Orchestre

Appearance

Authentication Examples

Authentication patterns implemented through Orchestre's intelligent prompt system.

Overview

Authentication is critical for most applications. These examples show how Orchestre's prompts discover your needs and adapt authentication implementations to your specific context.

JWT Authentication

Getting Started with Auth

bash
# Create app with authentication
orchestre create makerkit-nextjs secure-app

# Orchestre explores your auth needs:
"I'll analyze your application to understand your authentication 
requirements. Let me check what's already in place..."

# Adapts to findings:
"I found NextAuth.js configured. I'll extend it with JWT refresh
tokens following your existing session patterns..."

Memory Evolution During Auth Implementation

markdown
# Initial CLAUDE.md:
Project: Secure App
Auth: NextAuth with credentials provider
Goal: Add JWT with refresh tokens

# After implementation:
## Authentication Architecture
- JWT access tokens (15 min expiry)
- Refresh tokens in httpOnly cookies
- Token rotation on each refresh
- Blacklist for revoked tokens

# After security review:
## Security Enhancements
- Added CSRF protection
- Implemented rate limiting (5 attempts/min)
- Secure headers configured
- Session fixation prevention

OAuth Integration

bash
# Multi-provider setup
"Configure Google and GitHub OAuth providers"

# Intelligent discovery:
"Checking your environment setup... Found OAuth redirect URIs in .env.
I'll configure providers and handle the callback flow..."

# Provider-specific patterns captured:
/auth/providers/CLAUDE.md:
  Google: 
    - Workspace domain restriction added
    - Offline access for calendar integration
  GitHub:
    - Organization membership validation
    - Team-based access control

Multi-Factor Authentication

TOTP Implementation

bash
# Enable MFA
"Add TOTP-based two-factor authentication"

# Context-aware implementation:
"I see you have a user settings page. I'll add MFA setup there with
QR code generation and recovery codes..."

# Security decisions documented:
orchestre://project/auth/mfa
├── Algorithm: TOTP with SHA-256
├── Window: 30 seconds with 1 step tolerance
├── Recovery: 8 codes, single use
└── Backup: SMS fallback option

Memory Tracks Security Evolution

markdown
/auth/mfa/CLAUDE.md:
v1: Basic TOTP implementation
v2: Added recovery codes after user lockout
v3: SMS fallback for accessibility
v4: Backup codes in encrypted PDF
Learned: 20% users lose authenticator access

Session Management

Intelligent Session Handling

bash
# Database sessions
"Implement secure session management"

# Discovers infrastructure:
"Found Redis connection in your config. I'll implement distributed
sessions with automatic cleanup..."

# Session patterns evolve:
/sessions/CLAUDE.md:
  Initial: 24-hour fixed expiry
  Improved: Sliding window with activity tracking
  Current: Adaptive expiry based on user role
  Insight: Admins need shorter sessions for security

Cross-Service Sessions

bash
"Share sessions across microservices"

# Architectural discovery:
"Analyzing your service structure... Found 3 Next.js apps.
I'll implement JWT-based session sharing with service mesh..."

# Documented approach:
orchestre://project/auth/distributed
├── JWT issuer service
├── Public key distribution
├── Service-specific claims
└── Revocation via Redis pub/sub

Social Login

Platform-Adaptive Implementation

bash
# Mobile social auth
"Add social login to React Native app"

# Platform awareness:
"Detected Expo project. I'll implement platform-specific social auth
with unified interface..."

# Platform patterns:
/mobile/auth/CLAUDE.md:
  iOS: 
    - Apple Sign In (required for App Store)
    - Keychain for secure storage
  Android:
    - Google Sign In with One Tap
    - Keystore for credentials
  Shared:
    - OAuth flow in WebView fallback
    - Deep linking for callbacks

Enterprise SSO

SAML Integration

bash
"Add SAML 2.0 SSO for enterprise customers"

# Discovers multi-tenancy:
"Found tenant isolation in your database schema. I'll implement
SAML with per-tenant IdP configuration..."

# Enterprise patterns captured:
orchestre://project/auth/enterprise/saml
├── Metadata endpoint per tenant
├── Dynamic cert validation
├── Attribute mapping UI
├── Just-in-time provisioning
└── SCIM support preparation

Evolution Through Customer Needs

markdown
/auth/enterprise/CLAUDE.md:
Week 1: Basic SAML with Okta
Week 2: Added Auth0 after customer request
Week 3: OneLogin + custom attribute mapping
Week 4: Built IdP configuration UI
Learned: Every enterprise has unique requirements

Passwordless Auth

bash
"Implement passwordless login via email"

# Analyzes communication setup:
"Found SendGrid configuration. I'll implement magic links with
your existing email templates..."

