Proof point → Every serious platform lives or dies by its identity layer. I have already built one - solo, spec-first, observable from day one.


🩻 Problem

LuraVPN needed a single source of truth for user accounts: authentication, admin management, and an influencer/referral program with codes, earnings tracking, and dashboards. Off-the-shelf identity providers are expensive and opaque; a privacy product cannot outsource its trust layer.

🔨 Solution

Lura Lite V2 - the Identity & User Management microservice for Luravpn.com, rebuilt from scratch as a clean-architecture FastAPI service.

Architecture Overview

  1. Layered, spec-driven design - controllers → services → domain → infrastructure, with a repository pattern over SQLAlchemy and dependency injection throughout. The repo carries 11 numbered specification documents (requirements & UML, sequence/activity diagrams, class responsibilities, information hiding, exception design, coding conventions) plus a tracked backlog.
  2. Auth engineering - JWT lifecycle with a dedicated token service, OTP + phone/email verification, SSO, rate limiting, and account lockout.
  3. Referral subsystem - influencer applications, signup codes, conversions, and earnings tracking as first-class services.
  4. Database evolution - Alembic migrations including a non-trivial integer→UUID primary-key migration, guarded by a dedicated migration test suite.
  5. Observability from day one - OpenTelemetry tracing, Prometheus /metrics, request-ID middleware, structured logging, and a centralized exception→JSON error contract.
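As an added illustration of items 2 and 5 (this is not code from Lura Lite V2), a stdlib-only sketch of how an account-lockout service and a centralized exception→JSON error contract fit together; the class names, thresholds and envelope fields are assumptions:

```python
from dataclasses import dataclass, field

# Exceptions designed as a subsystem: each domain error carries a stable code,
# an HTTP status and a client-safe message, so ONE handler maps all of them.
class DomainError(Exception):
    status, code, message = 500, "internal_error", "internal error"

class InvalidCredentials(DomainError):
    status, code, message = 401, "invalid_credentials", "invalid username or password"

class AccountLocked(DomainError):
    status, code, message = 423, "account_locked", "account temporarily locked"

@dataclass
class LockoutPolicy:
    max_failures: int = 5       # assumed threshold
    lock_seconds: int = 900     # assumed lock window

@dataclass
class LoginGuard:
    """Service: counts failed logins per account and enforces the lock window.
    The clock is passed in so the behaviour is deterministic and testable."""
    policy: LockoutPolicy = field(default_factory=LockoutPolicy)
    failures: dict = field(default_factory=dict)      # username -> failure count
    locked_until: dict = field(default_factory=dict)  # username -> unlock timestamp

    def check(self, username: str, password_ok: bool, now: float) -> None:
        if now < self.locked_until.get(username, 0.0):
            raise AccountLocked()        # locked accounts fail even with the right password
        if password_ok:
            self.failures.pop(username, None)
            self.locked_until.pop(username, None)
            return
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] >= self.policy.max_failures:
            self.locked_until[username] = now + self.policy.lock_seconds
            self.failures.pop(username, None)
            raise AccountLocked()
        raise InvalidCredentials()

def error_contract(exc: Exception, request_id: str) -> tuple[int, dict]:
    """Centralized exception -> JSON mapping. Anything that is not a DomainError
    becomes a generic 500, so stack traces and internals never reach the client;
    the request ID lets the client report an error the logs can be searched for."""
    err = exc if isinstance(exc, DomainError) else DomainError()
    return err.status, {"error": err.code, "message": err.message, "request_id": request_id}

def attempt_login(guard: LoginGuard, username: str, password_ok: bool, now: float, request_id: str):
    """What the controller layer does: call the service, map any exception to the contract."""
    try:
        guard.check(username, password_ok, now)
        return 200, {"status": "ok", "request_id": request_id}
    except Exception as exc:           # deliberately broad: the contract is the only exit
        return error_contract(exc, request_id)
```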

Quality signals

  • Five-layer test suite: unit, domain, infrastructure, migrations, and controller integration tests - with a documented fast-to-slow execution strategy.
  • CI that gates merges: ruff lint + mypy type-checks + pytest on every PR; multi-arch Docker builds pushed to GHCR on main.
  • 100+ commits of dense, solo activity over roughly one month (June–July 2025).

📜 Philosophy

Identity is not a feature - it is infrastructure. Specs before code, types enforced in CI, exceptions designed as a subsystem, and telemetry wired in before the first user, not after the first incident.

🎓 Key learnings

  • Production-grade FastAPI structure: clean architecture and the repository pattern applied to a real product, not a tutorial.
  • The full auth surface - JWT rotation, OTP, SSO, lockout, RBAC - and where each one breaks.
  • Schema migration as a tested, reversible operation rather than a leap of faith.
  • A test pyramid and CI pipeline tight enough that a solo developer can ship like a team.

📈 Output & impact

  • LuraVPN’s identity service, built solo end-to-end (the spec names one developer for this service: Richard).
  • A complete influencer/referral subsystem shipped inside the same service boundary.
  • Automated container publishing to GitHub Container Registry on every mainline merge.

🌍 Why this matters

Platforms & Registries · Trust, Security & Compliance. Any platform that registers people - a marketplace, a directory, a civic service - must first authenticate them correctly and protect their data under laws like the NDPR. This project is the evidence: a production-grade identity layer, designed, built, tested, and shipped by one person, with the audit trail to prove it.


🚀 Hire me

Need an authentication nucleus for your next SaaS or platform? Let’s talk → · See also: GhostRoute · The thesis