Auth strategy: roll-your-own vs alternatives #24

Closed
opened 2026-03-22 21:56:00 +00:00 by barrettruth · 0 comments
barrettruth commented 2026-03-22 21:56:00 +00:00

Question

What auth approach fits delta? It's self-hosted but friends may want accounts too.

Current Implementation (on feat/scaffold)

~100-line src/core/auth.ts with:

  • bcrypt password hashing
  • Random session tokens (7-day expiry, httpOnly cookies)
  • API key generation and validation for CLI/integrations
  • Multi-user: each user gets their own account, sessions, API keys

Considerations

  • Hosted at delta.barrettruth.com — internet-accessible
  • Multi-user schema already exists (D010)
  • Friends may want their own accounts
  • Need API access for CLI client (#23)
  • Lucia (popular Next.js auth lib) is deprecated; author recommends DIY
  • Auth.js is overkill for this use case

Open Questions

  • Should users be able to self-register, or invite-only?
  • Per-user task isolation or shared workspace?
  • Rate limiting on login endpoint?

Status

Basic implementation exists and is tested (11 tests). Revisit when multi-user becomes a real requirement.

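The token and session handling sketched in the issue, as an added example that is not part of the original issue and not the project's own `src/core/auth.ts`: opaque session and API-key tokens in the split-token form `<prefix>_<selector>.<secret>`, where only a SHA-256 of the secret is stored (a leaked table cannot be replayed), the secret is compared in constant time, sessions carry the 7-day expiry from the issue, the session cookie is sent with `HttpOnly`, `Secure` and `SameSite` (the issue only mentions `httpOnly`, but the host is internet-facing), and the login endpoint gets a fixed-window limiter, which the issue lists as an open question. The `dlt_` prefixes, the `__Host-delta_session` cookie name, the 5-failures-per-15-minutes limit and the in-memory `Map` standing in for the D010 schema are assumptions; bcrypt password hashing is left out.

```typescript
// Added example (not delta's src/core/auth.ts): opaque session and API-key
// tokens stored only as SHA-256 hashes, validated in constant time with a
// 7-day session expiry, the cookie attributes to send them with, and a
// fixed-window login rate limiter. Password hashing (bcrypt) is out of scope.
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

export const SESSION_TTL_MS = 7 * 24 * 60 * 60 * 1000; // 7-day expiry (from the issue)
export const LOGIN_WINDOW_MS = 15 * 60 * 1000;          // assumption: 15-minute window
export const LOGIN_MAX_FAILURES = 5;                    // assumption: 5 failures per window

type TokenKind = "session" | "apikey";

interface TokenRecord {
  userId: string;
  secretHash: Buffer;       // sha256(secret); the secret itself is never stored
  expiresAt: number | null; // null: API keys do not expire unless revoked
}

// In-memory store standing in for the D010 schema (assumption); keyed by the
// public selector so the lookup never depends on the secret.
const tokens = new Map<string, TokenRecord>();

function hashSecret(secret: string): Buffer {
  return createHash("sha256").update(secret, "utf8").digest();
}

// Token layout "dlt_<kind>_<selector>.<secret>" (prefix is an assumption).
// base64url may contain "_", so parse on the single "." rather than splitting on "_".
function parseToken(token: string): { selector: string; secret: string } | null {
  const m = /^dlt_(?:session|apikey)_([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]+)$/.exec(token);
  return m === null ? null : { selector: m[1], secret: m[2] };
}

// Split-token design: the selector is a random lookup key; only the secret's
// hash is stored, so a leaked table cannot be replayed against the server.
export function issueToken(userId: string, kind: TokenKind, now = Date.now()): string {
  const selector = randomBytes(12).toString("base64url"); // 16 chars
  const secret = randomBytes(32).toString("base64url");   // 43 chars, 256 bits of entropy
  tokens.set(selector, {
    userId,
    secretHash: hashSecret(secret),
    expiresAt: kind === "session" ? now + SESSION_TTL_MS : null,
  });
  return `dlt_${kind}_${selector}.${secret}`; // shown to the user exactly once
}

// Returns the owning user id, or null for malformed, unknown, tampered,
// expired or revoked tokens.
export function validateToken(token: string, now = Date.now()): string | null {
  const parsed = parseToken(token);
  if (parsed === null) return null;
  const rec = tokens.get(parsed.selector);
  if (rec === undefined) return null;
  // Both sides are 32-byte digests, so timingSafeEqual cannot throw on length.
  if (!timingSafeEqual(hashSecret(parsed.secret), rec.secretHash)) return null;
  if (rec.expiresAt !== null && now >= rec.expiresAt) {
    tokens.delete(parsed.selector); // lazy cleanup of expired sessions
    return null;
  }
  return rec.userId;
}

// Only a holder of the full token (not just the selector) may revoke it.
export function revokeToken(token: string, now = Date.now()): boolean {
  if (validateToken(token, now) === null) return false;
  return tokens.delete(parseToken(token)!.selector);
}

// Set-Cookie value for a browser session. The __Host- prefix makes the browser
// require Secure, Path=/ and no Domain, so a sibling subdomain cannot plant the
// cookie. The cookie name is an assumption.
export function sessionCookie(token: string, maxAgeSeconds = SESSION_TTL_MS / 1000): string {
  return `__Host-delta_session=${token}; Path=/; Max-Age=${maxAgeSeconds}; HttpOnly; Secure; SameSite=Lax`;
}

// Fixed-window limiter for the login endpoint, keyed by the caller's choice
// (client IP, username, or both). Only failures count against the limit.
const failures = new Map<string, number[]>();

function recentFailures(key: string, now: number): number[] {
  const recent = (failures.get(key) ?? []).filter((t) => now - t < LOGIN_WINDOW_MS);
  failures.set(key, recent);
  return recent; // the array now held in the map, so push() below persists
}

export function loginAllowed(key: string, now = Date.now()): boolean {
  return recentFailures(key, now).length < LOGIN_MAX_FAILURES;
}

export function recordLoginFailure(key: string, now = Date.now()): void {
  recentFailures(key, now).push(now);
}
```

Usage follows the issue's flow: `issueToken(user.id, "session")` after a successful bcrypt check, returned to the browser via `sessionCookie(...)`, and `issueToken(user.id, "apikey")` shown once to the CLI user; every request then calls `validateToken(...)` on the cookie or `Authorization` header. Before checking the password, call `loginAllowed(ip)` and record failures with `recordLoginFailure(ip)`; a `Map` works for a single self-hosted process but would need to move to the database or a shared cache if delta ever runs more than one instance.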
Reference
barrettruth/delta#24