Security

Built-in security for auth, passwords, JWT, and sessions.

Password Hashing

// Hash password
String hash = Passwords.hash("secret123");

// Verify password
boolean valid = Passwords.verify("secret123", hash);

JWT Authentication

// Generate token
String token = JWT.create()
    .subject(user.getId())
    .claim("role", user.getRole())
    .expiresIn(Duration.ofHours(24))
    .sign(SECRET_KEY);

// Verify token
Claims claims = JWT.verify(token, SECRET_KEY);
String userId = claims.getSubject();
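
As an added example (not this framework's own code), the plain-JDK class below shows what a JWT.create(...).sign(SECRET_KEY) / JWT.verify(token, SECRET_KEY) pair has to do underneath for HS256: sign header.payload with HMAC-SHA256, and on verify pin the algorithm, compare signatures in constant time and enforce exp. The class name, the hand-built JSON claims and the JWT_SECRET environment variable are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Objects;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example, not the framework's code: minimal HS256 JWT with hand-built JSON claims.
public class Hs256Jwt {
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();
    static String sign(String subject, String role, Duration ttl, byte[] key) throws Exception {
        long exp = Instant.now().plus(ttl).getEpochSecond();
        String header = ENC.encodeToString("{\"alg\":\"HS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String claims = String.format("{\"sub\":\"%s\",\"role\":\"%s\",\"exp\":%d}", subject, role, exp);
        String signingInput = header + "." + ENC.encodeToString(claims.getBytes(StandardCharsets.UTF_8));
        return signingInput + "." + ENC.encodeToString(hmac(signingInput, key));
    }

    // Returns the claims JSON if the token is authentic and unexpired; throws otherwise.
    static String verify(String token, byte[] key) throws Exception {
        String[] parts = token.split("\\.");
        if (parts.length != 3) throw new SecurityException("malformed token");
        String header = new String(DEC.decode(parts[0]), StandardCharsets.UTF_8);
        // Pin the algorithm: the token must never choose how it is verified (no "none", no key confusion).
        if (!header.contains("\"alg\":\"HS256\"")) throw new SecurityException("unexpected alg");
        byte[] expected = hmac(parts[0] + "." + parts[1], key);
        // Constant-time comparison so a wrong signature leaks no timing information.
        if (!MessageDigest.isEqual(expected, DEC.decode(parts[2]))) throw new SecurityException("bad signature");
        String claims = new String(DEC.decode(parts[1]), StandardCharsets.UTF_8);
        long exp = Long.parseLong(claims.replaceAll(".*\"exp\":(\\d+).*", "$1"));  // simplified claim parsing
        if (Instant.now().getEpochSecond() >= exp) throw new SecurityException("token expired");
        return claims;
    }

    private static byte[] hmac(String data, byte[] key) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }
    public static void main(String[] args) throws Exception {
        byte[] key = Objects.requireNonNull(System.getenv("JWT_SECRET"), "set JWT_SECRET").getBytes(StandardCharsets.UTF_8);  // assumed env var name
        String token = sign("user-42", "admin", Duration.ofHours(24), key);
        System.out.println(verify(token, key));
        try { verify(sign("user-42", "admin", Duration.ZERO, key), key); } catch (SecurityException e) { System.out.println(e.getMessage()); }
    }
}
```

Run with JWT_SECRET set to a long random value; the second verify call is rejected as expired because its lifetime is zero.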

Protected Routes

app.use("/admin/**", Auth.required());
app.use("/api/**", Auth.jwt(SECRET_KEY));

// In handler
app.get("/profile", req -> {
    User user = req.user();  // Current user
    return profilePage(user);
});

Rate Limiting

app.use(RateLimit.perMinute(100));
app.use("/api/**", RateLimit.perMinute(30));

Always use HTTPS in production and store secrets in environment variables.