Sep 24, 2025 6 min read

Making Security Taste Good

To build Authentication from scratch is to drink Hemlock.

It is the great filter of software engineering. Before one may paint the masterpiece—the dashboard, the agent, the marketplace—one must first build the Dungeon. One must forge the keys, dig the moat, and set the portcullis.

It is a task devoid of glory, yet fraught with peril. A single misstep in CORS configuration, a solitary lapse in session management, and the castle falls.

I found myself in this purgatory for the tenth time, stitching together fragile strategies with the thread of despair. I sought not just a library, but a deliverance.

I wanted security to feel not like a burden, but like Silk.

The Alchemist's Promise

I built Buttery-Auth to end the masochism.

It is not merely a framework; it is a Citadel in a Box. It creates a hermetically sealed environment where identity is verified with the precision of a Swiss watchmaker and the strength of a bank vault.

The Decree: "To reduce the 'Time-to-Trust' from weeks of agony to minutes of awe."

The Anatomy of the Gate

We did not simply write code; we curated a defense system. Like a curator arranging artifacts, we placed every cryptographic primitive with intention.

1. The Wax Seal (Stateless JWTs)

Old sessions were like Ledgers—heavy, centralized, and prone to burning. We chose JSON Web Tokens (JWT). Think of these not as database rows, but as Royal Decrees, stamped with a cryptographic wax seal.

  • The Access Token: A fleeting pass, valid only for moments.
  • The Refresh Token: The master key, guarded within Secure, HttpOnly cookies, invisible to the prying eyes of client-side scripts.
  • The Rotation: A "Burn After Reading" protocol. Use a refresh token once and it is revoked and replaced by a new one, so a replayed token is rejected, and a token that turns up a second time is treated as stolen.

2. The Foreign Diplomats (OAuth 2.0)

Passwords are the relics of a darker age. They are secrets waiting to be spilled. Buttery-Auth opens the gates to Foreign Diplomats—Google and GitHub. We use the OAuth 2.0 protocol to establish a treaty of trust without ever exchanging the keys to the kingdom.

3. The Second Turn (2FA)

For the vaults that hold the crown jewels, a single key is insufficient. We forged a Two-Factor Authentication mechanism. It is the second turn of the key in the nuclear silo—a TOTP algorithm that demands proof of possession, not just knowledge.

The Foundation of Stone

We built this upon the "Charcoal Stack"—resilient, dark, and enduring.

The Iron Dome

Bcrypt hashing, CSRF shields, and XSS sanitization woven into the very fabric of the request lifecycle.

The Vessel

Entire stack hermetically sealed in Docker containers. Deploy the fortress anywhere, unchanged.

The Velocity

Forged in Node.js. Non-blocking I/O ensures the gates open instantly, even under siege.

The Law

Strict adherence to TypeScript contracts. The data shapes are immutable and predictable.

Who is Worthy?

  • The Architects: Building SaaS platforms requiring Role-Based Access Control (RBAC) without the monthly tribute to Auth0.
  • The Guardians: Securing internal dashboards where a breach would mean ruin.
  • The Visionaries: Who wish to ship the MVP before the sun sets, without leaving the back door open.

Seize the Keys.

Stop building the lock. Start building the treasure.