portal

The self-service identity portal — password reset, email change, TOTP MFA, and session management over a Postgres job queue.

TypeScriptNodeExpressReactPostgres live demo

What it is

Account lifecycle flows a real IdP needs: password reset, email verification and change, TOTP MFA enrollment with recovery codes, and session management — all driven by a Postgres-backed job queue for asynchronous email. TypeScript throughout: Express API + polling job worker, React/Vite frontend with hand-rolled CSS.

Key design decisions

Security highlights

From the threat model: unknown-user login verifies a decoy Argon2 hash so timing matches; TOTP-enrolled accounts get an mfa_pending session that can’t use any authenticated endpoint until step-up passes; email change keeps the old address as the login until the new one proves receipt; session cookies are 256-bit random with only the SHA-256 stored; job payloads embed emailed links (raw token included), so the jobs table and dev outbox are documented as secret-bearing. Honest residuals: TOTP secrets are necessarily stored recoverable (keysmith envelope encryption is the platform upgrade path), and signup’s 409-on-duplicate intentionally remains an existence oracle — standard UX, covered by rate limiting.

Verified by

Code worth reading