
Next.js + NextAuth.js — SSO Security Hardening and Best Practices

This final post in the Next.js Frontend SSO series focuses on security and best practices for production-grade SSO. Even with a working authentication flow, neglecting security can lead to token leaks, session hijacking, or unauthorized access.


1️⃣ Secure session cookies

NextAuth.js stores session information in cookies (JWT or database sessions). Configure cookies properly:

  • httpOnly: prevents JavaScript (document.cookie) from reading the session cookie
  • secure: ensures the cookie is sent only over HTTPS
  • SameSite: protects against CSRF (use "lax" or "strict")


export const authOptions = {
  // ...providers, callbacks
  cookies: {
    sessionToken: {
      // Browsers drop a `__Secure-` cookie that lacks the Secure attribute, so only
      // use the prefix when `secure` is true (i.e. not on plain-http localhost).
      name: process.env.NODE_ENV === 'production'
        ? '__Secure-next-auth.session-token'
        : 'next-auth.session-token',
      options: {
        httpOnly: true,   // not readable from document.cookie
        sameSite: 'lax',  // not sent on cross-site POSTs; use 'strict' if no cross-site entry is needed
        path: '/',
        secure: process.env.NODE_ENV === 'production' // HTTPS only in production
      }
    }
  }
}
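The configuration above is a fragment; the following added example (my code, not from the post or from NextAuth.js) wraps the same `cookies.sessionToken` shape in a function that derives the name from the environment and adds a small check a build or CI step can run to catch the usual mistakes (prefix without Secure, SameSite=None without Secure, non-httpOnly session cookie). `sessionCookieOptions` and `validateCookieOptions` are names assumed for this example.

```javascript
// Added example (not from the post): build and sanity-check the NextAuth.js
// session-cookie options. The object returned by sessionCookieOptions mirrors
// the `cookies.sessionToken` shape; validateCookieOptions is an assumed helper.

function sessionCookieOptions({ production }) {
  // Browsers only accept the `__Secure-` prefix on cookies that carry the
  // Secure attribute, so the prefix must follow the `secure` flag.
  const secure = Boolean(production);
  return {
    name: secure ? '__Secure-next-auth.session-token' : 'next-auth.session-token',
    options: { httpOnly: true, sameSite: 'lax', path: '/', secure },
  };
}

// Returns a list of problems; an empty list means the options are sound.
function validateCookieOptions({ name, options }) {
  const problems = [];
  const sameSite = String(options.sameSite).toLowerCase();
  if (!options.httpOnly) {
    problems.push('httpOnly is false: the session token is readable by page scripts');
  }
  if (name.startsWith('__Secure-') && !options.secure) {
    problems.push('__Secure- prefix requires secure: true, otherwise the browser drops the cookie');
  }
  if (name.startsWith('__Host-') && (!options.secure || options.path !== '/' || options.domain)) {
    problems.push('__Host- prefix requires secure: true, path "/" and no domain attribute');
  }
  if (sameSite === 'none' && !options.secure) {
    problems.push('SameSite=None requires secure: true');
  }
  if (!['lax', 'strict'].includes(sameSite)) {
    problems.push('sameSite should be "lax" or "strict" for the session cookie (CSRF)');
  }
  return problems;
}

// Usage (constructed): fail fast at startup if the production cookie is misconfigured.
const productionProblems = validateCookieOptions(sessionCookieOptions({ production: true }));
if (productionProblems.length) throw new Error(productionProblems.join('; '));
```

Running the validator against the development variant is just as useful: it is the `__Secure-` prefix on a non-secure cookie that makes "login works in production but not locally" bugs, and the check reports exactly that.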


2️⃣ Refresh token rotation

Refresh tokens should be rotated to prevent replay attacks. NextAuth.js allows you to implement token refresh in the jwt callback:



callbacks: {
  async jwt({ token }) {
    // token.expires is an absolute epoch time in milliseconds, stored at sign-in
    if (Date.now() > token.expires) {
      try {
        // refreshAccessToken is the app's own helper that calls the provider's token endpoint
        const refreshed = await refreshAccessToken(token);
        token.accessToken = refreshed.accessToken;
        // keep the previous refresh token if the provider did not rotate it
        token.refreshToken = refreshed.refreshToken ?? token.refreshToken;
        token.expires = refreshed.expires;
      } catch (err) {
        // surfaced through the session callback so the client can force a logout
        token.error = 'RefreshAccessTokenError';
      }
    }
    return token;
  }
}

> Always propagate the refreshed tokens to the session.


3️⃣ Minimum scope / least privilege

  • Only request the scopes your app actually needs
  • For API calls, never use a long-lived access token with excessive permissions
  • Limit manager or admin privileges to dedicated flows (like popup login)

4️⃣ Handle token expiration and logout

  • Always check token expiration before making API calls
  • Use automatic logout if a refresh fails or token is invalid
  • Clear cookies and session on logout to prevent stale sessions
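Sections 2 and 4 describe one mechanism from two ends: the `jwt` callback rotates the refresh token, and the client must react when rotation fails or the token goes stale. The following added example (my code, not from the post or from NextAuth.js) shows both against a simulated provider whose refresh tokens are single-use, so a replayed token is refused exactly as the rotation is meant to guarantee. `FakeTokenEndpoint`, `refreshAccessToken`, `jwtCallback`, `sessionCallback` and `shouldForceSignOut` are names assumed for this example; the functions are synchronous so they can be run offline, where the real helper would `await fetch()` the provider's token endpoint.

```javascript
// Added example (not from the post): refresh-token rotation with a simulated
// provider, the jwt/session callback bodies as plain functions, and the
// client-side rule that forces a sign-out. All names below are assumed.

const SKEW_MS = 60 * 1000; // refresh a minute early so clock drift never yields an expired token

// Simulated identity-provider token endpoint with rotation: every refresh
// token is single-use, so a replayed (already consumed) token is rejected.
class FakeTokenEndpoint {
  constructor() {
    this.valid = new Set(['rt-1']); // constructed initial refresh token
    this.counter = 1;
  }
  refresh(refreshToken) {
    if (!this.valid.has(refreshToken)) throw new Error('invalid_grant'); // replay or revoked
    this.valid.delete(refreshToken); // the old token is burned on use
    this.counter += 1;
    const next = `rt-${this.counter}`;
    this.valid.add(next);
    return { access_token: `at-${this.counter}`, refresh_token: next, expires_in: 3600 };
  }
}

// Equivalent of the app-defined helper the jwt callback calls.
function refreshAccessToken(endpoint, token, now) {
  const r = endpoint.refresh(token.refreshToken);
  return {
    accessToken: r.access_token,
    refreshToken: r.refresh_token ?? token.refreshToken, // keep the old one if the provider does not rotate
    expires: now + r.expires_in * 1000,                  // absolute epoch ms, as in the post
  };
}

// Body of callbacks.jwt: return the token untouched while valid, rotate when
// (nearly) expired, and record a failure instead of throwing.
function jwtCallback(endpoint, token, now) {
  if (now + SKEW_MS < token.expires) return token;
  try {
    return { ...token, ...refreshAccessToken(endpoint, token, now), error: undefined };
  } catch (err) {
    // Do not keep retrying with the same refresh token; flag the session so the client signs out.
    return { ...token, error: 'RefreshAccessTokenError' };
  }
}

// Body of callbacks.session: propagate only what the browser needs plus the error flag.
function sessionCallback(session, token) {
  return {
    ...session,
    accessToken: token.accessToken,
    accessTokenExpires: token.expires,
    error: token.error,
  };
}

// Client-side check (e.g. in a useEffect that calls signOut()): stale or failed means forced logout.
function shouldForceSignOut(session, now) {
  return !session || session.error === 'RefreshAccessTokenError' || now >= session.accessTokenExpires;
}
```

The error flag rather than an exception is deliberate: a thrown error in `jwt` leaves the user with a broken session and no explanation, whereas `RefreshAccessTokenError` on the session lets the client clear cookies and redirect to sign-in, which is the forced-logout behaviour section 4 asks for.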

5️⃣ Debugging and monitoring

Monitoring authentication flows helps detect anomalies early:

  • Log all login attempts and role verification failures
  • Enable DEBUG="next-auth:*" in development for detailed logs
  • Monitor refresh token failures and session expirations
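The following added example (my code, not from the post or from NextAuth.js) shows what "log all login attempts and role verification failures" looks like in practice: structured JSON lines emitted from the NextAuth.js `events` option and from the app's own role check, and a small detector run over constructed sample lines that flags a subject with a burst of role-verification failures. `authEvent`, `roleCheckFailed`, `parseAuthLog` and `findFailureBursts` are names assumed for this example; the `events` object follows the `signIn` / `signOut` shape NextAuth.js accepts.

```javascript
// Added example (not from the post): structured auth logging plus a burst
// detector over sample lines. Helper names are assumed for this example.

// One JSON line per event; in production ship these to your log pipeline.
function authEvent(type, fields, now = Date.now()) {
  return JSON.stringify({ ts: new Date(now).toISOString(), src: 'next-auth', type, ...fields });
}

// Shape compatible with the NextAuth.js `events` option.
const events = {
  signIn({ user, account, isNewUser }) {
    console.log(authEvent('signin', { sub: user.id, provider: account?.provider, isNewUser }));
  },
  signOut({ token }) {
    console.log(authEvent('signout', { sub: token?.sub }));
  },
};

// Called by the app's own role verification when a user lacks the required role (assumed hook).
function roleCheckFailed(sub, requiredRole, ip) {
  console.log(authEvent('role_verification_failed', { sub, requiredRole, ip }));
}

function parseAuthLog(lines) {
  return lines.map((line) => JSON.parse(line));
}

// Flag subjects with at least `threshold` events of `type` inside a sliding window.
function findFailureBursts(entries, { type, windowMs, threshold }) {
  const bySub = new Map();
  for (const e of entries) {
    if (e.type !== type || !e.sub) continue;
    const times = bySub.get(e.sub) ?? [];
    times.push(Date.parse(e.ts));
    bySub.set(e.sub, times);
  }
  const flagged = [];
  for (const [sub, times] of bySub) {
    times.sort((a, b) => a - b);
    let start = 0;
    for (let end = 0; end < times.length; end++) {
      while (times[end] - times[start] > windowMs) start++;
      if (end - start + 1 >= threshold) { flagged.push(sub); break; }
    }
  }
  return flagged;
}

// Constructed sample lines (not real logs): u-42 fails the manager check three
// times within 40 seconds; u-7 signs in and fails once.
const T0 = Date.parse('2024-01-01T12:00:00Z');
const SAMPLE_LOG = [
  authEvent('signin', { sub: 'u-7', provider: 'oidc', isNewUser: false }, T0 + 5000),
  authEvent('role_verification_failed', { sub: 'u-42', requiredRole: 'manager', ip: '203.0.113.5' }, T0),
  authEvent('role_verification_failed', { sub: 'u-7', requiredRole: 'manager', ip: '203.0.113.9' }, T0 + 10000),
  authEvent('role_verification_failed', { sub: 'u-42', requiredRole: 'manager', ip: '203.0.113.5' }, T0 + 20000),
  authEvent('role_verification_failed', { sub: 'u-42', requiredRole: 'manager', ip: '203.0.113.5' }, T0 + 40000),
];

function suspiciousSubjects() {
  return findFailureBursts(parseAuthLog(SAMPLE_LOG), {
    type: 'role_verification_failed', windowMs: 60 * 1000, threshold: 3,
  });
}
```

The same detector applies unchanged to `signin` failures or refresh-token errors if those are logged with a `sub` field; the point is that events are structured at the source so the query is trivial later.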

6️⃣ CSRF and CORS considerations

  • NextAuth.js has built-in CSRF protection for sign-in requests
  • Always configure your backend APIs with proper CORS headers
  • For manager approval flows or popups, ensure postMessage only accepts trusted origins
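The third bullet is where popup-based approval flows most often go wrong: a `message` listener that never checks `event.origin`, or a `postMessage(..., '*')` that hands the approval result to whatever page opened the popup. The following added example (my code, not from the post or from NextAuth.js) shows the receiver check, the sender with an explicit target origin, and an allowlist-based CORS header builder for the backend API. `TRUSTED_ORIGINS`, `handleApprovalMessage`, `sendApproval` and `corsHeadersFor` are names assumed for this example and the origins are constructed.

```javascript
// Added example (not from the post): origin checks for a popup approval flow
// and allowlist-based CORS headers. All names and origins are assumed/constructed.

const TRUSTED_ORIGINS = new Set([
  'https://app.example.com',      // constructed: the main Next.js app
  'https://manager.example.com',  // constructed: the manager approval popup
]);

// Receiver side, e.g. window.addEventListener('message', (e) => handleApprovalMessage(e, onApproved)).
// Returns the accepted payload, or null when the message must be ignored.
function handleApprovalMessage(event, onApproved) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return null; // foreign or origin-less message: drop it
  const data = event.data;
  const wellFormed = data && data.type === 'sso:approval'
    && typeof data.requestId === 'string' && typeof data.approved === 'boolean';
  if (!wellFormed) return null;                         // schema check even from trusted origins
  if (typeof onApproved === 'function') onApproved(data);
  return data;
}

// Sender side (inside the popup): always name the target origin, never '*'.
function sendApproval(targetWindow, targetOrigin, payload) {
  if (!TRUSTED_ORIGINS.has(targetOrigin)) {
    throw new Error(`refusing to post approval to untrusted origin ${targetOrigin}`);
  }
  targetWindow.postMessage({ type: 'sso:approval', ...payload }, targetOrigin);
}

// Backend API: echo an allowlisted Origin only. With credentials (cookies) the
// browser rejects '*', and reflecting arbitrary origins would defeat the check.
function corsHeadersFor(requestOrigin) {
  if (!requestOrigin || !TRUSTED_ORIGINS.has(requestOrigin)) return {}; // no CORS headers: browser blocks
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': 'GET,POST,OPTIONS',
    'Access-Control-Allow-Headers': 'Authorization,Content-Type',
    'Vary': 'Origin', // keep caches from serving one origin's CORS response to another
  };
}
```

Pair `corsHeadersFor` with the session cookie's `SameSite=lax` setting from section 1: the cookie attribute stops the browser from attaching the session to cross-site POSTs, and the CORS allowlist stops an unlisted origin from reading responses even when a request does get through.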

7️⃣ Summary

By following these practices, your Next.js SSO flows become production-ready:

  • Secure session cookies
  • Refresh token rotation and propagation
  • Least privilege scopes
  • Token expiration handling and forced logout
  • Logging and monitoring
  • CSRF and CORS protections

This concludes the Next.js Frontend SSO Series. With these 7 posts, you now have a complete guide from basic setup to advanced flows, role management, popup approval, token handling, and security hardening.

Part of the Next.js Frontend SSO Series

❤️ Support This Blog


If this post helped you, you can support my writing with a small donation. Thank you for reading.

