LibreAuth protects against unauthorized access to your TOTP secrets and session. It does not protect against a compromised device, shoulder surfing, or phishing — use backup codes and hardware keys for high-value accounts.
Data flow
- Browser: Web Crypto generates TOTP codes from the secret held in memory.
- Supabase: secrets are sent over TLS and stored with RLS scoping them per user.
- Session: HTTP-only cookies, validated server-side.
Architecture
Codes are computed in your browser via Web Crypto (RFC 6238). Secrets live in Supabase behind row-level security — only your user ID touches your rows. There is no server-side TOTP generation.
Authentication
Supabase Auth + @supabase/ssr cookies. Protected routes validate sessions server-side before render. Logout clears cookies via a server endpoint.
Database policies
Every totp_entries row is scoped to auth.uid():
- SELECT — own rows only
- INSERT — must match authenticated user
- UPDATE / DELETE — own rows only
Recommendations
- Strong unique password for your LibreAuth account.
- Enable email confirmation in Supabase for production.
- Self-host for full data control and custom auth policies.
- Keep service backup codes — authenticators are not account recovery.
- Use a password manager alongside 2FA for defense in depth.
Roadmap
Client-side vault encryption with a separate passphrase — secrets opaque even to the database operator. Export/import bundle. Hardware key login for the vault itself.
Security FAQ
Can LibreAuth staff read my secrets?
What happens if Supabase is down?
Is Web Crypto safe for TOTP?
Read the code yourself.
AGPL licensed. Audit the repo, run the migration, deploy your own instance.
