Production-grade authentication system built with Spring Boot + React, designed with progressive security hardening and extensibility in mind.
This project focuses on implementing authentication the correct way — following modern security principles such as:
- httpOnly cookie-based authentication
- Short-lived JWT access tokens
- Refresh token rotation
- OTP & OAuth support
- Stateless access-token validation (refresh-token state is kept in Redis)

Current status: Phase 3 (OAuth & Extensibility).
Secure Authentication Module is a reusable, enterprise-ready authentication service built to simulate real-world production security architecture. The goal is to:
- Understand authentication flows deeply
- Implement security best practices
- Build a modular system extensible for OAuth, OTP, and future passkey support
- Keep frontend and backend cleanly separated
This project evolves in structured phases, gradually increasing security, reliability, and extensibility.
Backend:

- Java 21
- Spring Boot 4.x
- Spring Security
- JWT (Access + Refresh token)
- MySQL 8.x
- Redis 7.x
- Spring Data JPA
- Hibernate
- Lombok
- Resilience4j (Phase 4)
- OpenAPI / Swagger (Phase 4)
Frontend:

- React 18
- TypeScript
- Vite
- Axios
- React Router v6
- Shadcn UI
- Tailwind CSS
- React Hook Form (later phase)
- Zod (later phase)
Below is the simplified authentication flow:

- User registration
  - User submits name, email and password
  - Password is hashed with BCrypt before it is stored
  - User is saved in the database (MySQL)
  - Verification email is sent containing a 6-character alphanumeric one-time code
  - User is marked verified once the correct code is submitted
- User authentication (login), password or passwordless
  - User submits credentials
  - Spring Security authenticates
  - If passwordless, an OTP is sent for verification
  - Once verified:
    - A short-lived access token is generated
    - A refresh token is generated and stored in Redis
    - Both tokens are sent in httpOnly, Secure cookies
- Token refresh flow
  - Access token expires
  - Frontend automatically calls the refresh endpoint
  - Refresh token is validated against Redis
  - New access token is issued
  - Refresh token rotation is applied (the presented refresh token is replaced by a new one)
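The registration step above sends a 6-character alphanumeric code and verifies it. The following is an added example (not the project's own code, which is Java) showing the controls a practitioner would want around that code: only a hash of the code is stored, the comparison is constant-time, the code is single-use, and it expires and locks after a few wrong attempts. The in-memory `Map`, the 10-minute TTL, the 5-attempt limit and the reduced alphabet (no 0/O/1/I) are assumptions, not values from the README.

```typescript
// Added example, not the project's code: issue and verify the e-mail verification code.
// The Map stands in for the users table; TTL, attempt limit and alphabet are assumptions.
import { randomInt, createHash, timingSafeEqual } from "crypto";

const ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"; // alphanumeric minus look-alike chars
const CODE_LENGTH = 6;
const CODE_TTL_MS = 10 * 60 * 1000; // assumption: 10 minutes
const MAX_ATTEMPTS = 5;             // assumption: lock after 5 wrong guesses

type PendingVerification = { codeHash: Buffer; expiresAt: number; attempts: number };
const pending = new Map<string, PendingVerification>();

// 6 symbols from a 32-symbol alphabet is about 30 bits: far too small to survive online
// guessing without an attempt limit, and small enough to brute-force offline if the hash
// leaks. The TTL and attempt limit are therefore the real controls; the hash only keeps
// the plaintext code out of the database.
export function generateCode(): string {
  let out = "";
  for (let i = 0; i < CODE_LENGTH; i++) out += ALPHABET[randomInt(ALPHABET.length)];
  return out;
}

function hashCode(email: string, code: string): Buffer {
  // Bind the hash to the account so a code issued for one e-mail is useless for another.
  return createHash("sha256").update(`${email.toLowerCase()}:${code}`).digest();
}

// Called when the user registers. Returns the code that goes into the e-mail;
// only its hash is kept server-side.
export function issueVerification(email: string, now: number = Date.now()): string {
  const code = generateCode();
  pending.set(email.toLowerCase(), {
    codeHash: hashCode(email, code),
    expiresAt: now + CODE_TTL_MS,
    attempts: 0,
  });
  return code;
}

export type VerifyResult = "verified" | "invalid" | "expired" | "locked" | "unknown";

// Called when the user submits the code from the e-mail.
export function verifyCode(email: string, submitted: string, now: number = Date.now()): VerifyResult {
  const key = email.toLowerCase();
  const rec = pending.get(key);
  if (!rec) return "unknown";
  if (now > rec.expiresAt) { pending.delete(key); return "expired"; }
  if (rec.attempts >= MAX_ATTEMPTS) { pending.delete(key); return "locked"; }
  rec.attempts++;
  // Compare fixed-length digests in constant time; a direct string compare would leak
  // how many leading characters matched.
  const ok = timingSafeEqual(rec.codeHash, hashCode(email, submitted.trim().toUpperCase()));
  if (!ok) return "invalid";
  pending.delete(key); // single use: the code cannot be replayed after success
  return "verified";
}
```

In the project's stack the same record (hash, expiry, attempt counter) would live on the user row or in Redis with a TTL, and the "locked" outcome should also trigger a fresh code rather than leaving the account stuck.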
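The refresh flow above combines "frontend automatically calls the refresh endpoint" with "refresh token rotation applied". Those two interact: if several requests get a 401 at the same moment and each triggers its own refresh, the same refresh token is presented twice, and a rotating server must treat the second presentation as reuse. The following added example (not the project's code, which is Java on the server and Axios on the client) models both sides of that exchange: a server that rotates tokens and revokes the whole login session on reuse, and a client that coalesces concurrent refreshes into one call. The in-memory `MemoryStore` stands in for Redis, the `rt:<token>` key layout and "token family" model are assumptions, the access token is a placeholder rather than a JWT, and the client holds the refresh token in a variable only to model the exchange (in the project it travels in an httpOnly cookie the browser attaches).

```typescript
// Added example, not the project's code: refresh-token rotation with reuse detection
// (server side) and a single-flight refresh (client side). The Map stands in for Redis;
// key names, the token family model and the placeholder access token are assumptions.
import { randomBytes } from "crypto";

type RefreshRecord = { userId: string; familyId: string; rotated: boolean };

// The Redis-like operations the refresh endpoint needs (GET/SET plus a family wipe).
export class MemoryStore {
  private records = new Map<string, RefreshRecord>();
  async get(key: string): Promise<RefreshRecord | undefined> { return this.records.get(key); }
  async set(key: string, value: RefreshRecord): Promise<void> { this.records.set(key, value); }
  // Revoke every token that belongs to one login session (token family).
  async delFamily(familyId: string): Promise<void> {
    const doomed: string[] = [];
    this.records.forEach((v, k) => { if (v.familyId === familyId) doomed.push(k); });
    doomed.forEach((k) => this.records.delete(k));
  }
}

export class AuthServer {
  refreshCalls = 0; // instrumentation for the demo below
  private store: MemoryStore;
  constructor(store: MemoryStore) { this.store = store; }

  // Login succeeded: start a new token family and hand out its first refresh token.
  async login(userId: string): Promise<string> {
    return this.issue(userId, randomBytes(16).toString("hex"));
  }

  private async issue(userId: string, familyId: string): Promise<string> {
    const token = randomBytes(32).toString("hex"); // 256 random bits, opaque to the client
    await this.store.set(`rt:${token}`, { userId, familyId, rotated: false });
    return token;
  }

  // Refresh endpoint. A refresh token is good for exactly one successful rotation.
  async refresh(presented: string): Promise<{ accessToken: string; refreshToken: string }> {
    this.refreshCalls++;
    const rec = await this.store.get(`rt:${presented}`);
    if (!rec) throw new Error("invalid refresh token");
    if (rec.rotated) {
      // An already-rotated token came back: a replayed stolen copy, or a client that
      // refreshed twice. Either way the whole family is revoked.
      await this.store.delFamily(rec.familyId);
      throw new Error("refresh token reuse detected; session revoked");
    }
    // Keep the consumed token, marked rotated, so a replay can be recognised. In Redis it
    // would carry a TTL equal to the refresh-token lifetime and then expire on its own.
    await this.store.set(`rt:${presented}`, { ...rec, rotated: true });
    const refreshToken = await this.issue(rec.userId, rec.familyId);
    return { accessToken: `access-token-for-${rec.userId}`, refreshToken }; // placeholder, not a JWT
  }
}

// Client side: every caller that hits a 401 at the same moment shares one refresh call.
// Without this, two concurrent refreshes present the same token twice and the second one
// trips reuse detection, logging the legitimate user out.
export class AuthClient {
  private inflight: Promise<void> | null = null;
  private server: AuthServer;
  private refreshToken: string;
  constructor(server: AuthServer, refreshToken: string) {
    this.server = server;
    this.refreshToken = refreshToken;
  }

  refresh(): Promise<void> {
    if (!this.inflight) this.inflight = this.doRefresh();
    return this.inflight;
  }

  private async doRefresh(): Promise<void> {
    try {
      const r = await this.server.refresh(this.refreshToken);
      this.refreshToken = r.refreshToken;
    } finally {
      this.inflight = null;
    }
  }

  currentRefreshToken(): string { return this.refreshToken; }
}

export async function demo() {
  const server = new AuthServer(new MemoryStore());
  const first = await server.login("user-1");
  const client = new AuthClient(server, first);

  // Three requests fail with 401 at once: one rotation, not three.
  await Promise.all([client.refresh(), client.refresh(), client.refresh()]);
  const afterSingleFlight = server.refreshCalls;

  // Someone replays the original token (a stolen copy, or a buggy second client).
  let replayRejected = false;
  try { await server.refresh(first); } catch { replayRejected = true; }

  // The family was revoked, so the client's current, legitimate token is dead too.
  let currentRejected = false;
  try { await server.refresh(client.currentRefreshToken()); } catch { currentRejected = true; }

  return { afterSingleFlight, replayRejected, currentRejected };
}
```

In the project's Axios frontend the `AuthClient.refresh` logic belongs in a response interceptor: on 401, await the shared refresh promise, then retry the original request once. The family-revocation behaviour is deliberate: a replay of a rotated token is indistinguishable from theft, so the safe response is to force a new login rather than guess which party is legitimate.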