Hub Platform¶
The central identity and authentication hub for the CyberEco ecosystem.
The Hub is the gateway to every CyberEco application. It provides single sign-on, privacy controls, data management, and a unified dashboard for navigating the entire ecosystem. Every CyberEco app authenticates through the Hub, and every user manages their digital identity from this central point.
Status: Live Application
The Hub is available now at hub.cybere.co
What It Does¶
The Hub serves three primary functions: identity management, privacy control, and ecosystem navigation.
Single Sign-On (SSO)¶
One account, every CyberEco application. Users sign in once through the Hub and are automatically authenticated across JustSplit, Somos, Demos, and every future application in the ecosystem.
| Feature | Description |
|---|---|
| Email/Password Auth | Standard credential-based authentication with secure password handling |
| Password Reset | Self-service password recovery via email |
| Session Management | httpOnly cookie-based sessions with automatic 45-minute refresh |
| Cross-App SSO | Firebase Auth tokens validated across all CyberEco applications |
| Sign-Out | Clean session termination across all active applications |
Privacy Controls¶
The Hub is where users exercise sovereignty over their data. Granular privacy settings apply across the entire ecosystem.
| Control | Description |
|---|---|
| Data Sharing | Choose exactly which data is shared with which applications |
| Cookie Preferences | Fine-grained cookie consent management |
| Retention Settings | Control how long your data is stored |
| Visibility Settings | Manage who can see your profile and activity |
| Data Export | Export all your data in standard formats (GDPR compliance) |
| Account Deletion | Full right to erasure -- delete your account and all associated data |
Ecosystem Dashboard¶
A unified control center for managing your CyberEco experience.
- App Launcher -- Quick access to all CyberEco applications from a single dashboard
- Activity Overview -- See recent activity across all connected applications
- Profile Management -- Manage your identity, display name, and preferences
- Billing & Subscription -- Manage payments and subscription status
- Security Settings -- Two-factor authentication, active sessions, login history
- Audit Logs -- Review access logs and permission changes
Technical Architecture¶
The Hub is built with a modern, performance-focused stack that prioritizes server-side rendering for security-sensitive pages.
Technology Stack¶
| Layer | Technology | Purpose |
|---|---|---|
| Framework | Astro 5 | Server-rendered pages with selective client hydration |
| UI | React Islands | Interactive components hydrated with client:load |
| SSR | @astrojs/node | Node.js server-side rendering adapter |
| Styling | CSS Modules + Custom Properties | Scoped styles with theme support (no Tailwind) |
| i18n | Custom system | EN + ES translations, server-side createT() + client-side LanguageProvider |
Application Structure¶
The Hub is a substantial application with 122+ source files.
| Layer | Count | Details |
|---|---|---|
| Pages | 17 .astro | Landing, coming-soon, 3 auth pages, 12 protected pages |
| Islands | 15 .tsx + CSS | SignIn, SignUp, Reset, Dashboard, Apps, MyData, Profile, Privacy, Settings, Billing, Security, AuditLogs |
| API Routes | 8 .ts | login, set-cookie, generate-token, refresh, export, privacy/settings, privacy/consent, csp-report |
| Components | 20 .tsx | ui/ (10 reusable), dashboard/ (3), hub/ (7) |
| Providers | 4 | HubAuthContext, ThemeProvider, LanguageProvider, HubProviders |
Authentication Flow¶
The Hub implements a secure, cookie-based authentication flow.
```mermaid
sequenceDiagram
    participant User
    participant Browser
    participant Hub API
    participant Firebase Auth
    User->>Browser: Submit email/password
    Browser->>Firebase Auth: signInWithEmailAndPassword()
    Firebase Auth-->>Browser: Firebase UID + token
    Browser->>Hub API: POST /api/auth/set-cookie (UID)
    Hub API-->>Browser: Set httpOnly cookie
    Browser->>Browser: window.location.href = '/dashboard'
    Note over Browser,Hub API: Middleware reads cookie on every request
    Browser->>Hub API: GET /dashboard (with cookie)
    Hub API-->>Browser: Render protected page
```
Key security properties:
- Cookies are `httpOnly` -- inaccessible to JavaScript, so an XSS payload cannot read the session token
- Cookies refresh automatically every 45 minutes
- `onAuthStateChanged` listener provides background session sync
- Sign-out clears cookies via `DELETE /api/auth/refresh`
- CSRF protection in middleware for all state-changing requests
Middleware¶
The Hub middleware handles multiple security and routing concerns.
| Responsibility | Description |
|---|---|
| Auth Gating | Reads cybereco-auth-token cookie and blocks unauthorized access to protected routes |
| Security Headers | CSP (Content Security Policy), HSTS, X-Frame-Options, X-Content-Type-Options |
| CORS | Cross-origin request handling for API routes |
| CSRF | Cross-site request forgery protection for POST/PUT/DELETE |
| Locale Detection | Auto-detect user language from Accept-Language header |
| Prerender Skip | Bypass header access for statically prerendered pages |
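The auth-gating, CSRF and security-header rows above can be expressed as one decision function. This is an added example in plain JavaScript, not the Hub's own middleware: the protected route prefixes, the `/auth/signin` redirect target, the header values and the Origin-comparison CSRF strategy are all assumptions; only the cookie name and the list of responsibilities come from the table.

```javascript
// Added example: decision logic for a Hub-style middleware (not the Hub's source).
const AUTH_COOKIE = 'cybereco-auth-token';                  // cookie name from the table above
const PROTECTED = ['/dashboard', '/profile', '/security'];  // assumed route prefixes
const UNSAFE = new Set(['POST', 'PUT', 'DELETE']);

const SECURITY_HEADERS = {                                  // assumed values
  'Content-Security-Policy': "default-src 'self'; report-uri /api/csp-report",
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
};

// Parse a Cookie header into a name -> value map.
function parseCookies(header) {
  const jar = new Map();
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0) jar.set(part.slice(0, eq).trim(), part.slice(eq + 1).trim());
  }
  return jar;
}

// Returns { status, reason, headers } for one request.
function decide({ method, url, headers }, hubOrigin) {
  const { pathname } = new URL(url);
  const out = (status, reason, extra = {}) =>
    ({ status, reason, headers: { ...SECURITY_HEADERS, ...extra } });

  // CSRF: state-changing requests must carry an Origin equal to the Hub's own.
  // A missing Origin header is rejected as well.
  if (UNSAFE.has(method.toUpperCase()) && headers.get('origin') !== hubOrigin) {
    return out(403, 'csrf-origin-mismatch');
  }
  // Auth gating: protected routes need the session cookie. This checks presence
  // only; real middleware must also verify the token's signature and expiry.
  const isProtected = PROTECTED.some((p) => pathname === p || pathname.startsWith(p + '/'));
  if (isProtected && !parseCookies(headers.get('cookie')).get(AUTH_COOKIE)) {
    return out(302, 'no-session', { Location: '/auth/signin' });
  }
  return out(200, 'ok');
}
```

Every decision, including the rejections, carries the security headers, so error responses are covered by the same CSP and framing policy as normal pages.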
API Routes¶
Eight API endpoints power the Hub's server-side functionality.
| Endpoint | Method | Purpose |
|---|---|---|
| /api/auth/login | POST | Authenticate user credentials |
| /api/auth/set-cookie | POST | Set httpOnly session cookie after Firebase auth |
| /api/auth/generate-token | POST | Generate JWT for cross-app SSO |
| /api/auth/refresh | GET/DELETE | Refresh session cookie / clear on sign-out |
| /api/export | GET | Export user data in standard formats (GDPR) |
| /api/privacy/settings | GET/PUT | Read and update privacy preferences |
| /api/privacy/consent | POST | Record user consent for data processing |
| /api/csp-report | POST | Receive Content Security Policy violation reports |
Islands Pattern¶
The Hub uses Astro's islands architecture to keep security-sensitive pages server-rendered while providing rich interactivity where needed.
Each protected page follows this pattern:
- `.astro` shell -- Server-rendered page that checks authentication via middleware
- React island -- Interactive component hydrated on the client with `client:load`
- `<HubProviders>` wrapper -- Provides Auth, Theme, and Language contexts to the island
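```astro
---
// dashboard.astro -- server-rendered shell
import Layout from '../layouts/Layout.astro'; // placeholder path, not shown on this page
import DashboardIsland from '../islands/DashboardIsland';
---
<Layout title="Dashboard">
  <DashboardIsland client:load />
</Layout>
```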
This pattern ensures that:
- Authentication is validated on the server before any page content is sent
- JavaScript-heavy interactions (forms, state management) run as client-side React
- The initial page load is fast because only the interactive parts are hydrated
Environment Configuration¶
The Hub requires Firebase credentials and a JWT secret for server-side token operations.
```bash
PUBLIC_HUB_URL=http://localhost:4321
PUBLIC_FIREBASE_API_KEY=...
PUBLIC_FIREBASE_AUTH_DOMAIN=...
PUBLIC_FIREBASE_PROJECT_ID=...
PUBLIC_FIREBASE_STORAGE_BUCKET=...
PUBLIC_FIREBASE_MESSAGING_SENDER_ID=...
PUBLIC_FIREBASE_APP_ID=...
JWT_SECRET=... # Server-only, never exposed to client
```
Security Note
Variables prefixed with PUBLIC_ are exposed to the client bundle. The JWT_SECRET is server-only and must never be prefixed with PUBLIC_. Access environment variables via import.meta.env.PUBLIC_* in Astro.
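The `PUBLIC_` rule in the note above can be enforced before deployment by auditing the `.env` file. This is an added example, not part of the Hub repository: the secret-name heuristic, the 32-character minimum and the sample file contents are assumptions constructed for illustration.

```javascript
// Added example: pre-deploy audit of a .env file (not part of the Hub repository).
const SECRET_HINT = /(SECRET|PRIVATE|PASSWORD|TOKEN|CREDENTIAL)/; // assumed naming heuristic
const MIN_SECRET_LEN = 32; // assumed minimum length for the JWT signing secret

// Parse KEY=value lines, ignoring blanks, full-line comments and trailing "# ..." comments.
function parseEnv(text) {
  const vars = new Map();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq < 1) continue;
    const value = line.slice(eq + 1).replace(/\s+#.*$/, '').trim();
    vars.set(line.slice(0, eq).trim(), value.replace(/^(['"])(.*)\1$/, '$2'));
  }
  return vars;
}

// Return a list of findings; an empty list means the file passes.
function auditEnv(text) {
  const vars = parseEnv(text);
  const findings = [];
  for (const [name, value] of vars) {
    if (name.startsWith('PUBLIC_') && SECRET_HINT.test(name)) {
      findings.push(`${name}: secret-looking name would ship in the client bundle`);
    }
    if (name !== 'JWT_SECRET' && value && value === vars.get('JWT_SECRET')) {
      findings.push(`${name}: duplicates the JWT_SECRET value`);
    }
  }
  const secret = vars.get('JWT_SECRET');
  if (!secret || secret === '...') findings.push('JWT_SECRET: missing or placeholder');
  else if (secret.length < MIN_SECRET_LEN) {
    findings.push(`JWT_SECRET: shorter than ${MIN_SECRET_LEN} characters`);
  }
  return findings;
}

// Constructed sample input, not a real configuration.
const SAMPLE = [
  'PUBLIC_HUB_URL=http://localhost:4321',
  'PUBLIC_FIREBASE_API_KEY=constructed-demo-key',
  'PUBLIC_JWT_SECRET=short-demo-value   # wrong: exposed to the client',
  'JWT_SECRET=short-demo-value',
].join('\n');
```

`auditEnv(SAMPLE)` reports the `PUBLIC_`-prefixed secret, the duplicated value and the short secret. The name heuristic deliberately leaves out `KEY`, because `PUBLIC_FIREBASE_API_KEY` is meant to reach the client.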
Feature Roadmap¶
| Feature | Timeline | Description |
|---|---|---|
| Enhanced dashboard | 2025 | Richer activity feed with cross-app data aggregation |
| Two-factor authentication | 2025 | TOTP-based 2FA for enhanced account security |
| OAuth providers | 2025-2026 | Google, GitHub, and Apple sign-in options |
| App permissions manager | 2026 | Fine-grained control over which apps can access which data |
| DID integration | 2027+ | Decentralized Identifier support for self-sovereign identity |
| P2P auth | 2030+ | Peer-to-peer authentication without central servers |
Getting Started¶
- Visit hub.cybere.co
- Create an account with your email and password
- Configure your privacy settings
- Launch CyberEco applications from the dashboard

- Clone the repository: `git clone https://github.com/cyber-eco/cybereco-hub.git`
- Copy `.env.example` to `.env` in `apps/hub/` and fill in Firebase credentials
- Install dependencies: `npm ci`
- Start the dev server: `npm run dev`