Show HN: Minimal NIST/OWASP-compliant auth implementation for Cloudflare Workers
Source: Hacker News
Overview
This is an educational reference implementation showing how to build reasonably secure, standards‑compliant authentication from first principles on Cloudflare Workers.
Stack
- Framework: Hono
- Database: Turso (libSQL)
- Key Derivation: PBKDF2‑SHA384 (per SP 800‑132), with Unicode normalization of the password and a common‑password blocklist check (per SP 800‑63B)
- Tokens: JWT access + refresh tokens with revocation support
- Cookies: HTTP‑only SameSite cookies
- Additional: Device tracking
Design Philosophy
The implementation is deliberately minimal: no OAuth, no passkeys, no magic links, no rate limiting. The goal is clarity and auditability. It was created primarily to deepen understanding of edge‑runtime authentication constraints and to provide a clean Apache‑2.0 example that follows NIST SP 800‑63B / SP 800‑132 and OWASP guidance. One caveat for anyone reading it as a template: SP 800‑63B itself requires throttling of failed authentication attempts, so rate limiting has to be supplied in front of this code in any real deployment.
Production Recommendation
For production use, the author recommends reaching for Better Auth instead. This repository is not intended to compete with that solution.
Live Demo
Live demo link not provided.
Repository
Repository link not provided.
Contact / Comments
Happy to answer questions about the crypto choices, the refresh token revocation pattern, Turso schema, constant‑time comparison, Unicode pitfalls, etc.
Comments URL: (not provided) (Points: 11)