Overview
Risk Legion uses Supabase Auth (GoTrue) for authentication, providing JWT-based stateless authentication with automatic token refresh and secure session management.Authentication Flow
JWT Token Structure
Access Token
Token Lifetime
Frontend Authentication
Sign In
Sign Out
Get Current Session
Listen for Auth Changes
API Authentication
Using the Token
All API requests include the JWT in the Authorization header:Backend Verification
The FastAPI backend verifies tokens:Token Refresh
Automatic Refresh
Supabase client automatically refreshes tokens:Handling Refresh Failures
Password Management
Password Reset
Password Requirements
Session Management
Session Storage
Sessions are stored in localStorage by default:Session Security
Session Timeout Recommendations
Session management enhancements (15-minute inactivity timeout, auto-logout on tab close) are ready for implementation. See docs/SESSION_MANAGEMENT_IMPLEMENTATION_COMPLETE.md
Multi-Device Sessions
Users can have multiple active sessions across devices:- Each device gets its own access/refresh token pair
- Sign out on one device doesn’t affect others
- “Sign out everywhere” revokes all sessions
Error Handling
Common Authentication Errors
Error Handling Example
Security Best Practices
Token Storage
Token Storage
- Use httpOnly cookies for highest security (requires setup)
- Clear tokens on sign out
- Don’t expose tokens in URLs
- Never log tokens
Session Management
Session Management
- Implement session timeout for sensitive operations
- Consider re-authentication for critical actions
- Monitor for suspicious session patterns
- Use secure session storage
Password Security
Password Security
- Enforce strong password requirements
- Use password managers
- Consider MFA (future enhancement)
- Regular password rotation policies
API Security
API Security
- Always verify tokens server-side
- Check token expiration
- Validate token audience and issuer
- Log authentication failures
Related Documentation
- RBAC - Role-based access control
- API Authentication - API-specific auth details
- Supabase Auth Docs - Official Supabase documentation