- Implements custom validation checks rather than relying on third-party modules
- Assumes rate limiting, bot detection, etc. are implemented in the infrastructure layer; otherwise these would be implemented with middleware such as express-rate-limit, helmet, etc.
- 2FA/MFA solution recommended in production when sensitive data is processed/accessed
- Passwords stored as salted hashes
- Use HTTPS in production
- The challenge did not ask to set up a session, but normally I create a JWT token and return it from the auth endpoint
- Username changes handled by renaming Redis key with RENAME command
- Could have been implemented with HSET/hashes (one hash per user), but opted for plain key/value pairs to keep it simple
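An added example (not the project's own code) of the two points above: one key per user holding a small JSON record, and a username change done by renaming that key. The Redis client here is an in-memory stand-in whose `rename`/`renamenx` follow Redis semantics so the example runs offline; against a real client the same commands are issued, asynchronously. The `user:<name>` key prefix, the username rule, and the record shape are assumptions for this example.

```javascript
// Added example (not the project's own code): key-per-user layout and
// username change via Redis RENAME, using an in-memory stand-in client.
const USERNAME_RE = /^[a-z0-9_]{3,32}$/; // assumed username policy

function userKey(username) {
  // Validate before building the key so a username cannot smuggle key
  // separators or glob characters into the "user:" namespace.
  if (!USERNAME_RE.test(username)) {
    throw new Error(`invalid username: ${JSON.stringify(username)}`);
  }
  return `user:${username}`;
}

// Minimal stand-in for a Redis client with the same command semantics.
class InMemoryRedis {
  constructor() { this.data = new Map(); }
  set(key, value) { this.data.set(key, value); return 'OK'; }
  get(key) { return this.data.has(key) ? this.data.get(key) : null; }
  exists(key) { return this.data.has(key) ? 1 : 0; }
  // RENAME: errors if the source is missing, silently overwrites the destination.
  rename(src, dst) {
    if (!this.data.has(src)) throw new Error('ERR no such key');
    this.data.set(dst, this.data.get(src));
    this.data.delete(src);
    return 'OK';
  }
  // RENAMENX: like RENAME, but returns 0 and does nothing if dst already exists.
  renamenx(src, dst) {
    if (!this.data.has(src)) throw new Error('ERR no such key');
    if (this.data.has(dst)) return 0;
    this.rename(src, dst);
    return 1;
  }
}

function createUser(redis, username, passwordHash) {
  const key = userKey(username);
  if (redis.exists(key)) return false; // username already taken
  redis.set(key, JSON.stringify({ username, passwordHash }));
  return true;
}

function renameUser(redis, oldName, newName) {
  const src = userKey(oldName);
  const dst = userKey(newName);
  if (!redis.exists(src)) return false; // no such user
  // RENAMENX rather than RENAME: a plain RENAME would overwrite an existing
  // user's record, letting one account take over another's key.
  if (redis.renamenx(src, dst) === 0) return false;
  // Keep the record's own username field in step with the key.
  const record = JSON.parse(redis.get(dst));
  record.username = newName;
  redis.set(dst, JSON.stringify(record));
  return true;
}

function getUser(redis, username) {
  const raw = redis.get(userKey(username));
  return raw === null ? null : JSON.parse(raw);
}
```

The detail worth keeping from this is the choice of RENAMENX over RENAME: RENAME replaces whatever is at the destination, so a rename to an existing username would silently replace that user's record. With a real client the rename and the follow-up `SET` are still two commands, so wrap them in MULTI/EXEC (or a Lua script) if concurrent renames of the same account are possible.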