DOC 09

Account Security

What's on by default, and how to harden further

BLNDR handles your OAuth tokens for connected stores, payment IDs, and recipe IPs. We treat security as foundational, not optional. Here's what's on by default and what you can do to harden further.

What's always on

  • OAuth tokens encrypted at rest — your Shopify and Square access tokens are AES-256-GCM ciphertext in our DB. A database leak alone exposes nothing usable.
  • Row-level security on every table that holds your data. Other users physically cannot read your recipes, library, batches, or settings.
  • Webhook signatures required from Stripe, Shopify, and Square — no unsigned events are processed.
  • Rate limiting on AI endpoints to protect your subscription credits from runaway loops.
  • Bug screenshots auto-expire at 90 days. Image bucket rejects anything that isn't PNG or JPEG.
  • Daily vulnerability scan — every dependency checked against the OSV (Open Source Vulnerabilities) database. New CVEs land in our admin audit log within 24h.

Two-factor authentication (admin)

Admin accounts require TOTP on every sign-in.

  1. First-time enrollment
     On your first /admin visit, you'll be redirected to /auth/2fa-admin/setup.

  2. Open your authenticator app
     Authy, Google Authenticator, 1Password, Bitwarden — any TOTP app works.

  3. Scan or paste
     Scan the QR code, or click Can't scan? for the manual-entry secret.

  4. Verify the 6-digit code
     Enter the code your authenticator shows. Click VERIFY + ENABLE MFA. You're back at /admin, MFA enrolled.

HEADS UP — Lost your TOTP app?
Email rickjanusz@gmail.com with subject “2FA recovery” from the email on your account. We'll wipe your factor; you can re-enroll on next admin visit.

User-side 2FA (Basic + Pro)

Paid subscribers can opt in to TOTP step-up on every sign-in. Once enabled, your password alone won't get you (or anyone with your password) past the home screen — Supabase issues a fresh challenge against your factor and you have to enter the current 6-digit code.

  1. Open Settings → Account Security
     Section 11 at the bottom of the Settings page. Free tier sees an upgrade prompt; Basic and Pro see ENABLE 2FA.

  2. Click ENABLE 2FA
     Routes to /auth/2fa/setup. The page generates a fresh TOTP factor and shows a QR code.

  3. Scan with your authenticator app
     Authy, 1Password, Google Authenticator, Bitwarden — any TOTP app works. The entry will show up as “BLNDR (your-email)”.

  4. Enter the 6-digit code to verify
     The factor flips to verified in Supabase. Settings flips to a green “2FA is enabled” card.

  5. Next sign-in: step-up
     After your password, you'll land at /auth/2fa/verify — type the current code, you're back in. The session is good until you sign out.

HEADS UP — Disabling 2FA requires a code
From the same Settings card, click DISABLE 2FA. You'll be asked for a fresh TOTP code to confirm — without that, anyone who steals your session cookie could just turn it off and stay in. The disable event is also written to security_audit_log so any tampering is traceable.
NOTE — Lost your authenticator app?
Email rickjanusz@gmail.com from the email on your account with subject “2FA recovery”. We'll wipe your factor; you can re-enroll on next sign-in.

Report a vulnerability

If you find a security issue, email rickjanusz@gmail.com with subject [BLNDR security]. Don't open a public GitHub issue — they're world-readable.