OchaAuthPro is a lovingly overbuilt, feature-rich authentication system built with:
- Qwik (frontend) + Fastify (backend)
- PostgreSQL and Redis (self-hosted on a VPS)
- WebSocket-based infrastructure health updates for clients
- Prometheus + Grafana for real-time administrative monitoring
- Paseto V4, Argon2, and secure cookie practices
It’s designed to showcase what happens when you fully commit to:
- Security best practices
- Speed and UX optimization
- Meticulous error handling
- Robust observability & monitoring
- Clean code and type safety
- …and a healthy dose of obsessive craftsmanship 😭🔥
🚀 Live Demo: ocha-auth-pro.ochacoder.com
🌞 Grafana Dashboard: ocha-auth-pro.ochacoder.com/grafana/
⚡️ Google Page Speed Result: ocha-auth-pro.ochacoder.com/speed-test/
🫶🏻 GitHub Repo: ocha-auth-pro.ochacoder.com/github/
- Secure & Modern: Uses Paseto tokens (safer than JWT) and Argon2 for password hashing.
- Server-Side Everything: No CORS needed! All data is sent server-side for security and simplicity.
- Real-Time Health Checks: WebSocket-driven modals inform users of backend or infra outages with friendly transitions.
- Smooth UX: Dark mode, animated modals and toast, consistent visual transitions even during direct visits.
- Type-Safe: TypeBox and Zod to ensure robust runtime and compile-time validation.
- Email-Based Password Reset: Secure reset links signed with Paseto, hashed and stored in Redis.
- Self-Hosted Infra: All services including Redis, Postgres, Prometheus, and Grafana run in Docker on a single VPS.
-
Sign-up/Sign-in Users authenticate via email + password. Paseto-based access and refresh tokens are issued.
-
Password Storage Passwords are hashed using Argon2 and securely stored in PostgreSQL.
-
Refresh Token Rotation Single-use RTs stored in Redis, scoped to a browser ID, protecting against multi-tab desync and replay attacks.
-
Access Token Handling Stored in
HttpOnly,Secure,SameSite=Strictcookies. 60-second lifespan, automatically refreshed server-side. -
Infra Health Monitoring WebSocket pings detect backend/infra status. Friendly modal indicators appear on disruption and recovery.
-
Grafana Dashboard Real-time admin view of monitor uptime, Redis and PostgreSQL metrics. Hosted on same VPS.
-
Email Verification On sign-up and email update, users verify via Paseto-signed links.
-
Frontend Error Handling Toasts for user alerts, server-side redirects for critical/suspicious states.
-
Backend Error Handling Custom error classes separate user input issues, misuse, logic bugs, and suspicious behavior.
-
Separation of Concerns Independent deployment folders for frontend and backend. Dockerized and orchestrated via Compose.
| Layer | Tool |
|---|---|
| Frontend | Qwik |
| Backend | Fastify |
| Database | PostgreSQL (self-hosted via Docker) |
| Cache | Redis (self-hosted via Docker) |
| Token Auth | Paseto V4 |
| Hashing | Argon2 |
| Email Service | Resend |
| Monitoring | WebSocket + Prometheus + Grafana |
- Clone the repo:
git clone https://github.com/ochacoder/ocha-auth-pro.git- Copy sample env files and set your secrets:
cp ocha-auth-pro--fastify@node/.env.sample ocha-auth-pro--fastify@node/.env
cp ocha-auth-pro--qwik@node/.env.local.sample ocha-auth-pro--qwik@node/.env.local- Start the full stack with Docker Compose:
docker compose -f docker-compose.sample.yml up --build- Visit the app locally: http://localhost:3000
.env files to Git.
OchaAuthPro was built to embody production-level architecture, with special care for real-world edge cases and user experience.
The goal was to make an authentication system that is:
- Secure by default
- Fully observable and traceable
- Smooth and friendly for users
- A pleasure to build and read
From RT rotation edge cases to server-side redirects for suspicious behavior, everything here was handcrafted for clarity and resilience.
- OchaAuthLight: A simpler, beginner-friendly variant using Express and Next.js
- Add OpenAPI docs: Auto-generated documentation for backend endpoints
- Rate Limiting: To protect critical routes from abuse
- Unit Tests: For core logic like token issuance and validation
Built with 🍵 and many late nights. OchaAuthPro hopes to show that security can be clear, friendly, and elegant.
Thank you for checking it out — feedback is always welcome!