Authentication at Boottify — Lucia v3, OAuth, 2FA, and Session Guards | Boottify

Authentication is the front door. Here's how Boottify keeps it secure without making it painful.

THE STACK

Lucia v3 — Session-based auth with cookie management
Arctic — OAuth 2.0 for Google and GitHub login
TOTP — Time-based one-time passwords for 2FA with backup codes
WebAuthn — Passkey support with cross-platform authenticator attachment

SESSION MANAGEMENT

Sessions use a session cookie validated by validateRequest(). The SessionGuard component enforces idle timeouts — warnings at 2 minutes and 1 minute before expiry. No more "you've been logged out" surprises.

ROLE HIERARCHY

Role	Access
OWNER	Full platform control
ADMIN	System administration
MANAGER	Team/project management
DEVELOPER	Development access
CLIENT	Orders and billing only

RECENT IMPROVEMENTS

Email verification blocking — unverified users can't access protected routes
TOTP and OAuth secrets encrypted at rest
Session enumeration fixed
Wizard persistence for onboarding flow

Auth is one of those things you only notice when it breaks. At Boottify, it doesn't break.

Authentication at Boottify — Lucia v3, OAuth, 2FA, and Session Guards

THE STACK

SESSION MANAGEMENT

ROLE HIERARCHY

RECENT IMPROVEMENTS

In This Article

Actions

Related Articles

Boottify's Testing Philosophy — TDD, Playwright, and Systematic Debugging

TypeScript at Scale — 248K Lines Without a Single 'any'

Kubernetes Infrastructure at Boottify — K3s, Traefik, and Let's Encrypt

Comments

THE STACK

SESSION MANAGEMENT

ROLE HIERARCHY

RECENT IMPROVEMENTS

Enjoyed this article?

In This Article

Actions

Related Articles

Boottify's Testing Philosophy — TDD, Playwright, and Systematic Debugging

TypeScript at Scale — 248K Lines Without a Single 'any'

Kubernetes Infrastructure at Boottify — K3s, Traefik, and Let's Encrypt

Comments