Authentication
HIVE Protocol implements a comprehensive authentication system built on Supabase Auth, providing secure identity management for all platform users. This guide covers the complete authentication architecture, from basic email/password flows to advanced two-factor authentication.
Authentication Architecture
The authentication system uses a layered approach combining industry-standard protocols with platform-specific enhancements:
```
┌─────────────────────────────────────────────────────────────────┐
│ Client Application                                              │
├─────────────────────────────────────────────────────────────────┤
│ Supabase Client SDK (@supabase/supabase-js)                     │
│   - Session management                                          │
│   - Token refresh                                               │
│   - Auth state listeners                                        │
└──────────────────────────┬──────────────────────────────────────┘
                           │
                           ▼
┌─────────────────────────────────────────────────────────────────┐
│ Supabase Auth                                                   │
├─────────────────────────────────────────────────────────────────┤
│ JWT Token Generation & Validation                               │
│   - Access tokens (1 hour expiry)                               │
│   - Refresh tokens (7 day expiry)                               │
│   - Automatic token rotation                                    │
├─────────────────────────────────────────────────────────────────┤
│ Password Security                                               │
│   - bcrypt hashing (cost factor 10)                             │
│   - No plain-text storage                                       │
│   - Secure comparison                                           │
├─────────────────────────────────────────────────────────────────┤
│ Two-Factor Authentication (TOTP)                                │
│   - Time-based one-time passwords                               │
│   - RFC 6238 compliant                                          │
│   - Backup code support                                         │
└─────────────────────────────────────────────────────────────────┘
```

Email/Password Authentication
Registration Flow
New users register with email and password through a secure multi-step process:
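```typescript
import { supabase } from '@/lib/supabase';

async function registerUser(email: string, password: string) {
  // Create the account; the password is sent to Supabase Auth, which stores only its hash.
  const { data, error } = await supabase.auth.signUp({
    email,
    password,
    // Profile metadata attached to the new user, left empty at registration.
    options: { data: { full_name: '', avatar_url: '' } }
  });
  if (error) throw error;
  return data;
}
```

Password Requirements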
| Requirement | Minimum | Recommended |
|---|---|---|
| Length | 8 characters | 12+ characters |
| Uppercase | 1 character | 2+ characters |
| Lowercase | 1 character | 2+ characters |
| Numbers | 1 digit | 2+ digits |
| Special chars | 1 character | 2+ characters |
Login Flow
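```typescript
import { supabase } from '@/lib/supabase';

async function login(email: string, password: string) {
  // On success, data carries the user and the session (access and refresh tokens).
  const { data, error } = await supabase.auth.signInWithPassword({ email, password });
  if (error) throw error;
  return data;
}
```

Two-Factor Authentication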
HIVE Protocol supports TOTP-based 2FA compatible with Google Authenticator, Authy, 1Password, and Microsoft Authenticator.
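How an RFC 6238 code is derived and checked on the verifying side, as an added example that is not HIVE Protocol or Supabase code. The function names, the 30-second step, 6-digit codes, the one-step drift window and the `lastUsedStep` replay check are assumptions for illustration; the secret is the published RFC 6238 test value.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
function hotp(secret: Buffer, counter: number, digits = 6): string {
  const msg = Buffer.alloc(8);
  msg.writeUInt32BE(Math.floor(counter / 0x100000000), 0); // high 32 bits
  msg.writeUInt32BE(counter >>> 0, 4);                     // low 32 bits
  const mac = createHmac("sha1", secret).update(msg).digest();
  const offset = mac.readUInt8(mac.length - 1) & 0x0f;     // low nibble of last byte
  const bin = mac.readUInt32BE(offset) & 0x7fffffff;       // drop the sign bit
  const mod = Math.pow(10, digits);
  return (mod + (bin % mod)).toString().slice(1);          // left-pad with zeros
}

// RFC 6238 TOTP: the counter is the number of time steps since the Unix epoch.
function totp(secret: Buffer, unixSeconds: number, step = 30, digits = 6): string {
  return hotp(secret, Math.floor(unixSeconds / step), digits);
}

// Verifier (hypothetical helper): accepts the current step plus `window` steps on
// either side for clock drift. Returns the matched step so the caller can store it
// and reject a replay of the same code, or null when nothing matches.
function verifyTotp(
  secret: Buffer, code: string, unixSeconds: number,
  lastUsedStep = -1, window = 1, step = 30,
): number | null {
  if (!/^\d{6}$/.test(code)) return null;
  const current = Math.floor(unixSeconds / step);
  const submitted = Buffer.from(code);
  let matched: number | null = null;
  for (let c = current - window; c <= current + window; c++) {
    if (c < 0) continue;
    // Constant-time compare, no early exit: timing does not reveal which step matched.
    const ok = timingSafeEqual(Buffer.from(hotp(secret, c)), submitted);
    if (ok && c > lastUsedStep) matched = c;
  }
  return matched;
}

// Constructed sample: the ASCII test secret from RFC 6238 Appendix B, not a real key.
const SAMPLE_SECRET = Buffer.from("12345678901234567890", "ascii");
```

Persisting the returned step per user and passing it back as `lastUsedStep` is what prevents a captured code from being accepted twice inside its validity window.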
Session Management
Token Lifecycle
| Token Type | Expiry | Refresh |
|---|---|---|
| Access Token | 1 hour | Automatic |
| Refresh Token | 7 days | On use |
Security Headers
| Header | Value | Purpose |
|---|---|---|
| Authorization | Bearer {token} | User authentication |
| apikey | {anon_key} | Project identification |
Related Documentation
- [Authorization](/docs/security/authorization): RLS policies and access control
- [Data Privacy](/docs/security/data-privacy): Encryption and data protection
- [Best Practices](/docs/security/best-practices): Security recommendations