SJForge Auth Hub

Production

Centralized SSO for all SJForge applications

Problem

Multiple SJForge tools need unified authentication and authorization, with users logging in once to access all their authorized applications.

Solution

A lightweight Next.js app serving as the SSO hub. Same-domain apps share Supabase session cookies; cross-project apps use HMAC-SHA256 tokens with a 60-second TTL.

Key Features

  • Supabase email/password authentication
  • Tool picker with auto-redirect for single-tool users
  • Cross-subdomain cookie sharing (.sjforge.dev)
  • HMAC-SHA256 token exchange (60s TTL)
  • Role-based access control
  • Nexus Design System UI

Tech Stack

  • Next.js
  • TypeScript
  • Supabase
  • Tailwind CSS
  • HMAC-SHA256
  • Vercel

Architecture

Hub-and-spoke auth: shared Supabase project for same-domain tools, HMAC tokens for cross-project apps. Middleware handles session refresh. Three database tables: users, tools, access grants.
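
The cross-project token exchange described above, sketched as an added example that is not the project's own code. The token layout (`base64url(JSON claims).base64url(MAC)`), the claim names `sub`, `tool` and `exp`, and the function names are assumptions; only HMAC-SHA256 and the 60-second TTL come from this page.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Hypothetical claim set: the page does not document the token's fields.
interface Claims { sub: string; tool: string; exp: number }

const TTL_SECONDS = 60; // TTL stated on the page

function sign(body: string, secret: string): Buffer {
  return createHmac("sha256", secret).update(body).digest();
}

// Hub side: issue a token bound to one user and one target tool.
function issueToken(sub: string, tool: string, secret: string,
                    nowMs: number = Date.now()): string {
  const claims: Claims = { sub, tool, exp: Math.floor(nowMs / 1000) + TTL_SECONDS };
  const body = Buffer.from(JSON.stringify(claims)).toString("base64url");
  return `${body}.${sign(body, secret).toString("base64url")}`;
}

// Spoke side: returns the claims, or null if the token must be rejected.
function verifyToken(token: string, tool: string, secret: string,
                     nowMs: number = Date.now()): Claims | null {
  const dot = token.lastIndexOf(".");
  if (dot < 0) return null;
  const body = token.slice(0, dot);
  const given = Buffer.from(token.slice(dot + 1), "base64url");
  const expected = sign(body, secret);
  // Compare lengths first: timingSafeEqual throws on unequal lengths.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  // Parse the payload only after the MAC has been verified.
  let claims: Claims;
  try {
    claims = JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
  } catch {
    return null;
  }
  if (typeof claims.exp !== "number" || claims.exp <= Math.floor(nowMs / 1000)) return null;
  if (claims.tool !== tool) return null; // token was issued for a different app
  return claims;
}
```

A short TTL narrows the replay window but does not close it; a spoke that needs single-use tokens also has to remember which tokens it has already accepted until they expire.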


Metrics

  • Auth Methods: 2
  • Token TTL: 60s
  • Database Tables: 3

My Role

Sole developer. Designed the SSO architecture, implemented both cookie and token auth flows.