Authentication in the Real World: Nuxt, Laravel, React & Express

Authentication in the Real World: Lessons from Nuxt 3, Laravel, React, and Express

Facts first: a practical blueprint for cookie sessions (Nuxt/React), Sanctum (Laravel), and HMAC/JWT (Express), with code.

ByPrazin Karki

Published2 September 2025

2 minute read

Last reviewed26 March 2026

nuxt3

laravel

react

express

authentication

security

Talk to PKTechie View projects

Technical Integrity Review

Verified 26 March 2026

Prazin Karki

Founder at PKTechie - Full-stack developer for websites, apps, and infrastructure

This article is based on production authentication work across SSR apps, Laravel backends, and service-to-service integrations.

Technical context+

On this page

Jump between sections

Technical Integrity Review

Verified 26 March 2026

Prazin Karki

Founder at PKTechie - Full-stack developer for websites, apps, and infrastructure

This article is based on production authentication work across SSR apps, Laravel backends, and service-to-service integrations.

Technical context

Glossary

Need this level of engineering?

Need auth help?

Bring PKTechie in for secure auth implementation or production review.

Talk to PKTechie View projects

Why I'm Writing This#

I've worked on survey tools, health trackers, and account dashboards. The common friction point was authentication. Here are the approaches that held up in practice, with working snippets.

The Pain Points I Ran Into#

LocalStorage tokens broke under SSR and subdomains.
CORS misconfigurations silently blocked cookies.
Safari’s cookie rules exposed bugs Chrome hid.
Service-to-service trust needed signed requests, not user cookies.
Public forms attracted bots until I hardened them.

Nuxt 3 (Vue)#

Nuxt 3 using HTTP-only cookie sessions compatible with SSR

export function useAuth() {
  const user = useState('user', () => null as any);

  async function login(email: string, password: string) {
    await $fetch('/api/login', {
      method: 'POST',
      body: { email, password },
      credentials: 'include',
    });
    await refreshUser();
  }

  async function refreshUser() {
    user.value = await $fetch('/api/me', { credentials: 'include' }).catch(() => null);
  }

  return { user, login, refreshUser };
}

Fact learned: Cookies work naturally with SSR. Avoid storing tokens in LocalStorage: they cause hydration bugs and add XSS risk.

Laravel 10#

Laravel Sanctum handling session-based SPA authentication

Route::post('/login', function (Request $request) {{
  $credentials = $request->validate([
      'email' => 'required|email',
      'password' => 'required|string|min:6',
  ]);

  if (! Auth::attempt($credentials, true)) {{
      return response()->json(['message' => 'Invalid credentials'], 422);
  }}

  $request->session()->regenerate();
  return response()->noContent();
}});

Route::get('/me', fn (Request $r) => $r->user())->middleware('auth:sanctum');

Fact learned: Sanctum is built for SPAs/SSR. Regenerate sessions on login/logout to prevent fixation.

Express.js#

Two Express services authenticating requests with HMAC signatures

import crypto from 'crypto';

function sign(body, secret) {{
  return crypto.createHmac('sha256', secret).update(body).digest('hex');
}}

function verify(req, res, next) {{
  const sig = req.header('x-signature');
  const expected = sign(req.rawBody, process.env.S2S_SECRET);
  if (sig !== expected) return res.status(401).send('Invalid signature');
  next();
}}

Fact learned: Don’t pass user cookies between services. Use HMAC or short-lived JWTs; rotate secrets.

React#

async function login(email, password) {{
  await fetch('/api/login', {{
    method: 'POST',
    credentials: 'include',
    headers: {{ 'Content-Type': 'application/json' }},
    body: JSON.stringify({{ email, password }}),
  }});
}}

Fact learned: Cookies still win for browser apps. With Next.js, SSR can read the cookie server-side.

Controls That Actually Worked#

Rate limiting for login/signup endpoints.
Honeypot fields that bots fill but humans ignore.
Analytics on failed logins to surface UX issues early.
SameSite=Lax + Secure cookies to avoid silent drops in Safari.

Final Thoughts#

Nuxt / React: Cookie sessions are safer and SSR-friendly than LocalStorage tokens.
Laravel: Sanctum + sessions is the simplest, reliable path for SPA/SSR.
Express: Prefer HMAC/JWT for service-to-service; never forward user cookies.
Browsers: Test in Safari early; its stricter rules expose hidden bugs.
Security + UX: Pair rate limits + honeypots with analytics; passwords alone aren’t “secure.”

Technical context+

On this page

Jump between sections

Technical Integrity Review

Verified 26 March 2026

Prazin Karki

Founder at PKTechie - Full-stack developer for websites, apps, and infrastructure

This article is based on production authentication work across SSR apps, Laravel backends, and service-to-service integrations.

