Authentication & Security

Supabase Auth issues and refreshes sessions. On top of it the template wires TOTP two-factor authentication, login history, SSO settings for Enterprise workspaces (SAML or OAuth), and middleware route guards, so those features exist as working code rather than as a checklist.

Sign-in and sign-up

Users can create accounts and sign in using:

  • Email and password -- standard credential-based authentication
  • Google OAuth -- one-click sign-in with Google
  • GitHub OAuth -- one-click sign-in with GitHub

All auth flows are handled in src/app/(auth)/ with server actions in src/app/(auth)/actions/auth.ts.

How auth works

  1. User submits credentials on /sign-in or /sign-up
  2. Supabase Auth verifies credentials and creates a session
  3. The middleware at middleware.ts checks for a valid session on every protected route
  4. Authenticated users are redirected to /select-workspace

Password reset

  1. User clicks "Forgot password?" on the sign-in page
  2. They enter their email on /forgot-password
  3. Supabase sends a reset email containing a time-limited recovery link
  4. Following the link signs the user in with a recovery session and takes them to /reset-password, where they set a new password

OAuth setup

To enable Google or GitHub sign-in, configure the providers in your Supabase project:

  1. Go to Supabase Dashboard > Authentication > Providers
  2. Enable Google and add your Client ID + Secret from the Google Cloud Console
  3. Enable GitHub and add your Client ID + Secret from GitHub OAuth Apps
  4. In each provider's console, set the authorized redirect URI to your Supabase project's callback, https://<project-ref>.supabase.co/auth/v1/callback (the dashboard shows the exact value next to the provider); the provider sends the browser there first, not to your app
  5. Under Authentication > URL Configuration, add https://yourapp.com/auth/callback to the Redirect URLs allow list so Supabase sends users on to the app's callback route after sign-in; a redirect target that is not on this list falls back to the Site URL

See Supabase Setup for the full guide.

Two-factor authentication (2FA)

SaaSForge Core supports TOTP-based two-factor authentication using authenticator apps like Google Authenticator, Authy, or 1Password.

How it works

  1. Users enable 2FA from Settings > Security
  2. A QR code is generated that they scan with their authenticator app
  3. They enter the verification code to confirm setup
  4. On future sign-ins, after entering their password, they're redirected to /two-factor to enter a code from their authenticator app

Where to customize

  • 2FA setup UI: src/app/(app)/w/[workspaceSlug]/settings/two-factor-section.tsx
  • 2FA challenge page: src/app/(auth)/two-factor/page.tsx
  • Workspace enforcement: Workspaces can require 2FA for all members via the require_2fa column on the workspaces table

Database

The 2FA workspace enforcement flag is added in supabase/004_onboarding.sql:

ALTER TABLE public.workspaces ADD COLUMN IF NOT EXISTS require_2fa BOOLEAN DEFAULT FALSE;
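One way to act on that flag on each request into a workspace, as an added example that is not SaaSForge Core's own code. It assumes the template's TOTP is Supabase Auth MFA, whose supabase.auth.mfa.getAuthenticatorAssuranceLevel() reports a session's currentLevel and nextLevel as "aal1" or "aal2" (nextLevel is "aal2" only when a TOTP factor is enrolled); the /two-factor route and the settings page location come from this page, the "#security" anchor is assumed.

```typescript
// Added example, not SaaSForge Core's own code. Assumptions: the template's
// TOTP is Supabase Auth MFA, whose supabase.auth.mfa.getAuthenticatorAssuranceLevel()
// reports the session's currentLevel and nextLevel as "aal1" | "aal2" (nextLevel
// is "aal2" only when a TOTP factor is enrolled); the /two-factor route and the
// settings page location come from this page, the "#security" anchor is assumed.

type Aal = "aal1" | "aal2" | null;

interface AssuranceLevel {
  currentLevel: Aal; // what this session has actually proven
  nextLevel: Aal;    // the highest level this user could reach
}

interface Workspace {
  slug: string;
  require_2fa: boolean; // the column added in supabase/004_onboarding.sql
}

type Decision =
  | { action: "allow" }
  | { action: "redirect"; to: string; reason: string };

function enforceTwoFactor(ws: Workspace, aal: AssuranceLevel, pathname: string): Decision {
  // A factor is enrolled but this session has not passed the TOTP challenge.
  // Checked before the workspace flag: a password-only session must never
  // reach an account that has 2FA turned on, whatever the workspace says.
  if (aal.nextLevel === "aal2" && aal.currentLevel !== "aal2") {
    return { action: "redirect", to: "/two-factor", reason: "challenge pending" };
  }
  // The workspace mandates 2FA and the user has nothing enrolled.
  if (ws.require_2fa && aal.nextLevel !== "aal2") {
    const setupPath = `/w/${ws.slug}/settings`;
    // The setup UI lives inside the workspace; exempt it or the redirect loops.
    if (pathname === setupPath || pathname.startsWith(setupPath + "/")) {
      return { action: "allow" };
    }
    // Send them to setup, not to /two-factor: with no factor there is no code
    // to enter and the challenge page could never succeed.
    return {
      action: "redirect",
      to: `${setupPath}#security`,
      reason: "workspace requires 2FA, no factor enrolled",
    };
  }
  return { action: "allow" };
}

// Constructed sample inputs.
const acme: Workspace = { slug: "acme", require_2fa: true };
const noFactor: AssuranceLevel = { currentLevel: "aal1", nextLevel: "aal1" };
const factorNotChallenged: AssuranceLevel = { currentLevel: "aal1", nextLevel: "aal2" };
const fullyVerified: AssuranceLevel = { currentLevel: "aal2", nextLevel: "aal2" };

const samples: Array<[string, AssuranceLevel]> = [
  ["no factor enrolled", noFactor],
  ["factor enrolled, not challenged", factorNotChallenged],
  ["fully verified", fullyVerified],
];
for (const [label, aal] of samples) {
  console.log(label, enforceTwoFactor(acme, aal, "/w/acme"));
}
```

The order of the two checks matters: a pending challenge is resolved before the workspace flag is consulted, and the settings page is exempted from the enforcement redirect so a user who has nothing enrolled can actually reach the place where they enrol.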

Login history

Every sign-in attempt is recorded with IP address, user agent (browser/device), and success/failure status.

Where to find it

  • UI: Settings page > Login History section
  • Server actions: src/lib/sessions/session-actions.ts
  • Database table: login_history (created in supabase/006_remaining_features.sql)

Database schema

CREATE TABLE public.login_history (
  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
  user_id UUID NOT NULL REFERENCES auth.users(id) ON DELETE CASCADE,
  ip_address TEXT,
  user_agent TEXT,
  status TEXT NOT NULL DEFAULT 'success',    -- 'success' or 'failure'
  created_at TIMESTAMPTZ NOT NULL DEFAULT now()
);

How to customize

To add more tracking (e.g., geolocation, device fingerprinting), extend the login_history table with additional columns and update the insert logic in src/lib/sessions/session-actions.ts. Two things to keep in mind when you touch that logic: behind a reverse proxy or CDN the address the app sees is the proxy's, so the client address has to be read from the header your proxy sets (X-Forwarded-For or a platform-specific equivalent) and never from a value the client can supply itself; and because user_id is NOT NULL, a failed attempt can only be stored once the submitted email has resolved to a user, so attempts against unknown emails are not recorded unless you relax that constraint.
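Building the row for that insert, as an added example that is not the template's session-actions.ts. The column names come from the schema above; TRUSTED_PROXY_HOPS, the header handling, the user-agent cap and the isNewDevice() helper are assumptions. The actual write through the Supabase server client is not shown.

```typescript
// Added example, not the template's session-actions.ts. Column names follow the
// login_history schema on this page; everything else here is an assumption.

interface LoginHistoryRow {
  user_id: string;
  ip_address: string | null;
  user_agent: string | null;
  status: "success" | "failure";
}

// Anything with a get(name) method: the Fetch API Headers object qualifies.
type HeaderSource = { get(name: string): string | null };

// How many proxies you control sit in front of the app (1 for a single load
// balancer or CDN layer). Each trusted hop appends one address to
// X-Forwarded-For, so the client address is that many entries from the right.
// Everything further left was supplied by the client and can say anything.
const TRUSTED_PROXY_HOPS = 1;

// Cap stored user agents: the header is attacker controlled and unbounded.
const MAX_UA_LENGTH = 512;

function clientIp(headers: HeaderSource, trustedHops = TRUSTED_PROXY_HOPS): string | null {
  // With no trusted proxy the header is meaningless; use the socket address instead.
  if (trustedHops < 1) return null;
  const xff = headers.get("x-forwarded-for");
  if (!xff) return null;
  const hops = xff.split(",").map((s) => s.trim()).filter((s) => s.length > 0);
  // Fewer entries than trusted hops means the request did not come through
  // your proxy chain; refuse to guess rather than store a forged value.
  if (hops.length < trustedHops) return null;
  return hops[hops.length - trustedHops];
}

function buildLoginHistoryRow(userId: string, headers: HeaderSource, succeeded: boolean): LoginHistoryRow {
  const ua = headers.get("user-agent");
  return {
    user_id: userId,
    ip_address: clientIp(headers),
    user_agent: ua === null ? null : ua.slice(0, MAX_UA_LENGTH),
    status: succeeded ? "success" : "failure",
  };
}

// A simple "new device" signal for alerting: the (ip, user agent) pair has not
// appeared in this user's earlier successful sign-ins.
function isNewDevice(row: LoginHistoryRow, history: LoginHistoryRow[]): boolean {
  return !history.some(
    (h) => h.status === "success" && h.ip_address === row.ip_address && h.user_agent === row.user_agent,
  );
}

// Constructed sample headers, as a single reverse proxy would forward them:
// the left entry was sent by the client, the right one appended by the proxy.
function sampleHeaders(): HeaderSource {
  const h: Record<string, string> = {
    "x-forwarded-for": "203.0.113.9, 198.51.100.7",
    "user-agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/126.0",
  };
  return { get: (name) => h[name.toLowerCase()] ?? null };
}

console.log(buildLoginHistoryRow("00000000-0000-0000-0000-000000000001", sampleHeaders(), true));
```

Note what the sample shows: with one trusted hop the stored address is 198.51.100.7, the one the proxy appended, and the 203.0.113.9 the client put in the header is ignored. Misconfigure the hop count and you store whatever the attacker wrote, which also poisons any "new device" alerting built on top of the table.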

SSO (Single Sign-On) -- Enterprise

Workspaces on the Enterprise plan can configure SSO for centralized authentication.

Where to find it

  • UI: Settings page > SSO Configuration section (visible only on Enterprise plan)
  • Server actions: src/lib/sso/sso-actions.ts

Configuration

SSO supports SAML and OAuth providers. The configuration includes:

  • Provider type (SAML, OAuth)
  • Metadata URL
  • Enforcement flag (require_sso -- forces all members to use SSO)

How to customize

To enable SSO for additional plan tiers, modify the isEnterprise check in src/app/(app)/w/[workspaceSlug]/settings/page.tsx.

Session management

Sessions are managed by Supabase Auth and stored in HTTP-only cookies, so page JavaScript cannot read the tokens. The middleware (middleware.ts) runs on every request to a protected route and refreshes an expired access token from the refresh token, writing the updated cookies back onto the response; without that step server components, which cannot write cookies themselves, would keep seeing a stale or expired session.

Protected routes

The middleware protects all routes under /w/, /select-workspace, and /create-workspace. Unauthenticated users are redirected to /sign-in.

How it works

Request → middleware.ts
  ├── Public route? → Pass through
  ├── Auth route? → If already signed in, redirect to /select-workspace
  └── Protected route? → Check session
       ├── Valid session → Continue
       └── No session → Redirect to /sign-in
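The decision in that diagram written as pure functions, as an added example that is not the template's middleware.ts. The route lists come from this page; the ?next= parameter and safeNext() are assumptions. In the real middleware the session check is the Supabase server client's auth.getUser() and a Decision becomes NextResponse.next() or NextResponse.redirect().

```typescript
// Added example, not the template's middleware.ts. Route lists come from the
// page; the ?next= return parameter and safeNext() are assumptions.

type RouteKind = "public" | "auth" | "protected";

const PROTECTED_PREFIXES = ["/w/", "/select-workspace", "/create-workspace"];
const AUTH_ROUTES = ["/sign-in", "/sign-up", "/forgot-password", "/reset-password", "/two-factor"];

// Auth routes a signed-in user must still be allowed to reach: the recovery
// link signs the user in before /reset-password, and /two-factor is only
// shown after the password step has already created a session.
const SESSION_BOUND_AUTH_ROUTES = ["/reset-password", "/two-factor"];

function hasPrefix(pathname: string, prefix: string): boolean {
  // "/select-workspace" must not match "/select-workspace-admin": require an
  // exact match or a path boundary after the prefix.
  if (prefix.endsWith("/")) return pathname.startsWith(prefix);
  return pathname === prefix || pathname.startsWith(prefix + "/");
}

function classifyRoute(pathname: string): RouteKind {
  if (PROTECTED_PREFIXES.some((p) => hasPrefix(pathname, p))) return "protected";
  if (AUTH_ROUTES.includes(pathname)) return "auth";
  return "public";
}

// Only ever send users back to a same-origin path. "//evil.example",
// "/\evil.example" and "https://evil.example" would otherwise turn ?next=
// into an open redirect from the sign-in page.
function safeNext(raw: string | null): string {
  const fallback = "/select-workspace";
  if (!raw || !raw.startsWith("/") || raw.startsWith("//") || raw.startsWith("/\\")) return fallback;
  return raw;
}

type Decision = { type: "next" } | { type: "redirect"; to: string };

function guard(pathname: string, search: string, hasSession: boolean): Decision {
  switch (classifyRoute(pathname)) {
    case "protected":
      if (hasSession) return { type: "next" };
      // Keep the original destination so sign-in can return the user to it
      // (after passing it through safeNext on the way back out).
      return { type: "redirect", to: "/sign-in?next=" + encodeURIComponent(pathname + search) };
    case "auth":
      if (hasSession && !SESSION_BOUND_AUTH_ROUTES.includes(pathname)) {
        return { type: "redirect", to: "/select-workspace" };
      }
      return { type: "next" };
    default:
      return { type: "next" };
  }
}

console.log(guard("/w/acme/settings", "?tab=security", false));
console.log(guard("/sign-in", "", true));
```

Two details are easy to lose when editing the route patterns: prefix matching has to stop at a path boundary, and any return-to parameter you add must be validated as a relative path before it is used, or the sign-in page becomes an open redirector.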

Where to customize

  • Middleware: middleware.ts -- add or remove protected route patterns. Session checks on the server should use supabase.auth.getUser(), which validates the token with the Auth server; getSession() on the server only decodes what is in the cookie and can be satisfied by a tampered value
  • Auth helpers: src/lib/auth/require-user.ts -- the requireUser() function used in all server actions
  • Supabase clients: src/lib/supabase/ -- server and admin client creation. The admin client is normally created with the service role key, which bypasses Row Level Security; keep it out of anything that runs in the browser

Security headers

The app includes security headers configured in next.config.ts:

  • X-Frame-Options: DENY -- the page may not be framed by any site, which blocks clickjacking
  • X-Content-Type-Options: nosniff -- browsers honour the declared Content-Type instead of sniffing it
  • Strict-Transport-Security -- browsers remember to use HTTPS for the domain; only honoured on HTTPS responses
  • Referrer-Policy: origin-when-cross-origin -- cross-origin requests carry only the origin, not the full URL

Content-Security-Policy is not among them; add one to the same list once you know which script, style and frame sources the app needs, since it is the header that actually limits injected script.
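Those headers in the shape Next.js reads from the headers() export, as an added example that is not the template's next.config.ts, with a small check you can keep in a test. The HSTS value and the "/(.*)" source pattern are assumptions; the template's exact values may differ.

```typescript
// Added example, not the template's next.config.ts. The four headers come from
// this page; the HSTS value and the catch-all source pattern are assumptions.

type Header = { key: string; value: string };

const securityHeaders: Header[] = [
  { key: "X-Frame-Options", value: "DENY" },
  { key: "X-Content-Type-Options", value: "nosniff" },
  // Two years, and cover subdomains. Browsers only honour this header on an
  // HTTPS response, so it does nothing on http://localhost in development.
  // Add "; preload" only once every subdomain is HTTPS-only, because the
  // preload list is hard to leave.
  { key: "Strict-Transport-Security", value: "max-age=63072000; includeSubDomains" },
  { key: "Referrer-Policy", value: "origin-when-cross-origin" },
];

const nextConfig = {
  async headers() {
    // Apply to every route, API routes included.
    return [{ source: "/(.*)", headers: securityHeaders }];
  },
};

export default nextConfig;

// Checks for a unit test: every required header present, HSTS max-age at
// least a year (the usual minimum for the header to be worth anything).
const REQUIRED = ["X-Frame-Options", "X-Content-Type-Options", "Strict-Transport-Security", "Referrer-Policy"];
const ONE_YEAR_SECONDS = 31536000;

function missingHeaders(headers: Header[]): string[] {
  const present = new Set(headers.map((h) => h.key.toLowerCase()));
  return REQUIRED.filter((k) => !present.has(k.toLowerCase()));
}

function hstsMaxAge(headers: Header[]): number {
  const hsts = headers.find((h) => h.key.toLowerCase() === "strict-transport-security");
  const m = hsts ? /max-age=(\d+)/i.exec(hsts.value) : null;
  return m ? Number(m[1]) : 0;
}

console.log("missing:", missingHeaders(securityHeaders), "hsts max-age:", hstsMaxAge(securityHeaders));
```

Keep the check next to the config rather than trusting a one-time curl: a later edit that drops a header from the list is exactly the regression it catches.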

GDPR & data management

SaaSForge Core includes the data-management pieces that GDPR data-subject requests call for:

  • Data export: Users can export all their personal data from Settings > Account
  • Account deletion: Users can delete their account, which cascades to all their data. The cascade relies on foreign keys to auth.users declared ON DELETE CASCADE, as login_history above shows; a table that references the user without that clause needs explicit cleanup in the deletion logic
  • Server actions: src/lib/gdpr/ handles export and deletion logic

Where to customize

  • Account section UI: src/app/(app)/w/[workspaceSlug]/settings/account-section.tsx
  • GDPR logic: src/lib/gdpr/ -- extend with additional data sources as you add features