forage409/authcore

AuthCore is an open source login system that you can run on Cloudflare Workers, which is a hosting service for small bits of code. It handles the parts of an app that deal with signing people up, logging them in, remembering them across visits, and blocking abusive users. The README pitches it as a self hosted alternative to paid services like Auth0 and Clerk, with the source code released under the MIT licence so anyone can read, copy, or change it. For a new project, the README shows two ways in. You can run a single command, npx create-nexus-auth my-app, which sets up a starter project with both the front end and back end wired together. Or you can install the SDK called nexus-auth-sdk into an existing app and call methods like register, login, and verifyAny. The SDK throws named errors such as AccountBannedError, so the calling code can react to specific problems without parsing text messages. The listed features cover the usual login flow plus several extras. Passwords are stored using PBKDF2 with 100 thousand iterations and a random salt. Sessions use a short lived JWT, valid for one hour, paired with a refresh token that lasts up to 30 days. There is full OpenID Connect support, meaning other apps can use AuthCore as a single sign on provider, with the consent page, token endpoints, and userinfo endpoint that the protocol expects. Brute force lockout, IP allow lists, a public abuse report endpoint, and a 14 day account deletion window are also built in. The code is laid out as a Cloudflare Worker called nexus-gateway, written with the Hono web framework in TypeScript, backed by Cloudflare D1 for the database and R2 for avatar storage. Email is sent through Resend. To self host it, the README walks through creating the D1 database and R2 bucket with wrangler, running SQL migration files in order, setting secrets for the JWT key and email API key, then deploying with wrangler deploy. A live playground and dashboard are linked for trying the system before installing anything.