Adding Authentication to Your Web App Without Breaking It
Authentication is one of those features that looks simple from the outside — a login form, a password, maybe a "forgot password" link — but breaks in surprising ways once real users show up. If you're building a SaaS dashboard, a member portal, or any app that stores user data, getting auth right is non-negotiable. Here's a practical walkthrough of how to add authentication to a web application, what to choose, and what to avoid.
Decide What "Authentication" Actually Means for Your App
Before writing any code, get clear on what you need. "Login" can mean very different things depending on the product:
- Single-user tools (personal dashboards) — a simple email/password may be enough.
- B2B SaaS — you'll likely need teams, roles, invitations, and possibly SSO.
- Consumer apps — social login (Google, Apple) reduces signup friction dramatically.
- Regulated industries — MFA, audit logs, and session controls become mandatory.
Write down which user types exist, what they should access, and how they'll recover their account. That document drives every technical decision below.
Pick an Authentication Strategy
There are three realistic paths. Each has trade-offs.
1. Roll Your Own with Sessions
You store a hashed password (using bcrypt, argon2, or scrypt), issue a session cookie after login, and check it on each request. This is the most traditional approach and still excellent for server-rendered apps (Laravel, Rails, Django, Next.js with server actions).
- Good for: Monoliths, small teams, full control.
- Watch out for: Password reset flows, brute-force protection, secure cookie flags (
HttpOnly,Secure,SameSite=Lax).
2. Token-Based Auth (JWT)
The server issues a signed JWT after login. The client sends it on each request, usually in an Authorization: Bearer header. Useful when your frontend and backend are separate (React SPA + API, mobile apps).
- Good for: APIs, SPAs, microservices.
- Watch out for: Token revocation is hard. Use short-lived access tokens (15 min) plus a refresh token stored in an
HttpOnlycookie.
3. Managed Auth Providers
Services like Auth0, Clerk, Supabase Auth, Firebase Auth, or AWS Cognito handle the heavy lifting — sign-up, social login, MFA, password reset, even SSO.
- Good for: Founders shipping fast, teams without security specialists.
- Cost example: Clerk starts free up to 10,000 monthly active users, then around $25/month. Auth0 has a free tier and paid plans starting near $35/month.
- Watch out for: Vendor lock-in and pricing cliffs at scale.
For most small businesses and early-stage founders we work with at Axoxweb, a managed provider is the right call — you'd rather spend engineering hours on the product, not on rebuilding password reset for the third time.
The Step-by-Step Implementation
Let's walk through a realistic flow using a Node.js + Express + a managed provider (the steps generalise to any stack).
- Set up your provider. Create an account, define your application, and copy the API keys into environment variables. Never commit them.
- Add the SDK. For example:
npm install @clerk/clerk-sdk-node. Most providers have drop-in middleware. - Protect routes. Wrap server routes with the provider's middleware so unauthenticated requests get a 401.
- Build the UI. Use the provider's prebuilt components for sign-in/sign-up, or build your own forms calling their API.
- Store user metadata. Keep your own
userstable keyed by the provider's user ID. Sync via webhooks on signup. - Handle authorization. Authentication says who the user is. Authorization decides what they can do — store roles in your database and check them on each protected action.
- Test the recovery paths. Forgot password, email change, account deletion, expired session. These are where real users get stuck.
Security Essentials You Can't Skip
Whether you build it yourself or use a service, these protections must be in place:
- HTTPS everywhere. Cookies and tokens over HTTP are essentially public.
- Password hashing with
argon2idorbcryptat cost factor 12+. Never store plaintext. - Rate limiting on login, signup, and password reset endpoints. Five attempts per minute per IP is a reasonable start.
- CSRF protection on cookie-based sessions. Use SameSite cookies plus CSRF tokens for state-changing requests.
- Multi-factor authentication as an option, mandatory for admin accounts.
- Email verification before granting full access — stops fake signups and protects deliverability.
- Secure password reset. Single-use, short-lived tokens (15–30 minutes). Don't reveal whether an email exists in your system.
Common Mistakes That Bite Later
Storing JWTs in localStorage
Any XSS vulnerability now hands attackers a valid token. Use HttpOnly cookies for refresh tokens instead.
Conflating authentication with authorization
Once a user is logged in, every sensitive action still needs a permission check. "They're logged in" is not the same as "they're allowed to delete this invoice."
Leaking information in error messages
"Email not found" tells attackers which emails are registered. Use a generic "Invalid email or password" message instead.
Ignoring session lifecycle
Add a way to revoke sessions, list active devices, and force logout on password change. These features become urgent the first time a user's account is compromised.
Building it from scratch when you don't need to
Custom auth has hidden costs: MFA, social login, SSO for enterprise customers, audit logs, compliance. A managed provider gives you all of this on day one.
What to Build Next
Once basic login works, the features users start asking for include:
- Team invitations and role management
- Single sign-on (SAML or OIDC) for enterprise deals
- API keys for programmatic access
- Audit logs of login activity
- Account deletion and data export (GDPR)
Plan for these from the start — even if you don't build them immediately, design your user model so adding them later doesn't require a rewrite.
If you'd rather not piece authentication together yourself — or you've launched something and want it audited before users start signing up — the team at Axoxweb builds secure, modern web apps with auth done properly from day one. Get in touch to talk through your project.