Facebook Signup Emails Need Origin Checks
A practical security checklist for validating Facebook signup emails without leaking inboxes, tokens, or redirect trust.
Tag archive
A practical security checklist for validating Facebook signup emails without leaking inboxes, tokens, or redirect trust.
Our old authentication system logged users in with the OAuth2 client_credentials grant. If you know...
I was working on a somewhat complex client mobile app, using Supabase as a BaaS and to manage...
You rotate a key for Sign in with Apple, and suddenly every login throws invalid_client. It was...
In the ever-evolving landscape of cybersecurity and the modern business world, the management of...
A practical comparison of the 3 auth solutions for indie developers in 2026. Code examples, pricing, and vendor lock-in analysis.

Magic links are the visible part of passwordless auth. The harder part is handling scanners, replay protection, trusted devices, and the Laravel Fortify handoff without weakening security or creating support pain.

We've established that Base64 isn't encryption and that you can't un-hash a password. JWTs are where...
A backend pattern for password reset tokens in PostgreSQL that stays safe under retries, queues, and inbox-based staging checks.
If you've ever built a login system, or even just used one as a regular internet user, you've...
A production RFC 8628 device authorization flow for smart TV apps: PHP 8.4 device and token endpoint
One fail-open bug, five disguises: empty args, an empty log, a missing property, a sheared chain, an unset scope. When there's nothing to check, fail closed.