LESSON 3 OF 5
Authentication that users trust
Auth is the feature where "mostly works" is not acceptable, so lean on standards: email plus password with proper hashing, or sign-in with Google/GitHub via OAuth. Tell the agent which methods you want and it will wire the flow. The classic snag is the redirect URL. OAuth providers only send users back to addresses you have whitelisted — when sign-in mysteriously fails, the exact redirect URL in your provider settings is the first thing to check. Test auth like an attacker, gently: wrong password, expired session, one user trying to open another user's data by changing the URL. Five minutes of hostile clicking catches what demos never do.