I asked why you needed authentication at all, so I could see if there were some other features that would depend on it which might change what Nim libs you might choose. Oh well.
I'm using Guildenstern and sqliteral with SQLite. Mummy is also a fine option if you don't need streaming multipart file upload. You might just use asynchttpserver or Prologue, but I went with threading servers instead of async for my needs after having problems with all the async httpservers. I needed streaming multipart, and also was fairly ignorant about a lot of Nim stuff when I tried those though, so you may have better luck with async than I did. I use nginx in front of the Nim app server as a reverse proxy and for serving static assets. You can set all kinds of limits with nginx. IRT auth security stuff: One thing you will want to implement is CSRF protection for all form POSTs. You might implement some sort of bot filter for the Create Account form if you will have that. You may want to throttle requests by IP address for form POSTs, so they can't brute force your login form's username/password. Look into cookie security best practices. A framework like Laravel has lots of cookie-related settings that will clue you in on what is possible.
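As an added illustration of the two points the reply raises (CSRF tokens for form POSTs and per-IP throttling of the login form), here is a small Nim stdlib example. It is not the poster's code and not taken from Guildenstern, Mummy or Prologue; the proc names, the limits (5 attempts per 60 s), the in-memory session table and the sample IP addresses are assumptions, and the server-specific parts (reading the form field, answering 429) are left to whichever framework you use.

```nim
## Added example (not the poster's code): a CSRF token helper and a
## per-IP login throttle, written against the Nim stdlib only so any
## of the servers mentioned in the thread can call them. Names, limits
## and the in-memory session store are assumptions.
import std/[sysrand, strutils, sequtils, tables, times]

# --- CSRF: one unguessable token per session, echoed back in every form POST ---

proc newCsrfToken*(): string =
  ## 32 bytes from the OS CSPRNG, hex-encoded (64 chars). Store it in the
  ## server-side session and emit it as a hidden <input> in each form.
  for b in urandom(32):
    result.add(toHex(b.int, 2))

proc constantTimeEq(a, b: string): bool =
  ## Compare without early exit so timing does not leak where strings differ.
  if a.len != b.len:
    return false
  var diff = 0
  for i in 0 ..< a.len:
    diff = diff or (a[i].ord xor b[i].ord)
  diff == 0

proc csrfValid*(sessionToken, formToken: string): bool =
  ## Reject empty tokens (no session yet) and anything not byte-equal.
  sessionToken.len > 0 and constantTimeEq(sessionToken, formToken)

# --- Login throttle: at most `maxAttempts` POSTs per client IP per window ---

type
  LoginThrottle* = object
    maxAttempts: int
    windowSecs: float
    attempts: Table[string, seq[float]]  # ip -> epoch times of recent attempts

proc initLoginThrottle*(maxAttempts = 5, windowSecs = 60.0): LoginThrottle =
  LoginThrottle(maxAttempts: maxAttempts, windowSecs: windowSecs,
                attempts: initTable[string, seq[float]]())

proc allowAttempt*(t: var LoginThrottle, ip: string, now: float): bool =
  ## Sliding window: drop timestamps older than `windowSecs`, then decide.
  ## Call this *before* checking the password so failed and successful
  ## attempts both count; the caller answers 429 when it returns false.
  var recent = t.attempts.getOrDefault(ip)
  recent.keepItIf(now - it < t.windowSecs)
  if recent.len >= t.maxAttempts:
    t.attempts[ip] = recent
    return false
  recent.add(now)
  t.attempts[ip] = recent
  true

when isMainModule:
  # Constructed walk-through of one session: issue a token, check a genuine
  # and a forged POST, then exceed the login limit from a single IP.
  var sessions = initTable[string, string]()   # sessionId -> csrf token (assumed store)
  let sid = "sess-example"
  sessions[sid] = newCsrfToken()
  doAssert csrfValid(sessions[sid], sessions[sid])          # genuine form
  doAssert not csrfValid(sessions[sid], "attacker-guess")   # cross-site POST
  doAssert not csrfValid("", "")                            # no session at all

  var throttle = initLoginThrottle(maxAttempts = 3, windowSecs = 60.0)
  let t0 = epochTime()
  for i in 0 ..< 3:
    doAssert throttle.allowAttempt("203.0.113.7", t0 + i.float)
  doAssert not throttle.allowAttempt("203.0.113.7", t0 + 3.0)   # 4th within window
  doAssert throttle.allowAttempt("203.0.113.7", t0 + 61.0)      # window slid past
  doAssert throttle.allowAttempt("198.51.100.9", t0 + 3.0)      # other IP unaffected
  echo "csrf + throttle checks passed"
```

Behind nginx the client address your handler sees is the proxy's, so key the throttle on the address nginx forwards (for example via `X-Forwarded-For` or `X-Real-IP`, trusting only your own proxy to set it); a per-IP counter in process memory is also per worker, so with several threads or processes it is a soft limit and nginx's own request limiting is the place for a hard one.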