Authentication & Role-Based Security Verification (Current + Future Capabilities)

Question

1. Is role\u002Dbased access supported (admin/user/custom roles)?\u000a\u000a2. Can we apply role rules per route or per table?\u000a\u000a3. How are passwords stored (strong hashing)?\u000a\u000a4. What is the session duration? Is auto logout supported?\u000a\u000a5. Is a refresh token used or only session cookies?\u000a\u000a6. Are HTTP\u002Donly cookies used?\u000a\u000a7. Is there secure email verification and password reset flow?\u000a\u000a8. Is rate limiting / brute\u002Dforce protection implemented?\u000a\u000a9. Can sessions be revoked / force logout supported?\u000a\u000a10. Can advanced roles or SSO be added in the future?

Riya_NoCodeBackend · Answer

Hey — great security checklist. Below is a clear overview of our current capabilities and what’s planned.\u000a\u000a1️⃣ Role\u002Dbased access\u000a\u000aWe support Row Level Security (RLS) with three access modes:\u000a\u000a• Private — only the data owner can access\u000a• Shared — all authenticated users can access\u000a• Public — no authentication required\u000a\u000aNamed roles like “admin” or custom roles are not built\u002Din today but are planned for future expansion (see #10).\u000a\u000a2️⃣ Rules per route or per table\u000a\u000aAccess policies are configured per table, and both authenticated and public API routes automatically enforce the table\u002Dlevel policy you’ve defined.\u000a\u000a3️⃣ Password storage\u000a\u000aPasswords are never stored in plaintext. We use industry\u002Dstandard bcrypt hashing for secure password storage.\u000a\u000a4️⃣ Session duration / auto logout\u000a\u000aSessions have a 7\u002Dday duration and automatically expire after that period, effectively acting as auto logout. Active sessions are refreshed during use to keep users signed in while they remain active.\u000a\u000a5️⃣ Refresh tokens vs cookies\u000a\u000aWe currently use session cookies only. Sessions are extended on activity so users remain logged in while actively using the app.\u000a\u000a6️⃣ HTTP\u002Donly cookies\u000a\u000aYes — session cookies are HTTP\u002Donly and use the Secure flag on HTTPS, preventing client\u002Dside JavaScript access and helping protect against XSS.\u000a\u000a7️⃣ Email verification \u0026 password reset\u000a\u000aYes — we support secure password reset via email link and email OTP verification (6\u002Ddigit code with 5\u002Dminute expiry). SMTP configuration is required per database.\u000a\u000a8️⃣ Rate limiting / brute\u002Dforce protection\u000a\u000aRate limiting is not built\u002Din today but is on our near\u002Dterm roadmap.\u000a\u000aIn the meantime, if you’re deploying behind services like Vercel, Cloudflare, or AWS, these platforms provide built\u002Din rate limiting and DDoS protection that typically cover auth endpoints out of the box without additional setup.\u000a\u000aOnce we ship native rate limiting, it will work automatically without requiring deployment changes.\u000a\u000a9️⃣ Session revocation / force logout\u000a\u000aYes — users can sign out to clear their session. Password changes can optionally revoke other active sessions, and deleting a user invalidates sessions.\u000a\u000a🔟 Advanced roles / SSO (future)\u000a\u000aThe architecture is designed to be extensible. Google OAuth is already supported, and support for custom roles, SAML/SSO, and more advanced access models can be added as the platform evolves.

NoCodeBackend

Share NoCodeBackend

Choose a plan

Related questions