Authentication

Authentication is handled by Supabase Auth. Users sign in with email and password, can enable two-factor authentication, reset passwords, verify email, and sign out of all devices.

#Purpose

Explain how identity is established and the account-security features available.

#Architecture

Supabase Auth manages credentials and sessions. The Next.js app reads the authenticated session server-side to identify the caller and their organization.

Account-security features are exposed through the app: two-factor authentication (per user), forgot/reset password, email verification, and sign-out-of-all-devices.

#How it works

1. Sign in: Supabase authenticates the credentials and issues a session.
2. Session used server-side: API routes resolve the user and organization from the session.
3. Second factor (optional): if the user enabled 2FA, it is completed at sign-in.
4. Recovery: forgot-password and email verification flows restore or confirm access.
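The flow above, written as a server-side guard for a Next.js API route. This is an added example, not DevSphere OS code: it assumes a request-bound Supabase server client (the kind @supabase/ssr's createServerClient produces), an `organization_members` table with `user_id`, `organization_id` and `role` columns, and the decision that a session whose user has enrolled 2FA but has not completed it this sign-in is not treated as fully authenticated. None of those details are on this page. The client is injected, and the stub at the bottom is constructed test data, so the logic runs offline.

```javascript
// Added example, not DevSphere OS code: resolve the caller and organization
// from the Supabase session and refuse sessions that have not completed an
// enrolled second factor. Assumptions (not from the page): a request-bound
// server client, and an `organization_members` table with user_id,
// organization_id and role columns.

// Pure decision step, kept synchronous so it is easy to test in isolation.
function decideAccess({ user, currentLevel, nextLevel, membership }) {
  if (!user) {
    return { ok: false, status: 401, reason: 'no valid session' };
  }
  // Supabase reports currentLevel 'aal1' with nextLevel 'aal2' when the user
  // has a verified second factor enrolled but this session has not completed
  // the challenge yet. Such a session must not be treated as fully signed in.
  if (nextLevel === 'aal2' && currentLevel !== 'aal2') {
    return { ok: false, status: 403, reason: 'second factor not completed' };
  }
  if (!membership) {
    return { ok: false, status: 403, reason: 'caller is not a member of this organization' };
  }
  return {
    ok: true,
    status: 200,
    userId: user.id,
    organizationId: membership.organization_id,
    role: membership.role,
  };
}

// Resolve the caller for one request. auth.getUser() validates the session
// with the auth server (an unverified JWT read from cookies is not enough),
// and auth.mfa.getAuthenticatorAssuranceLevel() reports the session's current
// and attainable assurance levels.
async function resolveCaller(supabase, organizationId) {
  const { data: userData, error: userError } = await supabase.auth.getUser();
  if (userError || !userData || !userData.user) {
    return decideAccess({ user: null });
  }
  const { data: aal } = await supabase.auth.mfa.getAuthenticatorAssuranceLevel();
  const { data: membership } = await supabase
    .from('organization_members')
    .select('organization_id, role')
    .eq('user_id', userData.user.id)
    .eq('organization_id', organizationId)
    .maybeSingle();
  return decideAccess({
    user: userData.user,
    currentLevel: aal ? aal.currentLevel : undefined,
    nextLevel: aal ? aal.nextLevel : undefined,
    membership,
  });
}

// Sign-out-of-all-devices: scope 'global' revokes every session of the user,
// not only the one making this call. Returns true when no error was reported.
async function signOutEverywhere(supabase) {
  const { error } = await supabase.auth.signOut({ scope: 'global' });
  return !error;
}

// Offline stand-in for the Supabase client, shaped like the calls used above.
// The scenario values are constructed test data, not real account state.
function makeStubClient({ user = null, currentLevel = 'aal1', nextLevel = 'aal1', membership = null } = {}) {
  const query = {
    select() { return query; },
    eq() { return query; },
    async maybeSingle() { return { data: membership, error: null }; },
  };
  const signOutCalls = [];
  return {
    signOutCalls,
    auth: {
      async getUser() {
        return user
          ? { data: { user }, error: null }
          : { data: { user: null }, error: new Error('invalid or expired session') };
      },
      mfa: {
        async getAuthenticatorAssuranceLevel() {
          return { data: { currentLevel, nextLevel }, error: null };
        },
      },
      async signOut(options) {
        signOutCalls.push(options);
        return { error: null };
      },
    },
    from() { return query; },
  };
}
```

In a real route handler, `resolveCaller` would run first and the handler would return the decision's `status` when `ok` is false; the organization id should come from the route (path or validated header), never from a value the caller can set without a membership check, which is why membership is looked up against the authenticated user id rather than trusted from the request.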

#Implementation notes

  • 2FA is enabled per user; there is no organization-wide enforcement toggle.
  • Password policy and session lifetime are managed by the auth platform, not organization-configurable.
  • Sign-out-of-all-devices ends every active session for a user.

#Limitations

Known limitations

  • No org-configurable password policy or session timeout.
  • No org-wide 2FA enforcement (adoption must be driven by organizational policy).

#Security considerations

Security

  • Encourage 2FA for all privileged accounts.
  • Treat session handling as platform-managed; do not roll a custom auth layer.
  • Use sign-out-of-all-devices for suspected compromise.

#Best practices

  • Require strong passwords by policy and pair with 2FA.
  • Keep verified emails current for recovery.
  • Never store raw credentials in application tables.