Cloudcore

Authentication Methods

Cloudcore supports 5 authentication methods. All are configurable from Admin > Settings.

Password (email/password)

Default method. Passwords are hashed with PBKDF2-SHA512 at 210,000 iterations (OWASP 2023 standard). Requirements: 12+ characters, uppercase, lowercase, number, special character.
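As an added illustration of the two rules in this paragraph (the password policy and PBKDF2-HMAC-SHA512 at 210,000 iterations), the following Python is example code written for this page, not Cloudcore's own implementation. The stored-string layout (algorithm, iteration count, salt, digest, separated by "$"), the 16-byte salt and the needs_rehash helper are assumptions made for the example; only the iteration count and the policy rules come from the documentation.

```python
import hashlib
import hmac
import secrets
import string
from typing import Optional

# From the documentation: PBKDF2 with HMAC-SHA512 at 210,000 iterations.
PBKDF2_ITERATIONS = 210_000
SALT_BYTES = 16  # assumption: salt size is not stated on the page
# Assumption: a self-describing storage layout so old hashes can be upgraded later.
STORED_FORMAT = "pbkdf2_sha512${iterations}${salt}${digest}"


def password_meets_policy(password: str) -> bool:
    """Documented rules: 12+ characters, uppercase, lowercase, number, special character."""
    if len(password) < 12:
        return False
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(c in string.punctuation for c in password)
    return has_upper and has_lower and has_digit and has_special


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hash with a fresh random salt; the iteration count travels with the hash."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return STORED_FORMAT.format(iterations=PBKDF2_ITERATIONS, salt=salt.hex(), digest=digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters embedded in the stored string, compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha512":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: reject rather than raise
    actual = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str) -> bool:
    """True when the stored hash uses fewer iterations than the current setting (or is malformed)."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha512":
        return True
    try:
        return int(parts[1]) < PBKDF2_ITERATIONS
    except ValueError:
        return True
```

A login handler would call verify_password on the stored record and, when needs_rehash reports an older iteration count, re-hash the just-verified password so the work factor can be raised over time without a forced reset.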

Passkeys (WebAuthn / FIDO2)

Passwordless authentication using fingerprint, face scan, or hardware security keys. Users register passkeys from their Profile page, then use them to sign in.

Magic Links

Send a one-time login link via email. Requires SMTP configuration (or SendGrid/Resend/Mailgun API key). Links expire in 15 minutes and are single-use.
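The lifecycle described above (a random one-time link, a 15-minute expiry, single use) can be shown with the following Python, added here as an example and not taken from Cloudcore. The callback path "/auth/magic", the in-memory store and the injectable clock are assumptions for the example; the token is stored only as its SHA-256 hash so a copy of the store does not yield usable links.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

MAGIC_LINK_TTL_SECONDS = 15 * 60  # documented: links expire in 15 minutes


@dataclass
class MagicLinkRecord:
    email: str
    expires_at: float
    used: bool = False


class MagicLinkIssuer:
    """Store keyed by SHA-256(token); the raw token only ever leaves in the email."""

    def __init__(self, base_url: str, now: Callable[[], float] = time.time):
        self.base_url = base_url  # assumption: the CMS's public origin
        self.now = now            # injectable clock so expiry can be tested
        self._records: Dict[str, MagicLinkRecord] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, email: str) -> str:
        """Return the link to put in the email; nothing but the hash is kept server-side."""
        token = secrets.token_urlsafe(32)  # 256 bits of entropy, URL-safe alphabet
        self._records[self._key(token)] = MagicLinkRecord(
            email=email, expires_at=self.now() + MAGIC_LINK_TTL_SECONDS
        )
        return f"{self.base_url}/auth/magic?token={token}"  # path is an assumption

    def redeem(self, token: str) -> Optional[str]:
        """Return the email to sign in, or None if unknown, already used, or expired."""
        key = self._key(token)
        rec = self._records.get(key)
        if rec is None or rec.used:
            return None
        if self.now() > rec.expires_at:
            del self._records[key]  # expired: drop it so the table does not grow
            return None
        rec.used = True  # single-use: mark consumed before the caller creates a session
        return rec.email

    def pending_count(self) -> int:
        """Number of unexpired, unredeemed links (useful for a housekeeping job)."""
        t = self.now()
        return sum(1 for r in self._records.values() if not r.used and t <= r.expires_at)
```

The redeem step marks the record used before returning, so two near-simultaneous requests with the same token cannot both succeed; with a database store the same effect needs an atomic conditional update rather than a read followed by a write.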

GitHub OAuth

Login with GitHub. Requires GITHUB_CLIENT_ID and GITHUB_CLIENT_SECRET. Only verified primary emails are accepted. Users must exist in the CMS first; OAuth does not auto-create accounts.

Google OAuth

Login with Google. Requires GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET. Uses PKCE for extra security. Same rules as GitHub: accounts must exist first.
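The PKCE exchange mentioned here, together with the account rules shared by the GitHub and Google paragraphs (a verified email, no auto-created accounts), is worked through in the following Python. It is example code added for this page, not Cloudcore's implementation. The code_verifier and S256 code_challenge follow RFC 7636; the Google authorization endpoint URL is the real one, while the callback URI, the scope, the in-memory pending-state table and the accept_identity rule are assumptions for the example.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set
from urllib.parse import urlencode

GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """32 random bytes give a 43-character verifier (RFC 7636 allows 43..128)."""
    return _b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def challenge_matches(verifier: str, challenge: str) -> bool:
    """The check the authorization server performs when the code is exchanged."""
    return hmac.compare_digest(code_challenge_s256(verifier), challenge)


class PkceLoginFlow:
    """Server side of the login: one verifier per state, then the documented account rules."""

    def __init__(self, client_id: str, redirect_uri: str, existing_users: Set[str]):
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self.existing_users = existing_users  # assumption: set of emails already in the CMS
        self._pending: Dict[str, str] = {}     # state -> code_verifier (server-side session data)

    def begin(self) -> str:
        """Build the redirect URL; only the challenge leaves the server, the verifier stays."""
        state = secrets.token_urlsafe(16)
        verifier = make_code_verifier()
        self._pending[state] = verifier
        params = {
            "client_id": self.client_id,
            "redirect_uri": self.redirect_uri,
            "response_type": "code",
            "scope": "openid email",  # assumption
            "state": state,
            "code_challenge": code_challenge_s256(verifier),
            "code_challenge_method": "S256",
        }
        return GOOGLE_AUTH_ENDPOINT + "?" + urlencode(params)

    def verifier_for_callback(self, state: str) -> Optional[str]:
        """Pop the verifier for this state; an unknown or replayed state yields None."""
        return self._pending.pop(state, None)

    def accept_identity(self, email: str, email_verified: bool) -> Optional[str]:
        """Documented rules: only a verified email, and only for an account that already exists."""
        if not email_verified:
            return None
        if email not in self.existing_users:
            return None  # no auto-provisioning
        return email
```

On the callback the server looks up the verifier by state, sends it with the authorization code to the token endpoint, and only then applies accept_identity to the email returned by the provider.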

Cloudflare Access

Integrate with Cloudflare Access for zero-trust authentication. Requires CF_ACCESS_TEAM_DOMAIN, CF_ACCESS_AUD, and CF_ACCESS_ENABLED=true.

Disabling methods

Go to Admin > Settings > Authentication Methods to toggle each method on/off. Safety check: you cannot disable all methods. If an environment variable is not set for a method (e.g., no GitHub OAuth credentials), it shows as "Not configured" and cannot be enabled.

Session management

  • Sessions last 30 days by default
  • Optional sliding window extends active sessions (max 90-day absolute lifetime)
  • Session tokens are SHA-256 hashed before storage; only the client has the raw token
  • All sessions are invalidated when a user's password is changed
  • Cookies use SameSite=Strict, HttpOnly, and Secure (in production)
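The five session rules above (30-day default, optional sliding window capped at 90 days absolute, hashed storage, revocation on password change, cookie attributes) are put together in the following Python, added as an example for this page and not taken from Cloudcore. The cookie name, the in-memory store and the injectable clock are assumptions for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

DAY = 24 * 3600
DEFAULT_TTL = 30 * DAY              # documented default session length
ABSOLUTE_MAX = 90 * DAY             # documented cap for sliding sessions
COOKIE_NAME = "cloudcore_session"   # assumption: the real cookie name is not on the page


@dataclass
class Session:
    user_id: str
    created_at: float
    expires_at: float


class SessionStore:
    """Sessions keyed by SHA-256(token); the raw token exists only in the client's cookie."""

    def __init__(self, sliding: bool = False, now: Callable[[], float] = time.time):
        self.sliding = sliding
        self.now = now  # injectable clock so expiry can be tested
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def create(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)
        t = self.now()
        self._sessions[self._key(token)] = Session(user_id, t, t + DEFAULT_TTL)
        return token

    def resolve(self, token: str) -> Optional[str]:
        """Return the user id for a live session; expired sessions are dropped on sight."""
        key = self._key(token)
        sess = self._sessions.get(key)
        if sess is None:
            return None
        t = self.now()
        if t > sess.expires_at:
            del self._sessions[key]
            return None
        if self.sliding:
            # activity extends the session, but never past 90 days from creation
            sess.expires_at = min(t + DEFAULT_TTL, sess.created_at + ABSOLUTE_MAX)
        return sess.user_id

    def expires_at(self, token: str) -> Optional[float]:
        sess = self._sessions.get(self._key(token))
        return None if sess is None else sess.expires_at

    def revoke_all_for_user(self, user_id: str) -> int:
        """Called on password change: every session of that user is dropped."""
        doomed = [k for k, s in self._sessions.items() if s.user_id == user_id]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)

    def cookie_header(self, token: str, production: bool) -> str:
        """Set-Cookie value with the documented attributes; Secure only in production."""
        attrs = [f"{COOKIE_NAME}={token}", "Path=/", "HttpOnly", "SameSite=Strict"]
        if production:
            attrs.append("Secure")
        return "; ".join(attrs)
```

Because only the hash is stored, a leaked copy of the session table cannot be replayed as cookies, and revocation works by deleting rows rather than by maintaining a separate blocklist.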