iOS Authentication - I Almost Shipped a Security Bug

I built three authentication methods for a kids' iOS app — email/password, Google Sign-In, and Apple Sign-In. The backend was trusting whatever the app sent. No server-side verification. Anyone could access any account by sending a POST request directly.

Complete iOS authentication system breakdown: OAuth flows, JWT sessions, server-side token verification, and the security pattern most developers get wrong.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

🔐 WHAT'S COVERED:

✦ Email/Password Authentication - bcrypt hashing, JWT tokens, rate limiting
✦ Google Sign-In - OAuth 2.0, server-side idToken verification
✦ Apple Sign-In - App Store requirement, identity token handling
✦ Multi-Profile Architecture - one parent account, multiple child profiles
✦ Session Management - JWT in Keychain, Bearer tokens
✦ The Security Mistake - why backend must verify tokens with auth providers

Built with Claude Code, SwiftUI, Node.js, Express, MongoDB.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

⏱️ CHAPTERS:

0:00 — Introduction
0:12 — The Challenge
1:28 — Email & Password
4:12 — Google Sign-In
6:39 — Apple Sign-In
9:15 — Multi-Profile
10:12 — Session Management
11:32 — Challenges

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

🛠️ TOOLS:

SwiftUI: https://developer.apple.com/xcode/swiftui/
Xcode: https://developer.apple.com/xcode/
Claude Code: https://claude.ai/code
Node.js: https://nodejs.org
Express.js: https://expressjs.com
MongoDB Atlas: https://www.mongodb.com/atlas
Mongoose: https://mongoosejs.com
bcrypt: https://github.com/kelektiv/node.bcrypt.js
express-rate-limit: https://github.com/express-rate-limit/express-rate-limit

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

📚 RESOURCES:

Google OAuth 2.0: https://developers.google.com/identity/protocols/oauth2
Google Sign-In for iOS: https://developers.google.com/identity/sign-in/ios
Apple Sign-In: https://developer.apple.com/sign-in-with-apple/
JWT (JSON Web Tokens): https://jwt.io
SwiftUI Docs: https://developer.apple.com/documentation/swiftui
OAuth 2.0 Spec: https://oauth.net/2/
Google Cloud Console: https://console.cloud.google.com
Apple Developer Portal: https://developer.apple.com/account

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

🎬 PREVIOUS VIDEOS:

Full Playlist: https://www.youtube.com/playlist?list=PLtZHXl79Y2ikQCoIbOBOt-xhhUoJG5lkD

V6 — iOS UI Walkthrough: https://youtu.be/O_Tymy3yAVA
V5 — AI Character Consistency: https://youtu.be/AmEz_098LeI
V4 — Building a Backend: https://youtu.be/_eIZKsCYESg
V3 — Random Prompting Stopped Working: https://youtu.be/JhE9bRU893U
V2 — App Validation: https://youtu.be/tg-2vC_9OWU
V1 — Zero to App Store: https://youtu.be/Rm6I_MGiPY8

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

#iOSAuthentication #SwiftUI #OAuth2 #GoogleSignIn #AppleSignIn #JWT #BackendSecurity #NodeJS #MongoDB #iOSDevelopment #AppSecurity #ServerSideVerification #ClaudeCode #BuildInPublic #TechTutorial #vibecoding

Video "iOS Authentication - I Almost Shipped a Security Bug" from the channel Pratiksha