Full-Stack • Authentication • SSO

My Portal – SSO Hub for Multi-Domain Applications

Professional-grade SSO hub and identity provider for centralized authentication and granular access control across a multi-domain ecosystem.

Jun 14, 2025


Context

My Portal was developed as a centralized authentication solution to manage access to an ecosystem of subdomain applications. As the number of my projects grew (a GPS tracker, dashboards), the need for a unified identity provider became critical to avoid fragmented user databases and redundant login sessions.

The goal was to build a secure SSO hub allowing users to authenticate once and navigate between services while maintaining granular, role-based control.


Technical Architecture and Security

The portal is designed with Next.js 15, React 19, and Supabase, prioritizing a security-first architecture.

Homepage

Token-Based Invitation System

To maintain a controlled, invite-only environment, I developed a custom token redemption flow:

  • Generation: Super-admins can generate 32-character tokens, stored only as hashes, with expiration dates and usage limits
  • Redemption: Users redeem tokens via a dedicated page, which automatically grants application-specific permissions upon account activation
  • Security: Token logic is executed via PostgreSQL functions (RPC) so that sensitive authorization logic remains strictly server-side and is never exposed to the browser
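The following is an added example of what such a server-side redemption flow can look like in PostgreSQL; it is not the portal's own code. Table and column names (invite_tokens, app_permissions), the function names, and the super-admin check on the JWT app_metadata claim are assumptions; auth.uid() and auth.jwt() are Supabase's helpers, sha256() is built into PostgreSQL 11+, and gen_random_bytes() assumes the pgcrypto extension is enabled.

```sql
-- Added example (not the project's code). Names below are assumptions.
create table if not exists public.invite_tokens (
  id          bigserial primary key,
  token_hash  text not null unique,   -- sha256 hex of the token; the plaintext is never stored
  app_id      text not null,          -- application the token grants access to
  role        text not null default 'user',
  expires_at  timestamptz not null,
  max_uses    integer not null check (max_uses > 0),
  use_count   integer not null default 0 check (use_count >= 0),
  created_by  uuid not null           -- super-admin who generated it
);

create table if not exists public.app_permissions (
  user_id    uuid not null,
  app_id     text not null,
  role       text not null,
  granted_at timestamptz not null default now(),
  primary key (user_id, app_id)
);

-- Generation (super-admin only): the plaintext is returned exactly once and only its hash is kept.
create or replace function public.create_invite(p_app_id text, p_role text, p_ttl interval, p_max_uses integer)
returns text
language plpgsql
security definer              -- runs with the owner's rights, so RLS on the tables does not apply
set search_path = public      -- pinned so a malicious schema cannot shadow sha256()/encode()
as $$
declare
  v_plain text := encode(gen_random_bytes(16), 'hex');  -- 16 random bytes -> 32 hex characters
begin
  -- Assumption: super-admins carry role = 'super_admin' in the JWT app_metadata claim.
  if (auth.jwt() -> 'app_metadata' ->> 'role') is distinct from 'super_admin' then
    raise exception 'forbidden' using errcode = '42501';
  end if;
  insert into public.invite_tokens (token_hash, app_id, role, expires_at, max_uses, created_by)
  values (encode(sha256(convert_to(v_plain, 'UTF8')), 'hex'), p_app_id, p_role, now() + p_ttl, p_max_uses, auth.uid());
  return v_plain;
end;
$$;

-- Redemption: the caller submits the plaintext; every check happens inside the database.
create or replace function public.redeem_invite(p_token text)
returns public.app_permissions
language plpgsql
security definer
set search_path = public
as $$
declare
  v_uid  uuid := auth.uid();   -- authenticated caller (null for anonymous requests)
  v_tok  public.invite_tokens%rowtype;
  v_perm public.app_permissions%rowtype;
begin
  if v_uid is null then
    raise exception 'not authenticated' using errcode = '28000';
  end if;

  -- Row lock: two concurrent redemptions cannot both pass the usage-limit check.
  select * into v_tok
    from public.invite_tokens
   where token_hash = encode(sha256(convert_to(p_token, 'UTF8')), 'hex')
     for update;

  if not found or v_tok.expires_at <= now() or v_tok.use_count >= v_tok.max_uses then
    -- One generic message: the caller is not told which check failed.
    raise exception 'invalid or expired invitation' using errcode = 'P0001';
  end if;

  update public.invite_tokens set use_count = use_count + 1 where id = v_tok.id;

  insert into public.app_permissions (user_id, app_id, role)
  values (v_uid, v_tok.app_id, v_tok.role)
  on conflict (user_id, app_id) do update set role = excluded.role
  returning * into v_perm;

  return v_perm;
end;
$$;

-- Only signed-in users may call the RPCs; anonymous clients have no entry point.
revoke all on function public.create_invite(text, text, interval, integer) from public;
revoke all on function public.redeem_invite(text) from public;
grant execute on function public.create_invite(text, text, interval, integer) to authenticated;
grant execute on function public.redeem_invite(text) to authenticated;
```

Two design points worth noting: the SELECT ... FOR UPDATE makes the expiry and usage-limit checks atomic, so a token with max_uses = 1 cannot be redeemed twice by racing requests, and the single error message keeps the RPC from acting as an oracle for which tokens exist but have expired.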

Hardened Infrastructure

Identity management is enforced through PostgreSQL Row Level Security (RLS). Users can access only their own profiles, while administrative audit logs record every sensitive change for transparency and security.
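As an added illustration of the pattern described above, and not the portal's actual schema, the block below locks a profiles table down with RLS so each user sees and edits only their own row, prevents users from promoting themselves through column-level grants, and records changes in an audit table that ordinary users cannot read or write. Table, column and policy names are assumptions; auth.uid() and auth.jwt() are Supabase's helpers, and the super-admin role is assumed to live in the JWT app_metadata claim.

```sql
-- Added example (not the project's schema). Names below are assumptions.
create table if not exists public.profiles (
  id             uuid primary key,        -- equals auth.users.id in Supabase
  display_name   text,
  email          text not null,
  is_super_admin boolean not null default false,
  updated_at     timestamptz not null default now()
);

alter table public.profiles enable row level security;
alter table public.profiles force row level security;   -- applies even to the table owner

-- With RLS enabled and no matching policy, SELECT returns nothing and writes are rejected,
-- so the two policies below are the only paths an authenticated user has to this table.
create policy profiles_select_own on public.profiles
  for select to authenticated
  using (id = auth.uid());

create policy profiles_update_own on public.profiles
  for update to authenticated
  using (id = auth.uid())
  with check (id = auth.uid());   -- a user cannot re-point their row at another id

-- Privilege escalation guard: users may edit their display name, but never is_super_admin.
revoke update on public.profiles from authenticated;
grant select, update (display_name) on public.profiles to authenticated;

-- Audit log: append-only from the application's point of view.
create table if not exists public.audit_log (
  id         bigserial primary key,
  actor_id   uuid,                 -- auth.uid() of the caller; null when a service role acts
  table_name text not null,
  row_id     uuid not null,
  action     text not null,        -- INSERT / UPDATE / DELETE
  old_row    jsonb,
  new_row    jsonb,
  created_at timestamptz not null default now()
);

alter table public.audit_log enable row level security;

-- No insert/update/delete policy exists for authenticated users: rows get in only via the trigger.
create policy audit_read_superadmin on public.audit_log
  for select to authenticated
  using ((auth.jwt() -> 'app_metadata' ->> 'role') = 'super_admin');

-- SECURITY DEFINER lets the trigger write to audit_log even though the caller has no policy for it.
create or replace function public.audit_profiles()
returns trigger
language plpgsql
security definer
set search_path = public
as $$
begin
  insert into public.audit_log (actor_id, table_name, row_id, action, old_row, new_row)
  values (auth.uid(), tg_table_name, coalesce(new.id, old.id), tg_op, to_jsonb(old), to_jsonb(new));
  return coalesce(new, old);
end;
$$;

create trigger profiles_audit
  after insert or update or delete on public.profiles
  for each row execute function public.audit_profiles();
```

A quick check after applying this: as an authenticated user, `select count(*) from public.profiles` should return 1 (your own row), `update public.profiles set is_super_admin = true where id = auth.uid()` should fail with a permission error, and `select * from public.audit_log` should return no rows unless your JWT carries the super-admin claim.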

External applications receive time-limited JWT tokens with specific permissions, enabling secure API access without exposing credentials.


Compliance and Internationalization

Building a central hub meant treating compliance and localization as priorities, not secondary add-ons.

  • Internationalization (i18n): Full English and French support with locale-prefixed routing and SEO-optimized metadata per language
  • GDPR Compliance: Granular cookie consent system for Google Analytics opt-ins. Tracking is strictly disabled until the user gives explicit consent, stored for 365 days
  • Performance: Thanks to Next.js Turbopack and SSR-compatible session management, authentication checks do not introduce latency when switching between subdomains

Main Flow

After a single login — via email or Google OAuth — the user lands on a dashboard showing their authorized projects.

When a user attempts to access an application like PingTrail, the portal verifies their permissions in real time. If authorized, they are redirected to the subdomain with an active shared session, without re-authentication.


Technical Stack

  • Frontend: Next.js 15 (App Router), React 19, TypeScript, Tailwind CSS, Jotai
  • Backend: Supabase (PostgreSQL, Auth, Edge Functions)
  • Security: RLS policies, JWT tokens, Cloudflare Turnstile for bot protection
  • Hosting: Vercel

Takeaway

This project marks a transition from project-based websites to product-oriented, long-term systems. By centralizing authentication, security, and compliance in a single portal, I can now deploy new tools with confidence that they are immediately secure and integrated into a unified user experience.