
simon/skills

Auto-generated tile from GitHub (10 skills)

Quality: 94% (does it follow best practices?)

Impact: 92%, 1.16x (average score across 44 eval scenarios)

Security by Snyk: Advisory. Suggest reviewing before use.


evals/scenario-2/task.md

Authentication Service for a SaaS Platform

Problem/Feature Description

A SaaS startup needs a standalone authentication microservice. The security team has reviewed the previous implementation and raised several concerns: passwords were hashed with bcrypt (which they consider insufficiently memory-hard), rate limiting was implemented using an in-memory counter that could be bypassed by spinning up multiple instances behind the load balancer, and the service had no graceful shutdown — deployments caused in-flight login requests to fail.

Your task is to build a production-ready authentication API in Fastify that addresses all three concerns. The service must issue short-lived JWTs, refresh those tokens, and protect the login and registration endpoints from brute-force attacks in a way that works correctly across multiple instances.

The service needs:

  • POST /auth/register — accepts email and password, stores hashed password, returns user ID
  • POST /auth/login — validates credentials, returns access token and refresh token
  • POST /auth/refresh — exchanges a valid refresh token for a new access token
  • POST /auth/logout — invalidates the refresh token

The service will run behind an AWS load balancer with at least two instances.
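The multi-instance concern above is easy to get wrong, so here is an added example (not part of this eval task or of any submission to it) that makes the failure mode concrete. It simulates a round-robin load balancer in front of N app instances and compares a per-instance in-memory counter with a counter kept in storage shared by every instance. The shared store is an in-process stand-in for a real backend such as Redis (the task leaves that choice to architecture-notes.md), the client address is a constructed value, and the example goes slightly beyond the task text by also showing the fixed window resetting so that a burst does not lock a legitimate user out permanently.

```typescript
// Added example (not part of the eval task or of any submission to it).
// Demonstrates the rate-limiting concern from the task: a per-instance
// in-memory counter lets a client spread attempts across instances, while a
// counter in storage shared by every instance enforces the intended limit.
// The shared store here is an in-process stand-in for a real backend such as
// Redis; the sample client address is a constructed value.

interface CounterStore {
  // Increment the counter for `key` within a fixed window of `windowMs`
  // milliseconds and return the new count.
  increment(key: string, windowMs: number, now: number): number;
}

interface WindowEntry {
  count: number;
  resetAt: number;
}

// Fixed-window counter. Whether it is "local" or "shared" depends only on
// whether one object is handed to one app instance or to all of them.
class MemoryCounterStore implements CounterStore {
  private readonly entries = new Map<string, WindowEntry>();

  increment(key: string, windowMs: number, now: number): number {
    let entry = this.entries.get(key);
    if (entry === undefined || now >= entry.resetAt) {
      entry = { count: 0, resetAt: now + windowMs };
      this.entries.set(key, entry);
    }
    entry.count += 1;
    return entry.count;
  }
}

class RateLimiter {
  constructor(
    private readonly store: CounterStore,
    private readonly max: number,
    private readonly windowMs: number,
  ) {}

  // True if this attempt is still within the limit for the current window.
  allow(key: string, now: number): boolean {
    return this.store.increment(key, this.windowMs, now) <= this.max;
  }
}

// Round-robin "load balancer": attempt i is handled by instance i mod N.
// Returns how many of `attempts` login requests reached credential checking,
// i.e. how many guesses a client could actually make in one window.
function simulateAttempts(
  instances: RateLimiter[],
  key: string,
  attempts: number,
  now: number,
): number {
  let allowed = 0;
  for (let i = 0; i < attempts; i += 1) {
    if (instances[i % instances.length].allow(key, now)) {
      allowed += 1;
    }
  }
  return allowed;
}

const LOGIN_KEY = "login:203.0.113.10"; // constructed client address

// Each instance keeps its own counter: the effective limit becomes max * N.
function allowedWithLocalCounters(
  instanceCount: number,
  max: number,
  windowMs: number,
  attempts: number,
): number {
  const instances = Array.from(
    { length: instanceCount },
    () => new RateLimiter(new MemoryCounterStore(), max, windowMs),
  );
  return simulateAttempts(instances, LOGIN_KEY, attempts, 0);
}

// All instances share one store: the limit holds regardless of instance count.
function allowedWithSharedCounter(
  instanceCount: number,
  max: number,
  windowMs: number,
  attempts: number,
): number {
  const shared = new MemoryCounterStore();
  const instances = Array.from(
    { length: instanceCount },
    () => new RateLimiter(shared, max, windowMs),
  );
  return simulateAttempts(instances, LOGIN_KEY, attempts, 0);
}

// Once the window elapses the count resets, so a user who hit the limit is
// blocked only for the remainder of the window, not permanently.
function blockedThenResetAfterWindow(max: number, windowMs: number): boolean {
  const limiter = new RateLimiter(new MemoryCounterStore(), max, windowMs);
  for (let i = 0; i < max; i += 1) limiter.allow(LOGIN_KEY, 0);
  const blockedInWindow = !limiter.allow(LOGIN_KEY, windowMs - 1);
  const allowedNextWindow = limiter.allow(LOGIN_KEY, windowMs);
  return blockedInWindow && allowedNextWindow;
}

console.log(allowedWithLocalCounters(3, 5, 60000, 30)); // 15
console.log(allowedWithSharedCounter(3, 5, 60000, 30)); // 5
```

With three instances and a limit of five attempts per minute, the per-instance design lets fifteen guesses through in one window; the shared counter lets five through no matter how many instances sit behind the load balancer. In the real service the same idea is realised by pointing the rate-limit plugin's store at the shared backend named in architecture-notes.md, and the increment-and-expire in `MemoryCounterStore` must be atomic there too, otherwise two instances racing on the same key can both read a count below the limit.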

Output Specification

Produce:

  • package.json
  • src/app.ts — Fastify factory function
  • src/plugins/auth.ts — JWT plugin registration and authenticate decorator
  • src/routes/auth.ts — the four auth routes
  • src/server.ts — entry point with graceful shutdown
  • architecture-notes.md documenting: the password hashing library chosen and why, the rate limiting storage backend chosen and why it works across instances, and the graceful shutdown mechanism used