# Security considerations tracked:
/auth/passwordless/CLAUDE.md:
  - 15-minute link expiry
  - Single-use tokens
  - Rate limit: 3 requests per hour
  - Domain whitelist for email providers
  - Suspicious activity detection

WebAuthn Implementation

bash
"Add biometric authentication with WebAuthn"

# Browser compatibility aware:
"Checking target browsers... I'll implement WebAuthn with graceful
fallback to passwords for unsupported browsers..."

# Implementation insights:
orchestre://project/auth/webauthn
├── Passkey support detection
├── Credential backup strategies
├── Cross-device authentication
└── Recovery flow design

Security Best Practices

Adaptive Security Measures

bash
"Implement authentication security best practices"

# Comprehensive analysis:
"Analyzing your current auth setup for vulnerabilities...
Found a few areas to strengthen. Let me implement fixes..."

# Security improvements documented:
/security/auth/CLAUDE.md:
  Implemented:
  - Bcrypt with cost factor 12
  - Login attempt rate limiting
  - Account lockout after 5 failures
  - Suspicious IP detection
  - Session anomaly detection
  - Audit log with retention policy

Learning from Attacks

markdown
/security/incidents/CLAUDE.md:
Incident: Brute force attempt detected
Response: Added exponential backoff
Result: 99% reduction in attempts

Incident: Session token in logs
Response: Removed all auth tokens from logging
Result: Implemented log sanitization middleware

Mobile Authentication

Biometric Login Evolution

bash
# React Native biometrics
"Add Face ID and Touch ID support"

# Discovers device capabilities:
"I'll implement biometric auth with proper fallbacks and clear
user communication about data privacy..."

# Mobile auth patterns:
/mobile/biometrics/CLAUDE.md:
  Storage: Keychain/Keystore only
  Fallback: PIN then password
  Privacy: No biometric data leaves device
  UX: Clear permission prompts

Edge Authentication

Cloudflare Workers Auth

bash
# JWT validation at edge
"Implement authentication at Cloudflare edge"

# Performance-focused approach:
"I'll move JWT validation to Workers for sub-millisecond auth checks.
This will reduce origin load significantly..."

# Edge patterns discovered:
orchestre://project/auth/edge
├── JWT validation without origin call
├── Key rotation via Workers KV
├── Geographic access rules
├── DDoS protection built-in
└── 99.9% cache hit rate

Performance Evolution

markdown
/auth/performance/CLAUDE.md:
Before edge: 120ms auth check
After edge: 3ms auth check
Insight: Cache user permissions for 5 min
Result: 40x performance improvement

Testing Authentication

Intelligent Test Generation

bash
"Write comprehensive auth tests"

# Discovers test environment:
"Found Playwright setup. I'll create E2E tests covering all auth
flows with security edge cases..."

# Test patterns captured:
/auth/testing/CLAUDE.md:
  Unit tests:
  - Token generation/validation
  - Password hashing
  - Session management
  
  Integration tests:
  - OAuth flow mocking
  - Database session cleanup
  
  E2E tests:
  - Login flows
  - MFA setup
  - Password reset
  - Session timeout

Security Testing

bash
"Run security audit on authentication"

# Comprehensive security check:
"I'll test for OWASP Top 10 auth vulnerabilities and check your
implementation against security best practices..."

# Findings documented:
orchestre://project/security/auth-audit
├── No SQL injection vectors
├── Passwords properly hashed
├── ⚠️ Missing rate limit on password reset
├── CSRF tokens implemented
└── Secure session configuration

Common Patterns Discovered

Authentication Flow Evolution

markdown
/auth/patterns/CLAUDE.md:
Pattern: Progressive Enhancement
- Start with basic email/password
- Add OAuth when users request it
- Implement MFA for security-conscious users
- Add biometrics for mobile users

Pattern: Security Theater vs Real Security
- Avoid complex password rules (theater)
- Focus on MFA adoption (real security)
- Make secure path easier than insecure

Error Handling Wisdom

markdown
/auth/errors/CLAUDE.md:
Never reveal:
- User existence (same error for all failures)
- Account lock status
- Specific validation failures

Always log:
- Failed attempts with IP
- Unusual patterns
- Permission escalation attempts

See Also

  • orchestre://patterns/security - Security implementation patterns
  • orchestre://templates/makerkit/auth - MakerKit auth configuration
  • orchestre://knowledge/auth-flows - Authentication flow diagrams

Built with ❤️ for the AI Coding community, by Praney Behl

Copyright © 2025 Orchestre