# Production Level Signup, Authentication and Authorization Process


brisk rivet
  1. User should be able to sign up with email -> An email should be sent to the address to make sure it's valid
  2. User should be able to Login
  3. User should be able to click on forgot password and a forgot password workflow be initiated
  4. User should be able to logout

I want to implement this in the most secure way possible, using all the best practices.
Thank you for your help 🙏

steady hatch

How do you want to validate the existence or validity of the email?
What is your reset password flow?
JWTs or Sessions?
Do you want to allow for refreshing the current session?

There's a lot that's missing here

brisk rivet

> How do you want to validate the existence or validity of the email?
-> I've never done this before, but I normally see websites send a link to the email, and when that link is clicked the account is then verified. I assume part of that link would be a token stored in the database that is related to the user account.

> What is your reset password flow?
-> Also never done this before, but I assume it would be something like this:
User clicks forgot password -> User enters the email address for the account -> A reset password token gets generated that is tied to the user account with the email that was entered previously -> A link is sent to the user's email, e.g. www.somsite.com/resetpassword/<token-that-was-generated> -> User resets password successfully -> User gets redirected to the login page

> JWTs or Sessions?
-> I've used JWT in the past and stored the token in local storage, but that's not safe due to XSS, so I've been learning about sessions lately and this is what I understand from it:
<image attached>

> Do you want to allow for refreshing the current session?
-> Mhmm, I don't see where this would be applicable in my current use case, but I'm not sure if this will be needed in the future.

steady hatch

> I normally see websites send a link to the email and when that link is clicked the account would then be verified
Okay, so you need an email service (like Mailgun or SendGrid or similar).
> I assume part of that link would be a token stored in the database that is related to the user account.
Yeah, sounds like a good plan.

Re: your reset email flow
Mostly sounds good. Make sure that not just anyone can send a reset email request and that it's the actual user who is initiating it (usually means security questions/challenges).

> JWTs or Sessions
Yeah, generally right, so which would you prefer to go with?

> Mhmm, I don't see where this would be applicable in my current use case but I'm not sure if this will be needed in the future
Well, login sessions usually expire after X amount of time. With JWTs, it's a good idea to keep them short-lived and constantly refresh them, since a JWT is a stateless access token. So you'd need a way to refresh the JWT so that the user isn't logging in every five minutes.

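The verification-link and reset-link token handling discussed above, as an added example that is not code from either poster: one helper issues a random single-use token for either purpose (signup email verification or password reset), stores only its hash with an expiry, and the consumer rejects unknown, used, expired or wrong-purpose tokens. The in-memory `USERS`/`TOKENS` dicts, the TTL values and the link domain are constructed placeholders standing in for database tables and real configuration.

```python
import hashlib
import secrets
import time
from typing import Optional

# Constructed TTLs: verification links can live longer than reset links.
TOKEN_TTL = {"verify_email": 24 * 3600, "reset_password": 15 * 60}

# Constructed in-memory stores standing in for database tables.
USERS = {"alice@example.com": {"verified": False}}
TOKENS = {}  # sha256(token) -> {"email", "purpose", "expires", "used"}


def _hash_token(token: str) -> str:
    # Persist only a hash: a leaked table row must not be a working link.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(email: str, purpose: str, now: Optional[float] = None) -> Optional[str]:
    """Create a one-time link token; returns the raw token to email, or None.

    The HTTP handler must answer identically whether or not the address
    exists, so the endpoint does not reveal which emails have accounts.
    """
    now = time.time() if now is None else now
    if email not in USERS:
        return None
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    TOKENS[_hash_token(token)] = {"email": email, "purpose": purpose,
                                  "expires": now + TOKEN_TTL[purpose], "used": False}
    return token


def consume_token(token: str, purpose: str, now: Optional[float] = None) -> Optional[str]:
    """Validate a token from a clicked link; returns the account email or None.

    Rejects unknown, already-used, expired, or wrong-purpose tokens, so a
    verification link can never be replayed as a password-reset link.
    """
    now = time.time() if now is None else now
    rec = TOKENS.get(_hash_token(token))
    if rec is None or rec["used"] or rec["purpose"] != purpose or now > rec["expires"]:
        return None
    rec["used"] = True  # single use: mark consumed before any state change
    return rec["email"]


def reset_link(token: str) -> str:
    # Link shape from the thread; the domain is a placeholder.
    return f"https://www.example.com/resetpassword/{token}"
```

After a successful reset the handler should also invalidate the account's other outstanding sessions and tokens, which this snippet leaves to the caller.
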
brisk rivet

Ok, got you.

> Yeah, generally right, so which would you prefer to go to?
I'll stick with sessions since it's straightforward and more secure.

steady hatch

Personally I like cookies and sessions. JWTs are great for machine-to-machine, but I find sessions more useful for user login management.