Technical context

Glossary

Need this level of engineering?

Need auth help?

Bring PKTechie in for secure auth implementation or production review.

Talk to PKTechie View projects

Why I'm Writing This#

I've worked on survey tools, health trackers, and account dashboards. The common friction point was authentication. Here are the approaches that held up in practice, with working snippets.

The Pain Points I Ran Into#

LocalStorage tokens broke under SSR and subdomains.
CORS misconfigurations silently blocked cookies.
Safari’s cookie rules exposed bugs Chrome hid.
Service-to-service trust needed signed requests, not user cookies.
Public forms attracted bots until I hardened them.

Nuxt 3 (Vue)#

export function useAuth() {
  const user = useState('user', () => null as any);

  async function login(email: string, password: string) {
    await $fetch('/api/login', {
      method: 'POST',
      body: { email, password },
      credentials: 'include',
    });
    await refreshUser();
  }

  async function refreshUser() {
    user.value = await $fetch('/api/me', { credentials: 'include' }).catch(() => null);
  }

  return { user, login, refreshUser };
}

Fact learned: Cookies work naturally with SSR. Avoid storing tokens in LocalStorage: they cause hydration bugs and add XSS risk.

Laravel 10#

Route::post('/login', function (Request $request) {{
  $credentials = $request->validate([
      'email' => 'required|email',
      'password' => 'required|string|min:6',
  ]);

  if (! Auth::attempt($credentials, true)) {{
      return response()->json(['message' => 'Invalid credentials'], 422);
  }}

  $request->session()->regenerate();
  return response()->noContent();
}});

Route::get('/me', fn (Request $r) => $r->user())->middleware('auth:sanctum');

Fact learned: Sanctum is built for SPAs/SSR. Regenerate sessions on login/logout to prevent fixation.

Express.js#

import crypto from 'crypto';

function sign(body, secret) {{
  return crypto.createHmac('sha256', secret).update(body).digest('hex');
}}

function verify(req, res, next) {{
  const sig = req.header('x-signature');
  const expected = sign(req.rawBody, process.env.S2S_SECRET);
  if (sig !== expected) return res.status(401).send('Invalid signature');
  next();
}}

Fact learned: Don’t pass user cookies between services. Use HMAC or short-lived JWTs; rotate secrets.

React#

async function login(email, password) {{
  await fetch('/api/login', {{
    method: 'POST',
    credentials: 'include',
    headers: {{ 'Content-Type': 'application/json' }},
    body: JSON.stringify({{ email, password }}),
  }});
}}

Fact learned: Cookies still win for browser apps. With Next.js, SSR can read the cookie server-side.

Controls That Actually Worked#

Rate limiting for login/signup endpoints.
Honeypot fields that bots fill but humans ignore.
Analytics on failed logins to surface UX issues early.
SameSite=Lax + Secure cookies to avoid silent drops in Safari.

Final Thoughts#

Nuxt / React: Cookie sessions are safer and SSR-friendly than LocalStorage tokens.
Laravel: Sanctum + sessions is the simplest, reliable path for SPA/SSR.
Express: Prefer HMAC/JWT for service-to-service; never forward user cookies.
Browsers: Test in Safari early; its stricter rules expose hidden bugs.
Security + UX: Pair rate limits + honeypots with analytics; passwords alone aren’t “secure.”

Authentication in the Real World: Lessons from Nuxt 3, Laravel, React, and Express

Glossary

Need auth help?

Why I'm Writing This#

The Pain Points I Ran Into#

Nuxt 3 (Vue)#

Laravel 10#

Express.js#

React#

Controls That Actually Worked#

Final Thoughts#

Key takeaways

Need this level of engineering?

More practical reads

Defensive Laravel: How I Write Safer Code for Production Systems

Building in the Cloud: A Developer's Field Guide to AWS (It's Just Better Construction)

A/B Testing for UX in Web & Mobile: What It Is and How to Use It

Authentication in the Real World: Lessons from Nuxt 3, Laravel, React, and Express

Glossary

Need auth help?

Why I'm Writing This#

The Pain Points I Ran Into#

Nuxt 3 (Vue)#

Laravel 10#

Express.js#

React#

Controls That Actually Worked#

Final Thoughts#

Key takeaways

Need this level of engineering?

More practical reads

Defensive Laravel: How I Write Safer Code for Production Systems

Building in the Cloud: A Developer's Field Guide to AWS (It's Just Better Construction)

A/B Testing for UX in Web & Mobile: What It Is and How to Use It