HeadlinesBriefing.com

Cloudflare Workers Auth Reference Implementation: NIST/OWASP Standards

Hacker News: Front Page

A developer has released a minimal, standards-compliant authentication reference implementation for Cloudflare Workers that demonstrates how to build secure auth from first principles. The project uses Hono for routing, Turso (libSQL) for database storage, PBKDF2-SHA384 for password hashing with normalization and common-password checks, and JWT dual-token sessions with revocation support. The implementation includes HTTP-only SameSite cookies, device tracking, and follows NIST SP 800-63B and SP 800-132 guidelines along with OWASP recommendations.

Built deliberately minimal without OAuth, passkeys, magic links, or rate limiting, the project prioritizes clarity and auditability over feature completeness. The author created it primarily to understand edge-runtime authentication constraints and to provide a clean Apache-2.0 example that implements actual security properties rather than merely documenting them. With 250+ tests including attack-vector suites for token tampering, algorithm confusion, and unicode edge cases, the codebase demonstrates timing-safe rejection, session-linked revocation, and algorithm pinning.

The project explicitly recommends Better Auth for production use, positioning itself as an educational resource rather than a production library. The implementation includes comprehensive documentation of security headers, CSP policies, input validation with Zod schemas, and detailed guidance on extending the codebase toward production with critical features like rate limiting, breached-password checking, and CSRF protection.

Quick Fact: The project includes 250+ tests covering attack-vector suites and security edge cases.