hectoday

Production Auth Patterns with @hectoday/http
Production Auth Checklist

The full lifecycle

This checklist covers the user’s entire journey through your app, from signup to deletion.

Email verification

  • Verification token sent at signup (hashed, time-limited, single-use)
  • Unverified users can log in but features are restricted
  • Resend verification endpoint available
  • Stale unverified accounts cleaned up after 7 days
  • Email change resets verification status

Session management

  • Device info captured per session (IP, user agent, device name)
  • Last active time updated on requests
  • GET /me/sessions lists all active sessions with device info
  • DELETE /me/sessions/:id revokes a specific session
  • “Sign out everywhere” keeps current session
  • New-IP login detection with notification

Session security

  • Idle timeout (30 minutes of inactivity)
  • Absolute timeout (24 hours from creation)
  • Session rotation after privilege changes (password change, role change)
  • IDOR prevention on session revocation (user_id check)

Step-up authentication

  • POST /auth/confirm re-authenticates with password or TOTP
  • Re-authentication timestamp stored on session
  • 5-minute window for sensitive actions
  • Applied to: email change, password change, 2FA disable, account deletion, API key creation
  • 403 response includes instructions for re-authentication
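The timeout, rotation-free revocation and step-up rules from the session security and step-up sections above, written out as an added example in plain JavaScript (not code from the course or from @hectoday/http); the session shape, the Map-backed store, the 403 body format and the 404-for-foreign-ids choice are assumptions made here.

```javascript
// Checklist constants: 30 min idle, 24 h absolute, 5 min step-up window.
const IDLE_TIMEOUT_MS = 30 * 60 * 1000;
const ABSOLUTE_TIMEOUT_MS = 24 * 60 * 60 * 1000;
const STEP_UP_WINDOW_MS = 5 * 60 * 1000;
// Assumed session shape (the course's real schema may differ), all times in ms:
// { id, userId, createdAt, lastActiveAt, reauthenticatedAt | null }

// Absolute timeout is checked first: a continuously active session still dies at 24 h.
function sessionExpiry(session, now) {
  if (now - session.createdAt >= ABSOLUTE_TIMEOUT_MS) return 'absolute_timeout';
  if (now - session.lastActiveAt >= IDLE_TIMEOUT_MS) return 'idle_timeout';
  return null; // still valid; the caller then bumps lastActiveAt
}

// Step-up gate for sensitive routes. A missing or stale re-auth timestamp yields
// a 403 whose body tells the client how to re-authenticate.
function stepUpCheck(session, now) {
  const fresh = session.reauthenticatedAt != null &&
    now - session.reauthenticatedAt < STEP_UP_WINDOW_MS;
  if (fresh) return { ok: true };
  return {
    ok: false,
    status: 403,
    body: {
      error: 'step_up_required',
      reauthenticate: { method: 'POST', path: '/auth/confirm', accepts: ['password', 'totp'] },
    },
  };
}

// DELETE /me/sessions/:id with IDOR prevention: the session must belong to the
// caller. `store` is assumed to be a Map of sessionId -> session. A foreign id
// gets 404 rather than 403 (a choice made here) so its existence is not revealed.
function revokeSession(store, callerUserId, sessionId) {
  const target = store.get(sessionId);
  if (!target || target.userId !== callerUserId) return 404;
  store.delete(sessionId);
  return 204;
}

// "Sign out everywhere": revoke the caller's other sessions, keep the current one.
function signOutEverywhere(store, callerUserId, currentSessionId) {
  let revoked = 0;
  for (const [id, s] of store) {
    if (s.userId === callerUserId && id !== currentSessionId) { store.delete(id); revoked++; }
  }
  return revoked;
}
```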

Account deletion

  • Soft delete with 30-day grace period
  • Cancellation available during grace period (no step-up required)
  • Hard delete cascades through all user-specific tables
  • Shared data anonymized (not deleted)
  • Orphaned organizations cleaned up
  • Audit logs anonymized but kept
  • Step-up required to initiate deletion

SAML/SSO

  • Per-domain SAML provider configuration
  • SAML response signature validation against IdP certificate
  • Just-in-time user provisioning on first SSO login
  • Group-to-role mapping from IdP attributes
  • Domain-based SSO enforcement (block password login for SSO domains)
  • SSO users created with no-password placeholder
  • Email automatically verified for SSO users

What we did not build

SCIM (System for Cross-domain Identity Management). Automates user provisioning and deprovisioning. When a company adds or removes an employee in their IdP, SCIM pushes the change to your app. Without SCIM, you rely on JIT provisioning (create on first login) and manual deprovisioning.

OIDC for enterprise. Some enterprises use OpenID Connect instead of SAML. The OAuth course covered OIDC with consumer providers (Google). Enterprise OIDC is similar but per-customer, like SAML.

Multi-factor enforcement. Allowing enterprise admins to require 2FA for all members of their organization. The 2FA course built the mechanism; the authorization course built org-level settings; combining them is an exercise.

Passwordless-only accounts. Accounts that never have a password — they use only passkeys or magic links. The 2FA course built the mechanisms; enforcing passwordless-only is a policy decision.

Exercises

Exercise 1: Go through the checklist for your app. How many items are implemented?

Exercise 2: Trace a user’s journey through the entire lifecycle: signup → verify email → use the app → manage sessions → step-up for email change → eventually delete account. Does every step work?

What is the most commonly missed production auth feature?


© 2026 hectoday. All rights reserved.