FuscAuth

Centralized authentication service for the fuscripts ecosystem. Google OAuth, JWT tokens, shared commons packages, and the beginning of it all.

Node.js AWS Serverless DynamoDB Svelte

Timeline

One Sheriff, Every Door

November 2, 2025

What shipped

  • Shared backend library (fuscauth-commons) -- centralized JWT verification, auth middleware, and types into one package. Every API imports instead of copy-pasting
  • Shared frontend library (fuscauth-web-commons) -- centralized token management, login flow orchestration, and auth utilities for all web apps
  • Mock authentication for local development -- automatically generates valid JWTs in the browser using Web Crypto API when running locally. No OAuth dance, no token copying from DevTools, works offline. The single biggest DX improvement in the project's history
  • UUID migration -- replaced Google IDs as user identifiers with internal UUIDs. Decoupled identity from any single OAuth provider, enabling future multi-provider support (GitHub, Apple, etc.)
  • Email hashing with HMAC-SHA256 -- emails are hashed with a secret pepper before storage, enabling cross-provider account linking without storing plaintext emails
  • Lazy migration strategy -- existing users auto-migrate to UUIDs on their next login. No batch scripts, no downtime
  • AuthGuard React component -- wraps any fuscripts app, handles auth state, redirects if unauthenticated, renders mock banner in dev
  • Shared FuscHeader component -- consistent header with logo, app name, user info, and logout across all apps
  • React 19 compatibility -- updated peerDependencies to support React 19
  • Logo dimension fixes -- adjusted FuscriptsLogo sizing in the shared header
Before this, every new fuscripts project meant duplicating auth code and dreading local dev. After this, adding auth to a new project is two imports and a config object. The mock auth alone saved hours of frustration per week.

The UUID migration was the quieter but more significant change. FuscAuth is no longer married to Google. When the day comes to add GitHub or Apple login, the architecture is ready -- accounts link automatically by email hash, and no existing user needs to do anything.

This is when FuscAuth became infrastructure.

Open for Business

February 28, 2025

February - May 2025. The sheriff got a face, a front door, and better manners.

What shipped

  • Project restructure -- moved existing backend code into an api/ folder, establishing the standard fuscripts project layout
  • SvelteKit frontend -- built the login page from scratch. The Fusheriff finally had a home. Users could see where they were logging in and why
  • API-frontend integration -- wired the backend OAuth flow to work with the new frontend callback handling
  • PII minimization -- reduced the data requested from Google and stored in DynamoDB to the bare minimum. If we don't need it, we don't ask for it
  • IAM tightening -- replaced the general AWS role with specific IAM permissions in serverless.yml. Principle of least privilege
  • Login integration testing -- end-to-end verification that the full flow worked with client apps
  • Token expiration set to 7 days -- landed on the sweet spot between convenience (not re-logging daily) and security (not staying valid forever)
  • Dev script and documentation -- added local dev tooling and wrote a README with actually useful information
This was the leap from "it works in Postman" to "a real person can use this." The SvelteKit frontend gave FuscAuth its identity -- the Fusheriff, the wild west theming, the personality that would define the entire fuscripts ecosystem.

Security posture improved significantly with PII minimization and proper IAM scoping. And with a 7-day token expiration, the balance between UX and security was set.

After this round, FuscAuth wasn't a proof of concept anymore. It was open for business.

The First Badge

November 10, 2024

What shipped

  • Google OAuth proof of concept -- the first end-to-end login flow, from redirect to token
  • Refresh token logic -- access tokens expire, so users get a 30-day refresh token to avoid re-authenticating constantly
  • Token verification endpoint -- a Lambda authorizer that validates JWTs for all downstream APIs
  • Payload 2.0 -- restructured the JWT payload and simplified the verification response
  • Cleanup -- removed test logs that snuck into the first push (Nov 23)
This was the foundation. No frontend yet, no shared libraries, no fancy DX -- just a working OAuth flow that could issue and verify tokens. Every fuscripts app that exists today authenticates through logic that traces back to these four commits.

The vision was simple: log in once, access everything. On November 10, that vision became real code.