Show HN: Minimal NIST/OWASP-compliant auth implementation for Cloudflare Workers (github.com)
Stack: Hono, Turso (libSQL), PBKDF2-SHA384 + normalization + common-password checks, JWT access + refresh tokens with revocation support, HTTP-only SameSite cookies, device tracking.
It's deliberately minimal — no OAuth, no passkeys, no magic links, no rate limiting — because the goal is clarity and auditability.
I wrote it mainly to deeply understand edge-runtime auth constraints and to have a clean Apache-2.0 example that follows NIST SP 800-63B / SP 800-132 and OWASP guidance.
For production I'd almost always reach for Better Auth instead (https://www.better-auth.com) — this repo is not trying to compete with it.
Live demo: https://private-landing.vhsdev.workers.dev/
Repo: https://github.com/vhscom/private-landing
Happy to answer questions about the crypto choices, the refresh token revocation pattern, Turso schema, constant-time comparison, unicode pitfalls, etc.
4 comments
[ 3.6 ms ] story [ 20.1 ms ] threadWho specifically is this intended for? It's a wonder that the model didn't spice things up with some tangential compliance catnip like FIPS or PCI DSS.
I would be curious to see the prompts used to create this.
Recently, I don't think there could be a better example of applicability of Brandolini's law.
The commits feel more human than usual these days, as does the timeline.