Skip to content
learnthevibe

modul 3shipping to production

auth: sign-in without passwords

Users mean accounts, and accounts mean the part of the codebase where a bug costs trust. Magic links skip stored passwords, and the framework's defaults carry the security.

~2 min read · ~10 min with the exercise · v1.0 · verified: 2026-07-15

the first door you build

Payments, saved progress, anything personal: each of these needs to know who the visitor is. Authentication is the door, and it belongs early in the module because the payment lesson builds on it. The stakes differ from the rest of your code. A layout bug embarrasses you; an auth bug hands a stranger someone else's account.

The rule for this lesson: use a maintained auth framework and hold its defaults. This site runs on Better Auth, and the pattern transfers: the framework ships origin validation, session handling, and CSRF protection out of the box, and its docs mark the escape hatches (disableCSRFCheck, disableOriginCheck) with security warnings. Treat a request to loosen one of those flags, from anyone, your agent included, as an incident to investigate.