Use this guide to harden the complete password authentication sequence and map SDK failures to safe, actionable messages.
Best Practices
Password Security
- Client-Side Validation: Validate password strength before submission
- Never Log Passwords: Never log passwords in plain text
- HTTPS Only: Always use HTTPS in production
- Rate Limiting: The platform implements rate limiting on auth endpoints
- Secure Storage: Never store passwords in browser storage
Password Strength Requirements
Implement client-side validation to provide immediate feedback:
interface PasswordStrength {
score: number; // 0-4
feedback: string[];
isStrong: boolean;
}
function checkPasswordStrength(password: string): PasswordStrength {
const feedback: string[] = [];
let score = 0;
// Length check
if (password.length >= 8) score++;
if (password.length >= 12) score++;
// Character variety
if (/[a-z]/.test(password)) score++;
if (/[A-Z]/.test(password)) score++;
if (/[0-9]/.test(password)) score++;
if (/[^A-Za-z0-9]/.test(password)) score++;
// Provide feedback
if (password.length < 8) {
feedback.push('Use at least 8 characters');
}
if (!/[A-Z]/.test(password)) {
feedback.push('Add uppercase letters');
}
if (!/[a-z]/.test(password)) {
feedback.push('Add lowercase letters');
}
if (!/[0-9]/.test(password)) {
feedback.push('Add numbers');
}
if (!/[^A-Za-z0-9]/.test(password)) {
feedback.push('Add special characters for extra security');
}
return {
score: Math.min(score, 4),
feedback,
isStrong: score >= 3
};
}
// Usage in component
const strength = checkPasswordStrength(password);
console.log(`Password strength: ${strength.score}/4`);
console.log('Suggestions:', strength.feedback);
UX Considerations
- Clear Error Messages: Provide specific feedback for authentication failures
- Loading States: Show loading indicators during API calls
- Email Verification Reminder: Remind users to verify email if login fails
- Password Visibility Toggle: Let users toggle password visibility
- Auto-focus: Focus the appropriate input field automatically
Email Configuration
For production, configure organization-specific SMTP:
// Configure custom SMTP for your organization
await sso.organizations.setSmtp('acme-corp', {
host: 'smtp.gmail.com',
port: 587,
username: 'notifications@acme.com',
password: 'your-app-password',
from_email: 'notifications@acme.com',
from_name: 'Acme Corp'
});
This ensures:
- Emails come from your domain
- Better deliverability
- Custom branding in emails
- Compliance with email policies
Error Handling
import { SsoApiError } from '@drmhse/sso-sdk';
async function handleAuthError(error: unknown) {
if (error instanceof SsoApiError) {
switch (error.statusCode) {
case 400:
return 'Invalid request. Please check your input.';
case 401:
return 'Invalid credentials. Please try again.';
case 403:
return 'Email not verified. Please check your inbox.';
case 409:
return 'This email is already registered.';
case 429:
return 'Too many attempts. Please try again later.';
case 500:
return 'Server error. Please try again later.';
default:
return error.message;
}
}
return 'An unexpected error occurred.';
}
// Usage
try {
await sso.auth.login({ email, password });
} catch (error) {
const message = await handleAuthError(error);
showErrorToUser(message);
}
Next Steps
- MFA Management Guide - Add two-factor authentication
- Authentication Flows Guide - Learn about OAuth and device flows
- User API Reference - Detailed API documentation