Authentication & Authorization

The authentication system handles users, sessions, and security:

  • AuthManager (core/lib/auth/auth-manager.js): Coordinates authentication modules
  • UserManager (core/lib/auth/modules/user-manager.js): Manages user accounts
  • SessionManager (core/lib/auth/modules/session-manager.js): Handles login sessions
  • PasswordService (core/lib/auth/modules/password-service.js): Secure password hashing
  • RateLimiter (core/lib/auth/modules/rate-limiter.js): Prevents brute-force attacks

Components

Auth Manager
├── User Manager          # User CRUD operations
├── Session Manager       # Session handling
├── Password Service      # Argon2 hashing
└── Rate Limiter          # Brute force protection

User Roles

  1. Admin: Full system access
  2. Editor: Content management only

Security Features

  • Password Hashing: Argon2id with configurable parameters
  • Rate Limiting: Protect against brute force attacks
  • Session Management: Secure token-based sessions
  • CSRF Protection: Via signed cookies
  • Input Validation: Sanitize all user inputs

Authentication Flow

1. User submits credentials
2. Rate limit check
3. Password verification (Argon2)
4. Session creation
5. Secure cookie/token delivery
6. Middleware verification on requests