Skip to main content

Overview

Risk Legion uses Supabase Auth (GoTrue) for authentication, providing JWT-based stateless authentication with automatic token refresh and secure session management.

Authentication Flow

JWT Token Structure

Access Token

Token Lifetime

Frontend Authentication

Sign In

Sign Out

Get Current Session

Listen for Auth Changes

API Authentication

Using the Token

All API requests include the JWT in the Authorization header:

Backend Verification

The FastAPI backend verifies tokens:

Token Refresh

Automatic Refresh

Supabase client automatically refreshes tokens:

Handling Refresh Failures

Password Management

Password Reset

Password Requirements

Session Management

Session Storage

Sessions are stored in localStorage by default:

Session Security

Session Timeout Recommendations

Session management enhancements (15-minute inactivity timeout, auto-logout on tab close) are ready for implementation. See docs/SESSION_MANAGEMENT_IMPLEMENTATION_COMPLETE.md

Multi-Device Sessions

Users can have multiple active sessions across devices:
  • Each device gets its own access/refresh token pair
  • Sign out on one device doesn’t affect others
  • “Sign out everywhere” revokes all sessions

Error Handling

Common Authentication Errors

Error Handling Example

Security Best Practices

  • Use httpOnly cookies for highest security (requires setup)
  • Clear tokens on sign out
  • Don’t expose tokens in URLs
  • Never log tokens
  • Implement session timeout for sensitive operations
  • Consider re-authentication for critical actions
  • Monitor for suspicious session patterns
  • Use secure session storage
  • Enforce strong password requirements
  • Use password managers
  • Consider MFA (future enhancement)
  • Regular password rotation policies
  • Always verify tokens server-side
  • Check token expiration
  • Validate token audience and issuer
  • Log authentication failures