The login process can be done in many ways. Searching for a solution, I found that there was some consensus about the principles, but no consensus on how to implement them.
Challenge #1: Speed
I have tested many apps with logins but never found an app without a "spinning wheel" or "Loading..." message. So, based on my experience, speed was one of my top priorities for login.
Therefore I use Go as the foundation: fast, simple and compiled. The goal is to always score 100 on pagespeed.web.dev.
Challenge #2: Safety
Everybody is talking about "encryption" and is focused on passwords. I found nobody talking about safe "mechanical" environments.
I am exploring a different approach in conjunction with encryption. The first thing is to use a compiled language, which is way harder to attack than an interpreted one. The second is to avoid JavaScript communication over the internet. The third is to place all the sensitive components in the basement and lock the door: only communicate via internal IP addresses, an isolated "Safe Box" of sorts.
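As an added illustration of the "only communicate via internal IP addresses" idea (this is example code, not the post's own implementation): a small Go service that binds to an internal address and, as a second layer, refuses any request whose TCP peer is outside a private range. The address `10.0.0.5:8443`, the `/session/check` path and the exact set of ranges treated as internal are assumptions for the example.

```go
package main

import (
	"log"
	"net"
	"net/http"
)

// Ranges treated as "internal": RFC 1918 private IPv4, loopback, and IPv6 ULA/loopback.
// Which ranges count as internal is an assumption; the post only says "internal IP addresses".
var internalNets = mustParseCIDRs(
	"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
	"127.0.0.0/8", "::1/128", "fc00::/7",
)

func mustParseCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err) // the list above is constant; a typo should fail at startup
		}
		nets = append(nets, n)
	}
	return nets
}

// isInternal reports whether a "host:port" peer address falls in one of the internal ranges.
// Anything unparsable is treated as external, so the check fails closed.
func isInternal(remoteAddr string) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		return false
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return false
	}
	for _, n := range internalNets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// internalOnly rejects requests whose TCP peer is not internal before the handler runs.
// r.RemoteAddr is the real peer as seen by net/http; forwarding headers are deliberately ignored.
func internalOnly(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !isInternal(r.RemoteAddr) {
			log.Printf("rejected external peer %s for %s", r.RemoteAddr, r.URL.Path)
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	mux := http.NewServeMux()
	// Hypothetical Safe Box endpoint; the front end calls it over the internal network.
	mux.HandleFunc("/session/check", func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("ok\n"))
	})
	// Bind to an internal address only (placeholder value), so no public interface ever listens.
	srv := &http.Server{Addr: "10.0.0.5:8443", Handler: internalOnly(mux)}
	log.Fatal(srv.ListenAndServe())
}
```

The bind address is the primary control; the peer check is defence in depth for the case where the box later gains a second interface. Note that `RemoteAddr` is the direct TCP peer, so if a reverse proxy sits in front of this service the check sees the proxy, not the original client, and must be paired with the proxy's own restrictions.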
Challenge #3: GDPR
GDPR has contradictory rules: erase personal data, but also log the same data to find abnormal behavior.
There is no clear solution that lets you both keep the cake and eat it. The middle way is to isolate the data in a Safe Box and keep it for a limited period that allows investigation, using a cron routine to erase old session data.
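The retention-and-purge routine, as an added Go example that is not the post's own code: session records are kept for a fixed period and a ticker goroutine (the in-process stand-in for the cron entry) erases everything older than that. The 30-day period, the in-memory store and the `Session` field set are assumptions; the post only says "a limited period" and "session data".

```go
package main

import (
	"log"
	"sync"
	"time"
)

// Session is the minimal record the Safe Box keeps per login so abnormal behavior can be reviewed.
// The field set is an assumption; the post does not list what it logs.
type Session struct {
	ID       string
	UserID   string
	SourceIP string
	Created  time.Time
}

// Store is an in-memory stand-in for the Safe Box session table.
type Store struct {
	mu        sync.Mutex
	sessions  map[string]Session
	retention time.Duration
}

func NewStore(retention time.Duration) *Store {
	return &Store{sessions: make(map[string]Session), retention: retention}
}

func (s *Store) Add(sess Session) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.sessions[sess.ID] = sess
}

func (s *Store) Count() int {
	s.mu.Lock()
	defer s.mu.Unlock()
	return len(s.sessions)
}

// Purge erases every session created before now minus the retention period and
// returns how many were removed, so each run can be logged as evidence of erasure.
// Taking now as a parameter keeps the cutoff deterministic and testable.
func (s *Store) Purge(now time.Time) int {
	s.mu.Lock()
	defer s.mu.Unlock()
	cutoff := now.Add(-s.retention)
	removed := 0
	for id, sess := range s.sessions {
		if sess.Created.Before(cutoff) {
			delete(s.sessions, id) // deleting during range is safe in Go
			removed++
		}
	}
	return removed
}

// RunPurger is the in-process equivalent of a cron entry: it calls Purge on every tick
// until stop is closed.
func (s *Store) RunPurger(interval time.Duration, stop <-chan struct{}) {
	ticker := time.NewTicker(interval)
	defer ticker.Stop()
	for {
		select {
		case now := <-ticker.C:
			n := s.Purge(now)
			log.Printf("session purge: removed %d records older than %s", n, s.retention)
		case <-stop:
			return
		}
	}
}

func main() {
	// 30 days is a placeholder retention period; the post only says "a limited period".
	store := NewStore(30 * 24 * time.Hour)
	now := time.Now()
	// Constructed sample data: one stale session and one still inside the window.
	store.Add(Session{ID: "s1", UserID: "u1", SourceIP: "10.0.0.7", Created: now.Add(-45 * 24 * time.Hour)})
	store.Add(Session{ID: "s2", UserID: "u2", SourceIP: "10.0.0.8", Created: now.Add(-2 * 24 * time.Hour)})
	log.Printf("purged %d, %d remain", store.Purge(now), store.Count())

	stop := make(chan struct{})
	go store.RunPurger(time.Hour, stop) // runs hourly for the life of the process
	time.Sleep(100 * time.Millisecond)
	close(stop)
}
```

Logging the count per run gives an auditable trail that the retention limit is actually enforced, which is the part of the GDPR balance the investigation window alone does not show. With a real database the same shape applies: a `DELETE ... WHERE created < cutoff` on a schedule, with the affected row count written to the log.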
The login procedure is separated into three steps: