Authentication and sessions
OAuth login, session management, and cookie security.
How authentication works
Le Bureau uses OAuth 2.0 for all user authentication. You sign in with your Google or GitHub account. There is no password to create.
OAuth login flow
When you click "Sign in with Google" or "Sign in with GitHub":
- You are redirected to the provider's login page (Google or GitHub).
- You authenticate with the provider and grant Le Bureau access to your basic profile (email and name).
- The provider sends an authorization code back to Le Bureau.
- Le Bureau exchanges the code for your profile information and creates or updates your account.
- A secure session is created and you are redirected to your dashboard.
Le Bureau never receives or stores your Google or GitHub password. Authentication is handled entirely by the OAuth provider.
nOAuth protection
Users are looked up by the pair oauthProvider + oauthId, not by email alone. Email-only lookup is vulnerable to spoofing if a provider does not verify email ownership.
This means an attacker who creates a Google or GitHub account with your email address cannot access your Le Bureau account. Your identity is tied to your specific OAuth provider account, not your email.
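The login flow above and the oauthProvider + oauthId lookup, as an added example in Python. This is not Le Bureau's code: the provider, its endpoint URL, the client id and the user records are all constructed stand-ins, and the state parameter bound to each login attempt is a defensive detail added here that the page itself does not describe. The demo shows that a second account at a different provider with the same email address resolves to a separate user, while an email-only lookup would have collided, and that a replayed callback is rejected.

```python
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse

@dataclass(frozen=True)
class Profile:
    """What the provider hands back after the code exchange (constructed shape)."""
    provider: str   # "google" or "github"
    subject: str    # the provider's stable user id, stored as oauthId
    email: str
    name: str

class FakeProvider:
    """Constructed stand-in for Google/GitHub: issues single-use authorization codes."""
    def __init__(self, name):
        self.name = name
        self._codes = {}

    def issue_code(self, profile):
        code = secrets.token_urlsafe(16)
        self._codes[code] = profile
        return code

    def redeem(self, code):
        return self._codes.pop(code, None)   # a code is redeemable exactly once

class AuthService:
    def __init__(self, providers, redirect_uri):
        self.providers = providers
        self.redirect_uri = redirect_uri
        self.users = {}     # (oauthProvider, oauthId) -> user record
        self._pending = {}  # state -> provider; a real app binds state to the browser session

    def start_login(self, provider_name):
        """Step 1: redirect to the provider with a fresh, unguessable state value."""
        state = secrets.token_urlsafe(24)
        self._pending[state] = provider_name
        query = urlencode({"client_id": "placeholder-client-id", "redirect_uri": self.redirect_uri,
                           "scope": "email profile", "state": state})
        return f"https://{provider_name}.example/authorize?{query}"   # placeholder endpoint

    def handle_callback(self, callback_url):
        """Steps 3-4: check state, redeem the code, then find or create the account."""
        params = parse_qs(urlparse(callback_url).query)
        state = params.get("state", [""])[0]
        code = params.get("code", [""])[0]
        provider_name = self._pending.pop(state, None)   # state is single use as well
        if provider_name is None:
            raise PermissionError("unknown or reused state")
        profile = self.providers[provider_name].redeem(code)
        if profile is None or profile.provider != provider_name:
            raise PermissionError("invalid or replayed authorization code")
        return self.find_or_create_user(profile)

    def find_or_create_user(self, profile):
        """The lookup key is (oauthProvider, oauthId); email is just profile data."""
        key = (profile.provider, profile.subject)
        user = self.users.get(key)
        if user is None:
            user = {"id": len(self.users) + 1, "oauthProvider": profile.provider,
                    "oauthId": profile.subject, "email": profile.email, "name": profile.name}
            self.users[key] = user
        else:
            user["email"], user["name"] = profile.email, profile.name   # refresh profile data
        return user

def find_user_by_email_unsafe(users, email):
    """The vulnerable alternative: first account whose email matches, whatever the provider."""
    return next((u for u in users.values() if u["email"] == email), None)

def login(auth, provider, profile):
    """Drive one complete login through the fake provider and return the resolved user."""
    state = parse_qs(urlparse(auth.start_login(provider.name)).query)["state"][0]
    return auth.handle_callback(f"{auth.redirect_uri}?code={provider.issue_code(profile)}&state={state}")

def demo():
    google, github = FakeProvider("google"), FakeProvider("github")
    auth = AuthService({"google": google, "github": github}, "https://app.example/callback")
    alice = Profile("google", "g-1001", "alice@example.com", "Alice")
    first = login(auth, google, alice)
    second = login(auth, google, alice)   # same Google account -> same Le Bureau user
    # Constructed impostor: a GitHub account registered with Alice's email address.
    impostor = Profile("github", "gh-77", "alice@example.com", "Alice")
    third = login(auth, github, impostor)
    # Replaying a finished callback must fail: both state and code are single use.
    state = parse_qs(urlparse(auth.start_login("google")).query)["state"][0]
    url = f"{auth.redirect_uri}?code={google.issue_code(alice)}&state={state}"
    auth.handle_callback(url)
    try:
        auth.handle_callback(url)
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    return {
        "same_account_on_relogin": first["id"] == second["id"],
        "impostor_gets_separate_account": third["id"] != first["id"],
        "email_only_lookup_would_collide": find_user_by_email_unsafe(auth.users, impostor.email)["id"] == first["id"],
        "replay_rejected": replay_rejected,
    }
```

The key point is in find_or_create_user: the dictionary is keyed on the (provider, subject) pair, so the impostor's GitHub identity lands in a fresh record even though the email string is identical. The unsafe lookup is kept beside it only to show what the collision would look like.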
Session management
After login, Le Bureau creates a server-side session.
- Session duration -- sessions remain active as long as you use the platform regularly. Inactive sessions expire automatically.
- Single sign-on -- you can be logged in on multiple devices simultaneously.
- Session revocation -- logging out immediately invalidates your session on the server side.
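A server-side session store with the three properties listed above, as an added example in Python rather than Le Bureau's own implementation. The 30-minute idle timeout is an assumed value (the page only says inactive sessions expire), the session-id length is a choice made here, and the clock is a constructed fake so the demo can fast-forward instead of sleeping.

```python
import secrets
import time

IDLE_TIMEOUT = 30 * 60  # assumed value: the page only says inactive sessions expire automatically

class SessionStore:
    """Server-side sessions: the browser holds only an opaque id, all state lives here."""
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self._sessions = {}  # session id -> {"user_id", "last_seen"}

    def create(self, user_id):
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness: unguessable
        self._sessions[sid] = {"user_id": user_id, "last_seen": self.clock()}
        return sid

    def resolve(self, sid):
        """Return the user id for a live session, or None; activity extends the session."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        now = self.clock()
        if now - rec["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]   # expired: drop it so the id can never be revived
            return None
        rec["last_seen"] = now
        return rec["user_id"]

    def revoke(self, sid):
        """Logout: deleting the record invalidates the cookie immediately, server side."""
        return self._sessions.pop(sid, None) is not None

    def active_sessions(self, user_id):
        return sum(1 for rec in self._sessions.values() if rec["user_id"] == user_id)

class FakeClock:
    """Constructed clock so the demo can fast-forward instead of sleeping."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds

def demo():
    clock = FakeClock()
    store = SessionStore(clock=clock)
    laptop = store.create(user_id=42)
    phone = store.create(user_id=42)   # second device: both sessions are valid at once
    two_devices = store.active_sessions(42) == 2
    clock.advance(IDLE_TIMEOUT - 1)
    laptop_used = store.resolve(laptop) == 42    # use just before expiry refreshes last_seen
    clock.advance(IDLE_TIMEOUT - 1)
    laptop_alive = store.resolve(laptop) == 42   # still within IDLE_TIMEOUT of its last use
    phone_expired = store.resolve(phone) is None  # idle for almost twice the timeout
    logged_out = store.revoke(laptop)
    cookie_dead = store.resolve(laptop) is None   # the old cookie value is now worthless
    return {
        "two_devices": two_devices, "laptop_used": laptop_used, "laptop_alive": laptop_alive,
        "phone_expired": phone_expired, "logged_out": logged_out, "cookie_dead": cookie_dead,
        "forged_id_rejected": store.resolve("not-a-session-id") is None,
    }
```

Because the record lives on the server, revocation is a dictionary delete: the cookie the browser still holds cannot be turned back into a user, which is what "immediately invalidates your session on the server side" means in practice.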
Cookie security
Cookie settings:
| Setting | Value | Why |
|---|---|---|
| Prefix | __Secure- / __Host- | Ensures cookies are only set over HTTPS |
| httpOnly | true | Prevents JavaScript from reading the cookie |
| secure | true | Cookie is only sent over HTTPS connections |
| sameSite | lax | Mitigates cross-site request forgery (CSRF) attacks |
The __Host- prefix adds a further constraint: the browser only accepts the cookie when it is scoped to the exact host that set it (no Domain attribute, Path=/), so a subdomain cannot set or overwrite it.
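A Set-Cookie builder that enforces the settings in the table, as an added example in Python, not Le Bureau's code. The cookie name __Host-session is assumed; the builder refuses the attribute combinations that a browser would silently drop for a __Host- or __Secure- cookie, so a misconfiguration fails in a test rather than in production.

```python
import re

# Characters RFC 6265 allows in a cookie value (no whitespace, quotes, commas, semicolons, backslashes).
_COOKIE_OCTETS = re.compile(r"^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$")

def build_set_cookie(name, value, *, path="/", domain=None, max_age=None,
                     secure=True, http_only=True, same_site="Lax"):
    """Return a Set-Cookie header value, refusing combinations a browser would reject."""
    if not _COOKIE_OCTETS.match(value):
        raise ValueError("cookie value contains characters that are not allowed")
    if same_site not in ("Strict", "Lax", "None"):
        raise ValueError("SameSite must be Strict, Lax or None")
    if same_site == "None" and not secure:
        raise ValueError("SameSite=None requires Secure")
    # Prefix rules: browsers drop a prefixed cookie that violates them without any error,
    # so failing loudly here is the only way to notice.
    if name.startswith("__Host-"):
        if not secure or path != "/" or domain is not None:
            raise ValueError("__Host- cookies need Secure, Path=/ and no Domain attribute")
    elif name.startswith("__Secure-") and not secure:
        raise ValueError("__Secure- cookies need the Secure attribute")
    parts = [f"{name}={value}", f"Path={path}"]
    if domain is not None:
        parts.append(f"Domain={domain}")
    if max_age is not None:
        parts.append(f"Max-Age={int(max_age)}")
    if secure:
        parts.append("Secure")
    if http_only:
        parts.append("HttpOnly")
    parts.append(f"SameSite={same_site}")
    return "; ".join(parts)

def session_cookie(session_id):
    """The page's settings: __Host- prefix, httpOnly, secure, sameSite=lax (cookie name assumed)."""
    return build_set_cookie("__Host-session", session_id)

def rejected_misconfigurations():
    """List which weakenings of the __Host- cookie the builder refuses."""
    attempts = {
        "secure=False": dict(secure=False),
        "domain=.example.com": dict(domain=".example.com"),
        "path=/app": dict(path="/app"),
    }
    rejected = []
    for label, kwargs in attempts.items():
        try:
            build_set_cookie("__Host-session", "x", **kwargs)
        except ValueError:
            rejected.append(label)
    return rejected
```

session_cookie("abc123") yields `__Host-session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax`, which is the header a server applying the table above should emit. Each entry of rejected_misconfigurations() corresponds to a cookie that would be accepted under a plain name but is discarded by the browser once the __Host- prefix is present.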
API authentication
For API access, authentication uses API keys instead of OAuth. See API authentication for details.
API key authentication includes rate limiting: after 10 failed authentication attempts within 60 seconds from the same IP address, further attempts are temporarily blocked to prevent brute-force attacks.
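The failed-attempt limiter described above, as an added example in Python; it is not Le Bureau's implementation. The 10-failures-in-60-seconds threshold comes from the page, while the 60-second block length is an assumed value (the page only says "temporarily"). The API key, the client addresses and the clock are constructed for the demo; keys are compared as SHA-256 digests in constant time so the check itself leaks nothing through timing.

```python
import hashlib
import hmac
from collections import defaultdict, deque

MAX_FAILURES = 10      # from the page: 10 failed attempts ...
WINDOW_SECONDS = 60    # ... within 60 seconds from the same IP address
BLOCK_SECONDS = 60     # assumed: the page only says the block is temporary

class FailedAuthLimiter:
    """Sliding-window count of failed API-key checks per client IP."""
    def __init__(self, clock):
        self.clock = clock
        self._failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self._blocked_until = {}              # ip -> time at which the block lifts

    def is_blocked(self, ip):
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if self.clock() < until:
            return True
        del self._blocked_until[ip]           # the block has lapsed
        return False

    def record_failure(self, ip):
        now = self.clock()
        window = self._failures[ip]
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()                  # forget failures outside the window
        window.append(now)
        if len(window) >= MAX_FAILURES:
            self._blocked_until[ip] = now + BLOCK_SECONDS
            window.clear()

    def record_success(self, ip):
        self._failures.pop(ip, None)

def authenticate_api_key(limiter, ip, presented_key, valid_key_hashes):
    """Return "blocked", "invalid" or "ok"; the limiter wraps the actual key check."""
    if limiter.is_blocked(ip):
        return "blocked"
    digest = hashlib.sha256(presented_key.encode()).hexdigest()
    if any(hmac.compare_digest(digest, known) for known in valid_key_hashes):
        limiter.record_success(ip)
        return "ok"
    limiter.record_failure(ip)
    return "invalid"

class FakeClock:
    """Constructed clock so the demo can fast-forward instead of sleeping."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds

def demo():
    clock = FakeClock()
    limiter = FailedAuthLimiter(clock)
    good_key = "lb_constructed_demo_key"                                # constructed, not a real key
    valid = {hashlib.sha256(good_key.encode()).hexdigest()}
    client_a, client_b = "203.0.113.5", "198.51.100.7"                 # RFC 5737 documentation addresses
    first_nine = [authenticate_api_key(limiter, client_a, "guess", valid) for _ in range(9)]
    tenth = authenticate_api_key(limiter, client_a, "guess", valid)    # the 10th failure trips the block
    while_blocked = authenticate_api_key(limiter, client_a, good_key, valid)
    other_client = authenticate_api_key(limiter, client_b, good_key, valid)
    clock.advance(BLOCK_SECONDS)
    after_block = authenticate_api_key(limiter, client_a, good_key, valid)
    # Failures spaced 7 s apart never put 10 inside one 60-second window, so no block.
    client_c, spaced = "192.0.2.9", []
    for _ in range(10):
        spaced.append(authenticate_api_key(limiter, client_c, "guess", valid))
        clock.advance(7)
    return {
        "first_nine_checked": first_nine == ["invalid"] * 9,
        "tenth_checked": tenth == "invalid",
        "then_blocked_even_with_valid_key": while_blocked == "blocked",
        "other_ip_unaffected": other_client == "ok",
        "block_lifts": after_block == "ok",
        "spaced_failures_not_blocked": spaced == ["invalid"] * 10,
    }
```

Two details matter in practice: the block applies even to a correct key, so a client that has been locked out learns nothing from the response, and the window is pruned before counting, so ten failures spread over more than a minute do not trigger it.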
Recommendations
- Use a strong password on your Google/GitHub account. Le Bureau's security depends on your OAuth provider's security.
- Enable two-factor authentication on your Google or GitHub account.
- Log out on shared devices. Your session cookie is valid until you sign out or it expires.
Related docs
Data and privacy
Where your data is stored, what is encrypted, and how Le Bureau handles privacy.
API authentication
Two ways to authenticate with the API: session cookies for browser use and API keys for programmatic access.
Network security
How Le Bureau secures connections with CSP headers, rate limiting, TLS, and WebSocket authentication.