ToastyHub is a public-facing company website with a protected customer workspace behind sign-in. Sessions stay server-side, provider access stays in the backend, and every signed-in user only sees their own data.
ToastyHub combines a conventional landing page with a secure dashboard for internal and customer-facing data. Authentik handles identity, Cloudflare handles delivery, and the backend enforces every access decision.
The public homepage is intentionally simple and accessible. Sensitive account data, provider lookups, and user actions live behind authenticated routes and are enforced on the server.
Use the root route as a clean company front door with clear sign-in and dashboard entry points.
Every dashboard route is backed by session checks and per-user filtering before data leaves the backend.
Add new providers through server-side adapters without changing the security model in the browser.
ToastyHub is designed to minimize browser exposure. Frontend code renders data and submits requests, but session validation, authorization, claim mapping, provider credentials, and data access checks remain in backend functions only.
Authorization Code Flow with PKCE, HttpOnly cookies, CSRF validation, and session rotation controls.
Only the required claims from Authentik are mapped locally: subject, email, display name, and groups.
Provider tokens stay backend-only, and the dashboard receives sanitized summaries instead of raw API payloads.
The stack stays pragmatic: Cloudflare Pages, Pages Functions, D1, Authentik, and small adapter modules for services such as Immich and Plex.
Use ToastyHub for a polished public presence and a secure private workspace without exposing sensitive provider credentials or security-critical logic to the frontend.