Authorization and Authentication
- Chris Li
- Oct 26
Even the best-laid plans meet reality. When I first stood up the app on my laptop, I chose Keycloak running in Docker to handle sign-in and permissions. I spent two focused weeks wiring a network-detection layer to cope with my ever-changing IP addresses and hardening the backend for HIPAA-minded encryption. It was a good local setup, until it wasn’t.
The moment I pushed toward the cloud, the assumptions cracked. The containerized approach that behaved so nicely on my machine didn’t translate cleanly to the EC2 environment I’d chosen. Think “virtual machine inside a virtual machine”, a little Ghost in the Shell if you will, and suddenly my tidy plan needed a new direction.
Enter Amazon Cognito. Overnight I became a cybersecurity novice and a developer at the same time. I learned the language of user pools, identity providers, and group policies. I wrestled with redirects and deep links so that both mobile and desktop could glide through sign-in without getting lost. More than once it felt like freshman year all over again: reading docs for what must be the simplest of settings, then discovering the one checkbox that makes everything click.
It took a week of false starts, small victories, and a lot of notes, but we’re close, very close, to an end-to-end authentication flow that feels dependable and respectful of the user. The lesson was humbling and useful: security is not a bolt-on, and “works on my laptop” isn’t the same as “works in the world.” Designing for the environment where the app will live is just as important as choosing the right libraries.
With this pipeline nearly in place, the next stretch is the fun part: fleshing out features and inviting early users into the beta. This detour cost time, but it bought confidence. The app will be better for it, and so will the people who trust it with their health information.