Email and Password

LaunchFast provides email and password authentication using web standards and established libraries. Passwords are hashed with bcrypt. Email verification is required before account creation.

Signup flow

  1. User submits their email address
  2. LaunchFast sends a verification email with a code and a link
  3. User verifies by entering the code or clicking the link
  4. User completes onboarding, including setting their password

Login

Users log in with their email and password. If two-factor authentication is enabled, they are prompted for their 2FA code after password verification.

Forgot password

The forgot password flow sends a TOTP verification code to the user's email. After verification, the user can set a new password.

OAuth providers

LaunchFast includes GitHub OAuth out of the box, built on remix-auth. You can add other providers supported by remix-auth, including OpenID Connect via web-oidc.

GitHub OAuth setup

During development, GitHub OAuth is mocked when GITHUB_CLIENT_ID starts with MOCK_ (using MSW). For real GitHub authentication:

  1. Go to GitHub Settings, then Developer settings, then OAuth Apps
  2. Register a new application with Homepage URL http://localhost:3000 and Callback URL http://localhost:3000/auth/github/callback
  3. Copy the Client ID to GITHUB_CLIENT_ID in your .env
  4. Generate a client secret and copy it to GITHUB_CLIENT_SECRET

GITHUB_CLIENT_ID="your-client-id"
GITHUB_CLIENT_SECRET="your-client-secret"

Create separate OAuth apps for each deployed environment (staging, production) with the appropriate URLs.

Related

  • Rate limiting — protecting login and signup endpoints from abuse