Wrapping up week 3 of building NanoURL! I just finished the part of SaaS development that everyone loves to hate: Authentication.
I decided against using expensive third-party tools like Auth0 or Clerk and rolled a secure, enterprise-grade solution from scratch. It was a rabbit hole, but totally worth it.
Here is what the stack looks like now:
HttpOnly JWTs: No storing tokens in localStorage. Access and Refresh tokens are locked down in secure cookies to prevent XSS attacks.
Google OAuth (The Right Way): Instead of just trusting the frontend, React grabs the Google ID Token and passes it to Spring Boot. Java officially verifies the token audience via the Google API Client, extracts the email, and auto-registers the user behind the scenes.
Anti-Enumeration Resets: Built a secure "Forgot Password" flow using spring-boot-starter-mail. It uses timed, 15-minute expiring UUID tokens saved to the DB, ensuring users can't get locked out if they forget they originally signed up via Google.
Getting the React state perfectly synced with the backend cookies (especially during page refreshes and Google iframe popups) was tricky, but creating a "Single Source of Truth" in my AuthContext finally smoothed it all out.
Click here: https://nanourl.link/
To the solo-founders out there: Do you still roll your own auth for new projects, or have you completely surrendered to Auth-as-a-Service providers?
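Added example, not NanoURL's own code: a Spring Boot endpoint showing the two points above (server-side Google ID token verification with an audience check, then issuing the session as HttpOnly cookies). It assumes google-api-client on the classpath and a `google.client-id` property; `UserRepository`, `User` and `JwtService` are hypothetical stand-ins for the app's own persistence and JWT code.

```java
// Added example (not NanoURL's code). UserRepository, User, JwtService are hypothetical.
import com.google.api.client.googleapis.auth.openidconnect.GoogleIdToken;
import com.google.api.client.googleapis.auth.openidconnect.GoogleIdTokenVerifier;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.gson.GsonFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.HttpHeaders;
import org.springframework.http.ResponseCookie;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.*;
import java.time.Duration;
import java.util.Collections;
import java.util.Map;

@RestController
@RequestMapping("/auth")
public class GoogleAuthController {
    private final GoogleIdTokenVerifier verifier;
    private final UserRepository users; // hypothetical: findByEmail(..) / save(..)
    private final JwtService jwt;       // hypothetical: issueAccess(..) / issueRefresh(..)

    public GoogleAuthController(UserRepository users, JwtService jwt,
                                @Value("${google.client-id}") String clientId) {
        this.users = users;
        this.jwt = jwt;
        // setAudience binds the check to THIS app's client ID: a token Google minted for some
        // other client carries a valid Google signature but is still rejected here.
        this.verifier = new GoogleIdTokenVerifier.Builder(
                new NetHttpTransport(), GsonFactory.getDefaultInstance())
                .setAudience(Collections.singletonList(clientId)).build();
    }

    @PostMapping("/google")
    public ResponseEntity<Void> google(@RequestBody Map<String, String> body) throws Exception {
        // verify() checks the signature against Google's published keys, issuer, expiry and
        // audience; it returns null (not an exception) when any of those fail.
        GoogleIdToken idToken = verifier.verify(body.get("idToken"));
        if (idToken == null || !Boolean.TRUE.equals(idToken.getPayload().getEmailVerified())) {
            return ResponseEntity.status(401).build();
        }
        String email = idToken.getPayload().getEmail(); // trusted only because verify() passed
        User user = users.findByEmail(email).orElseGet(() -> users.save(new User(email)));
        // Tokens never reach JS: HttpOnly blocks document.cookie, Secure forces HTTPS,
        // SameSite=Strict keeps the browser from attaching them to cross-site requests.
        return ResponseEntity.noContent()
                .header(HttpHeaders.SET_COOKIE, cookie("access_token", jwt.issueAccess(user), Duration.ofMinutes(15)).toString())
                .header(HttpHeaders.SET_COOKIE, cookie("refresh_token", jwt.issueRefresh(user), Duration.ofDays(7)).toString())
                .build();
    }

    private static ResponseCookie cookie(String name, String value, Duration ttl) {
        return ResponseCookie.from(name, value)
                .httpOnly(true).secure(true).sameSite("Strict").path("/").maxAge(ttl).build();
    }
}
```

A narrower `path` on the refresh cookie (only the refresh endpoint) further limits where the browser sends the long-lived token.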
Respect for rolling your own auth — that’s a deep rabbit hole most people avoid 😅
The HttpOnly + backend-verified OAuth setup sounds clean. That React ↔ backend sync pain is very real.
Personally seeing more people mix — custom for control, external for speed — depends on stage.
Also, if you’re building early-stage products — $19 puts it in real competition. Tokyo trip + $500 min guaranteed.
Round just opened: tokyolore.com 🚀