
Authentication & User Management

Email/password, magic links, Google OAuth, session management, and security hardening — built on Supabase Auth and tested with 10,000+ real users.

Updated Apr 2026

What's Included

The LaunchSaaS authentication package covers the full user management lifecycle without requiring you to build any of it from scratch:

  - 4 sign-in methods
  - 10k+ real users tested
  - 100% security path coverage
  - RLS (row level security)

How It Works

LaunchSaaS authentication is built on Supabase Auth, which handles the hard parts: secure password hashing, token generation, OAuth flows, and email delivery.

Request flow

For a typical authenticated page request:

  1. The Next.js middleware reads the session cookie on every request.
  2. If the access token is valid, the request proceeds. User data is available in request.auth.
  3. If the access token is expired but the refresh token is valid, the middleware silently refreshes the session and sets a new cookie.
  4. If both tokens are invalid or absent, the middleware redirects to /login.
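Steps 2 to 4 of that flow as a pure decision function, added here as an illustration and not LaunchSaaS or Supabase code: it assumes HS256-signed access tokens, the cookie names shown in the comments, and a constructed demo secret.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

export type Decision = "proceed" | "refresh" | "redirect:/login";

export interface SessionCookies {
  accessToken?: string;  // the Supabase access JWT (cookie name is an assumption)
  refreshToken?: string; // the opaque refresh token (cookie name is an assumption)
}

const b64url = (buf: Buffer): string =>
  buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const fromB64url = (s: string): Buffer =>
  Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/"), "base64");

// "Valid" means the HS256 signature verifies AND `exp` is still in the future.
// An unverified `exp` alone must never be enough to let a request proceed.
export function accessTokenIsValid(jwt: string, secret: string, nowSeconds: number): boolean {
  const parts = jwt.split(".");
  if (parts.length !== 3) return false;
  const expected = createHmac("sha256", secret).update(`${parts[0]}.${parts[1]}`).digest();
  const actual = fromB64url(parts[2]);
  if (actual.length !== expected.length || !timingSafeEqual(actual, expected)) return false;
  try {
    const payload = JSON.parse(fromB64url(parts[1]).toString("utf8"));
    return typeof payload.exp === "number" && payload.exp > nowSeconds;
  } catch {
    return false;
  }
}

// Steps 2-4 of the request flow above, as a decision the middleware can act on.
export function decide(cookies: SessionCookies, secret: string, nowSeconds: number): Decision {
  if (cookies.accessToken && accessTokenIsValid(cookies.accessToken, secret, nowSeconds)) {
    return "proceed";          // step 2: user data is available to the page
  }
  if (cookies.refreshToken) return "refresh"; // step 3: attempt a silent refresh, set a new cookie
  return "redirect:/login";                   // step 4: nothing usable, send to /login
}

// Constructed HS256 token for the demo; `exp` is seconds since the Unix epoch.
export function demoToken(exp: number, secret: string): string {
  const head = b64url(Buffer.from(JSON.stringify({ alg: "HS256", typ: "JWT" })));
  const body = b64url(Buffer.from(JSON.stringify({ sub: "user-123", exp })));
  const sig = b64url(createHmac("sha256", secret).update(`${head}.${body}`).digest());
  return `${head}.${body}.${sig}`;
}
```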

Database access control

Every table that stores user data has Row Level Security (RLS) policies enabled. A user can only read and write rows where user_id = auth.uid(). This is enforced at the PostgreSQL level — it cannot be bypassed from the application layer. Multi-tenant data additionally requires matching workspace membership.

Sign-In Methods

Email and password

Standard sign-up and sign-in. Passwords are hashed by Supabase using bcrypt. Password reset sends a one-time link to the user's email. Minimum password length is 8 characters.

Magic links

Users enter only their email address. Supabase sends a one-time login link that expires in 1 hour. Clicking the link authenticates the user and establishes a session. No password is required or stored. This reduces signup friction significantly — in production, magic link signup rates are typically 20–30% higher than email/password signup rates.

Google OAuth

Google sign-in is pre-configured. To enable it, add your Google OAuth credentials to Supabase:

  1. Go to Google Cloud Console → APIs & Services → Credentials → Create OAuth Client ID.
  2. Add https://[your-project].supabase.co/auth/v1/callback as an authorized redirect URI.
  3. Copy the client ID and secret into Supabase Dashboard → Authentication → Providers → Google.

Adding more OAuth providers

Supabase supports GitHub, Twitter/X, Discord, LinkedIn, and others. The process is the same as Google: create an OAuth app on the provider's platform, add the credentials to Supabase, and the existing OAuth button component in LaunchSaaS handles the rest. No application code changes are required.

Security Features

Rate limiting

Authentication endpoints are rate-limited using a token bucket algorithm. The defaults are:

These limits are configurable in lib/auth/rate-limit.ts.

Account lockout

After 10 consecutive failed login attempts on a single account, the account is locked. The user receives an email with an unlock link. Administrators can also unlock accounts from the admin dashboard.
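The rate limiting and account lockout sections together, as an added illustration that is not the code in lib/auth/rate-limit.ts: a token bucket keyed by client IP (bucket size 5, refilled over 15 minutes, the values the FAQ on this page gives) plus a per-account counter that locks after 10 consecutive failures. The in-memory maps are an assumption standing in for whatever store the app uses.

```typescript
interface Bucket { tokens: number; updatedAt: number }
export type Verdict = "ok" | "rate_limited" | "locked";

// In-memory maps stand in for whatever store the app uses (assumption).
export class LoginGuard {
  private buckets = new Map<string, Bucket>();
  private failures = new Map<string, number>();
  private locked = new Set<string>();

  constructor(
    private readonly capacity = 5,                 // failures per IP before throttling (FAQ)
    private readonly refillWindowMs = 15 * 60_000, // an empty bucket is full again after 15 min (FAQ)
    private readonly lockAfter = 10,               // consecutive failures per account (section above)
  ) {}

  // Token bucket: refill continuously at capacity / window, never above capacity.
  private bucketFor(ip: string, now: number): Bucket {
    const b = this.buckets.get(ip) ?? { tokens: this.capacity, updatedAt: now };
    const elapsed = Math.max(0, now - b.updatedAt);
    b.tokens = Math.min(this.capacity, b.tokens + (elapsed / this.refillWindowMs) * this.capacity);
    b.updatedAt = now;
    this.buckets.set(ip, b);
    return b;
  }

  // Check before verifying the password. A locked account is refused from any IP,
  // so the lockout holds even when attempts arrive from many addresses.
  allow(ip: string, account: string, now: number): Verdict {
    if (this.locked.has(account)) return "locked";
    return this.bucketFor(ip, now).tokens >= 1 ? "ok" : "rate_limited";
  }

  // Only failures spend tokens, so a correct password is never throttled.
  recordFailure(ip: string, account: string, now: number): void {
    const b = this.bucketFor(ip, now);
    b.tokens = Math.max(0, b.tokens - 1);
    const n = (this.failures.get(account) ?? 0) + 1;
    this.failures.set(account, n);
    if (n >= this.lockAfter) this.locked.add(account); // cleared by the emailed unlock link or an admin
  }

  recordSuccess(account: string): void {
    this.failures.delete(account); // "consecutive": a success resets the counter
  }

  isLocked(account: string): boolean { return this.locked.has(account); }
}
```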

Refresh token rotation

Every time a refresh token is used to get a new access token, the old refresh token is invalidated and a new one is issued. This means stolen refresh tokens can only be used once before they are invalidated by the legitimate user's next request.
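Rotation as a single-use chain, added here as an illustration rather than Supabase's implementation: `refresh()` retires the token it is given and issues a successor, so a stolen copy works at most once. It also goes one step beyond what this page describes, which is a common extension: a second use of an already-retired token is treated as evidence of theft and ends the whole session.

```typescript
import { randomBytes } from "node:crypto";

interface RefreshRecord { userId: string; sessionId: string; used: boolean }
export type RefreshResult =
  | { ok: true; refreshToken: string }
  | { ok: false; reason: "unknown" | "reused" | "revoked" };

// In-memory maps are an assumption standing in for the auth server's store.
export class RefreshTokenStore {
  private tokens = new Map<string, RefreshRecord>();
  private revokedSessions = new Set<string>();

  // Called at sign-in: starts a new session, i.e. a new chain of refresh tokens.
  issue(userId: string): { refreshToken: string; sessionId: string } {
    const sessionId = randomBytes(16).toString("hex");
    return { refreshToken: this.mint(userId, sessionId), sessionId };
  }

  private mint(userId: string, sessionId: string): string {
    const token = randomBytes(32).toString("base64url");
    this.tokens.set(token, { userId, sessionId, used: false });
    return token;
  }

  // Exchange a refresh token for its successor. The presented token is retired
  // immediately, so whoever presents it second is refused.
  refresh(token: string): RefreshResult {
    const rec = this.tokens.get(token);
    if (!rec) return { ok: false, reason: "unknown" };
    if (this.revokedSessions.has(rec.sessionId)) return { ok: false, reason: "revoked" };
    if (rec.used) {
      // A retired token is being replayed. Either the thief or the legitimate user
      // is the second presenter and the server cannot tell which, so end the session
      // and force a fresh sign-in (extension beyond the rotation described above).
      this.revokedSessions.add(rec.sessionId);
      return { ok: false, reason: "reused" };
    }
    rec.used = true;
    return { ok: true, refreshToken: this.mint(rec.userId, rec.sessionId) };
  }

  sessionIsRevoked(sessionId: string): boolean { return this.revokedSessions.has(sessionId); }
}
```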

Customization

Adding custom user profile fields

The profiles table in Supabase is the correct place to store user-specific data beyond what Supabase Auth provides (email, phone). To add a field:

  1. Create a Supabase migration: ALTER TABLE profiles ADD COLUMN your_field text;
  2. Update the TypeScript type in types/database.ts.
  3. Update the profile update form in components/profile/ProfileForm.tsx.

Customizing redirect URLs after sign-in

The post-sign-in redirect is controlled in lib/auth/callbacks.ts. By default, users are redirected to /dashboard. You can add logic to redirect based on user state (e.g., redirect new users to an onboarding flow).

Customizing email templates

Supabase Auth sends confirmation and reset emails. The templates are customizable in the Supabase Dashboard under Authentication → Email Templates. LaunchSaaS includes styled HTML email templates that match the main app design.

Frequently Asked Questions

Does LaunchSaaS support magic link authentication?

Yes. LaunchSaaS includes magic link (passwordless email) authentication out of the box via Supabase Auth. Users enter their email address and receive a one-time login link. Magic links expire after 1 hour by default, configurable in Supabase project settings.

How do I add GitHub OAuth to LaunchSaaS?

LaunchSaaS is pre-wired for Supabase OAuth providers. To add GitHub login:

  1. Create a GitHub OAuth App in your GitHub developer settings.
  2. Add the client ID and secret in Supabase Dashboard under Authentication → Providers → GitHub.
  3. Add the Supabase callback URL to your GitHub OAuth App's authorized redirect URIs.

No code changes are needed — the existing OAuth flow handles it.

How does LaunchSaaS protect against brute-force login attacks?

LaunchSaaS implements rate limiting on authentication endpoints. After 5 consecutive failed login attempts from the same IP address, further attempts are blocked for 15 minutes. Accounts are additionally locked after 10 failed attempts and require email verification to unlock.

How does session management work in LaunchSaaS — do sessions expire?

LaunchSaaS uses Supabase Auth's JWT-based sessions with automatic refresh tokens. Access tokens expire after 1 hour by default. Refresh tokens are long-lived (60 days) and are rotated on each use for security. Users are only logged out when the refresh token expires or they explicitly sign out.

Can I add custom fields to user profiles in LaunchSaaS?

Yes. LaunchSaaS includes a profiles table in Supabase that extends the built-in users table. Adding fields requires a Supabase migration and updating the relevant TypeScript types. The profile update form is already wired up and ready for additional fields.

Does LaunchSaaS handle GDPR-compliant account deletion?

Yes. LaunchSaaS includes an account deletion flow that removes the user's Supabase Auth account, all profile data, and triggers cascading deletes on workspace memberships and user-owned records via foreign key constraints. Before deletion, users see a confirmation prompt.
