Authentication System
Sunschool uses JWT (JSON Web Token) authentication with scrypt password hashing. Fromserver/middleware/auth.ts:
JWT Configuration
JWT tokens provide stateless authentication, allowing the server to verify user identity without session storage.
Token Generation
Fromserver/middleware/auth.ts:
server/config/env.ts:
Token Verification
Fromserver/middleware/auth.ts:
Generate Secure Secrets
Generate JWT secret:.env:
If
JWT_SECRET is not set, it defaults to SESSION_SECRET. Set both separately for better security.Password Security
scrypt Hashing
Sunschool uses scrypt for password hashing - a memory-hard function resistant to brute-force attacks. Fromserver/middleware/auth.ts:
- Random 16-byte salt per password
- 64-byte derived key using scrypt
- Timing-safe comparison to prevent timing attacks
- Format:
{hash_hex}.{salt_hex}
Password Requirements
Recommended client-side validation:Role-Based Access Control
Fromshared/schema.ts:
User Roles
- ADMIN
- PARENT
- LEARNER
Permissions:
- Full system access
- View all users and data
- Manage parents and learners
- Access admin-only endpoints
- Export all data
server/auth.ts:Role Middleware
Fromserver/middleware/auth.ts:
First User Admin Promotion
Fromserver/auth.ts and server/routes.ts:
First registered user becomes ADMIN automatically. This ensures you can bootstrap the system without manual database access.
Session Security
Fromserver/config/env.ts:
Session Storage
Fromshared/schema.ts, sessions are stored in PostgreSQL:
expire index.
CORS Configuration
Fromserver/auth.ts:
API Security Best Practices
Rate Limiting
Not implemented by default. Add rate limiting for production deployments.
Input Validation
Current validation:SQL Injection Protection
Already protected. Sunschool uses Drizzle ORM with parameterized queries.
server/routes.ts:
XSS Protection
FromENGINEERING.md:
SVG content is sanitized via a lightweight regex-based sanitizer in server/services/svg-llm-service.ts
SVG sanitization:
- Strips
<script>,<style>,<iframe>tags - Removes event handlers (
onclick,onload, etc.) - Blocks
javascript:anddata:URIs - LLM prompts prohibit scripts and external references
Environment-Specific Security
Development
- Detailed error messages
- No SSL for local database
- Shorter JWT expiry for testing
Production
- Generic error messages
- SSL required for all connections
- Long random secrets
- Extended token expiry for user convenience
Security Checklist
Set Strong Password Policy
Implement client-side validation:
- Minimum 8 characters
- Mixed case, numbers, symbols
Audit Logging
Not implemented by default. Add audit logging for production.
Next Steps
Database Setup
Secure your database with SSL and access controls
Monitoring
Monitor authentication failures and security events
Troubleshooting
Debug authentication issues