & MONITORING (Know What's Happening)

What to Log (Admin View Only):

  • All login attempts (successful and failed)
  • Account lockouts and unlocks
  • Password reset requests
  • Password changes
  • Admin actions (who did what, when)
  • Failed MFA attempts
  • Email delivery failures
  • Background job results

What NOT to Log:

  • ❌ Actual passwords (never ever!)
  • ❌ Full credit card numbers
  • ❌ Social security numbers
  • ❌ Other sensitive personal data
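
A log scrubber for the "What NOT to Log" rules, added here as an example rather than code from the post: it blanks password and code fields by name, masks card numbers (Luhn-checked to avoid mangling other long digit runs) and US-style social security numbers inside free text, and leaves everything else intact. The field names in `SECRET_FIELDS` and the sample event are constructed.

```python
import json
import re

# Field names that must never reach a log line, whatever their value.
SECRET_FIELDS = {"password", "new_password", "current_password", "mfa_code", "card_number", "ssn"}
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")   # 13-16 digits with optional space/dash
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def _luhn_ok(digits):
    """Standard Luhn checksum; used so only plausible card numbers get masked."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_card(text):
    """Keep only the last four digits of a matched card number."""
    digits = re.sub(r"\D", "", text)
    if not _luhn_ok(digits):
        return text
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_event(event):
    """Return a copy of a log event dict with secret fields replaced and PANs/SSNs masked in strings."""
    clean = {}
    for key, value in event.items():
        if key.lower() in SECRET_FIELDS:
            clean[key] = "[REDACTED]"
        elif isinstance(value, dict):
            clean[key] = redact_event(value)
        elif isinstance(value, str):
            value = CARD_RE.sub(lambda m: mask_card(m.group()), value)
            clean[key] = SSN_RE.sub("[SSN]", value)
        else:
            clean[key] = value
    return clean


def log_line(event):
    """Serialise a scrubbed event as one JSON log line."""
    return json.dumps(redact_event(event), sort_keys=True)
```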

COMMON MISTAKES TO AVOID

Security Mistakes:

  • ❌ Storing passwords in plain text → ✅ Always hash with bcrypt/Argon2
  • ❌ Using weak password requirements → ✅ Enforce 12+ chars with complexity
  • ❌ Not limiting login attempts → ✅ Lock after 20 failures
  • ❌ Sending passwords in emails → ✅ Only send reset links, never passwords
  • ❌ Not using HTTPS → ✅ Always use HTTPS/TLS
  • ❌ Exposing technical errors to users → ✅ Show friendly messages
  • ❌ Not validating user input → ✅ Validate and sanitize everything
  • ❌ Allowing admins to reset customer passwords → ✅ Only unlock, customers reset themselves

User Experience Mistakes:

  • ❌ Showing error codes to users → ✅ Use plain language
  • ❌ Not explaining why password was rejected → ✅ Show specific requirements
  • ❌ Making forms too complicated → ✅ Keep it simple (name, email, password)
  • ❌ Not confirming actions → ✅ Send confirmation emails
  • ❌ Confusing navigation → ✅ Clear buttons and labels

Admin Mistakes:

  • ❌ Not protecting admin accounts → ✅ Require MFA for all admins
  • ❌ Not logging admin actions → ✅ Log everything admins do
  • ❌ Allowing admins to see passwords → ✅ Nobody sees passwords, ever
  • ❌ Not requiring password re-entry → ✅ Sensitive actions need password

Wrapping Up

I hope you find this first checklist compilation helpful in building secure, production-ready applications. Whether you're launching your first SaaS platform, building an e-commerce site, or creating any customer-facing web app, this checklist gives you the security foundation you need without requiring deep security expertise.

Found a Gap?

Don't panic. Go back to the Replit prompt, add the missing feature, test it, and check it off. That's the beauty of checklists: they show you exactly where you are and what's left to do.

Remember: security doesn't have to be complicated; it just has to be done right from the start.

Now go build something secure.
