This project is a dual-backend authentication system using a React (Vite + TS) frontend with Node.js (Express) and Go backends. It aims to provide a secure, modular, and scalable authentication mechanism that can switch between backend services and display real-time system status to the user.
| Layer | Tech Stack |
|---|---|
| Frontend | React + TypeScript (Vite) |
| Backend | Node.js (Express), Go (net/http) |
| Auth | JWT (httpOnly cookies), Argon2/Bcrypt |
| Misc | ULID, Helmet, CORS, Rate-Limit |
- Login Attempt
  - User enters credentials into the login form.
  - A POST request is sent to `/api/login` on the first available backend (3000 for Node, 8080 for Go).
  - If credentials match (username + password), a JWT is generated and sent as an httpOnly cookie.
- JWT Cookie Handling
  - JWTs are stored in httpOnly cookies to protect against XSS.
  - Cookies include: `secure` (true in production), `sameSite: 'lax'`, `maxAge: 3600` (1 hour).
- Auto-Login / Protected Routes
  - On mount, the frontend pings `/api/protected` on both backends.
  - If a valid token is present, the user is redirected to `/page1`.
  - If not, the user remains on the login page.
- Status Bar
  - Frontend pings both ports and checks which backend is responding.
  - Shows the active service and backend info (language, framework, port, hash algorithm, JWT method, ULID usage, environment).
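The login and protected-route steps above, written out for the Go backend as an added example (this is not the project's `server.go`; the handler names, the constructed secret, the dummy `admin`/`password` pair and the hand-rolled HS256 encoding are all assumptions made here). The verifier recomputes the HMAC itself rather than trusting the token header's `alg`, compares signatures in constant time and enforces `exp`; the login handler sets exactly the cookie flags listed above. One unit caveat for the Node side: Go's `http.Cookie.MaxAge` is in seconds, whereas Express's `res.cookie` `maxAge` is in milliseconds, so one hour there is `3600 * 1000`, not `3600`.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/http"
	"strings"
	"time"
)

var jwtSecret = []byte("example-secret-do-not-use") // constructed; load from the environment in practice
const tokenTTL = time.Hour                          // 1-hour expiry, as in the README

type claims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// sign computes the HS256 signature over "header.payload".
func sign(signingInput string) string {
	mac := hmac.New(sha256.New, jwtSecret)
	mac.Write([]byte(signingInput))
	return b64(mac.Sum(nil))
}

// IssueToken builds a compact HS256 JWT for username, valid for tokenTTL from now.
func IssueToken(username string, now time.Time) string {
	header, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	payload, _ := json.Marshal(claims{Sub: username, Exp: now.Add(tokenTTL).Unix()})
	signingInput := b64(header) + "." + b64(payload)
	return signingInput + "." + sign(signingInput)
}

// VerifyToken recomputes the HS256 signature (never trusting the header's "alg"), compares in constant time, then enforces "exp".
func VerifyToken(token string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	want := sign(parts[0] + "." + parts[1])
	if subtle.ConstantTimeCompare([]byte(want), []byte(parts[2])) != 1 {
		return "", errors.New("bad signature")
	}
	var c claims
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(raw, &c) != nil || c.Sub == "" {
		return "", errors.New("bad payload")
	}
	if now.Unix() >= c.Exp {
		return "", errors.New("token expired")
	}
	return c.Sub, nil
}

// checkCredentials keeps the README's dummy plaintext check (constructed values) but
// compares in constant time; replace it with Argon2id verification against a stored hash.
func checkCredentials(username, password string) bool {
	u := subtle.ConstantTimeCompare([]byte(username), []byte("admin"))
	p := subtle.ConstantTimeCompare([]byte(password), []byte("password"))
	return u&p == 1
}

// LoginHandler serves POST /api/login and sets the httpOnly JWT cookie.
func LoginHandler(w http.ResponseWriter, r *http.Request) {
	var body struct{ Username, Password string }
	if r.Method != http.MethodPost || json.NewDecoder(r.Body).Decode(&body) != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	if !checkCredentials(body.Username, body.Password) {
		http.Error(w, "invalid credentials", http.StatusUnauthorized)
		return
	}
	http.SetCookie(w, &http.Cookie{
		Name: "token", Value: IssueToken(body.Username, time.Now()), Path: "/",
		HttpOnly: true, Secure: true,      // no document.cookie access; HTTPS only (README: true in production)
		SameSite: http.SameSiteLaxMode,    // not sent on cross-site POSTs
		MaxAge:   int(tokenTTL.Seconds()), // 3600 seconds, matching "exp"
	})
	w.WriteHeader(http.StatusNoContent)
}

// ProtectedHandler serves GET /api/protected: 200 with the subject, or 401.
func ProtectedHandler(w http.ResponseWriter, r *http.Request) {
	c, err := r.Cookie("token")
	var user string
	if err == nil {
		user, err = VerifyToken(c.Value, time.Now())
	}
	if err != nil {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	json.NewEncoder(w).Encode(map[string]string{"user": user})
}
```

To serve it, register both handlers with `http.HandleFunc("/api/login", LoginHandler)` and `http.HandleFunc("/api/protected", ProtectedHandler)` and call `http.ListenAndServe(":8080", nil)`, the README's Go port. Because `Secure` is true, browsers will not send the cookie over plain `http://localhost`; flip it from an environment variable in development, as the README's "true in production" implies.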
| Measure | Implemented In | Description |
|---|---|---|
| Argon2id Hashing | Node (argon2) | Passwords hashed using Argon2id before comparison |
| Plain comparison | Go | Go backend uses dummy plaintext (can be replaced with Argon2id/Bcrypt) |
| JWT with Expiry | Both | Token expires in 1 hour |
| Secure httpOnly Cookie | Both | Prevents client-side JS access to the token |
| Helmet + CORS + Rate Limit | Node | Prevents common attacks (headers + spam + CSRF resilience) |
| CORS + credentials | Both | Allows cookie-based auth from the frontend (port 5173) |
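The table puts CORS and rate limiting on the Node side (Helmet, CORS, Rate-Limit) and credentialed CORS on both. As an added example, not the project's own code, here is what the Go side needs from the standard library to match: an origin allowlist containing the README's frontend origin (`http://localhost:5173`), echoed back with `Access-Control-Allow-Credentials: true` (a `*` origin is not accepted by browsers for credentialed requests), plus a per-IP fixed-window rate limiter. The middleware names, the limiter algorithm and the limits used in the usage note are assumptions made here; the README does not specify them.

```go
package main

import (
	"net"
	"net/http"
	"sync"
	"time"
)

// Origins allowed to send cookie-carrying requests: the Vite dev server from the
// README. Browsers reject "*" together with Allow-Credentials, so the Origin
// header is matched against this allowlist and echoed back only when listed.
var allowedOrigins = map[string]bool{"http://localhost:5173": true}

// CORSWithCredentials mirrors an allowlisted Origin and permits cookies; any
// other origin gets no CORS headers at all, so the browser blocks the response.
func CORSWithCredentials(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if origin := r.Header.Get("Origin"); allowedOrigins[origin] {
			h := w.Header()
			h.Set("Access-Control-Allow-Origin", origin)
			h.Set("Access-Control-Allow-Credentials", "true")
			h.Set("Access-Control-Allow-Methods", "GET, POST, OPTIONS")
			h.Set("Access-Control-Allow-Headers", "Content-Type")
			h.Add("Vary", "Origin") // caches must not reuse one origin's response for another
		}
		if r.Method == http.MethodOptions { // preflight: answered here, never reaches the handler
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// RateLimiter is a fixed-window counter per client key (the client IP below).
type RateLimiter struct {
	mu     sync.Mutex
	limit  int
	window time.Duration
	hits   map[string]bucket
}

type bucket struct {
	count int
	start time.Time
}

func NewRateLimiter(limit int, window time.Duration) *RateLimiter {
	return &RateLimiter{limit: limit, window: window, hits: map[string]bucket{}}
}

// Allow reports whether key may make another request at time now.
func (rl *RateLimiter) Allow(key string, now time.Time) bool {
	rl.mu.Lock()
	defer rl.mu.Unlock()
	b := rl.hits[key]
	if now.Sub(b.start) >= rl.window { // window elapsed (or first request): start a new one
		b = bucket{start: now}
	}
	b.count++
	rl.hits[key] = b
	return b.count <= rl.limit
}

// Middleware applies the limiter per client IP. Behind a reverse proxy the key
// must come from the proxy's forwarding header instead, and only from a proxy
// you control, otherwise clients can pick their own key.
func (rl *RateLimiter) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ip, _, err := net.SplitHostPort(r.RemoteAddr)
		if err != nil {
			ip = r.RemoteAddr
		}
		if !rl.Allow(ip, time.Now()) {
			http.Error(w, "too many requests", http.StatusTooManyRequests)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```

Wrap the login route as `NewRateLimiter(10, time.Minute).Middleware(CORSWithCredentials(loginHandler))`; the rate limit sits outermost so that preflight and rejected-origin requests are counted too. The numbers are illustrative, and the in-memory map grows with distinct clients, so a long-running service should evict stale buckets or use a shared store.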
```
project-root/
├── frontend/
│   ├── src/
│   │   ├── components/
│   │   │   └── StatusBar.tsx
│   │   ├── pages/
│   │   │   └── Login.tsx
│   │   └── main.tsx, App.tsx, etc.
│   └── public/
├── backend-node/
│   └── server.ts
├── backend-go/
│   └── server.go
└── authflow.md
```
- Redundancy: Two backend services offer failover or hybrid deployment.
- Transparency: Real-time info shown to users via StatusBar.
- Scalability: Directory structure and modular code allow service expansion.
- Security-first: Uses industry best practices for password hashing, cookie flags, rate limiting, and content security.
- Token refresh and expiration handling
- Dynamic backend selection based on health
- Database integration for real user registration/login
- OAuth (Google/GitHub/Apple)
- User roles and permissions
- Password reset and email verification
- Admin panel for service observability