I would love to see alternatives of educational code that implements these things in a "compliant" way.

Security does not come from Compliance (sometimes they are at odds) but as someone who is not an academically trained security professional but who has read NIST* in detail, implements such code and has passed a number of code reviews from security professionals. And who has been asked to do things like STRIDE risk assessment on products I write code for I do appreciate the references and links along side actual code of any kind.

Now to be fair, I have not yet looked at any of the code here, it's commit history or its level of AI-induced fantasy confidence in the validity of the specific solutions. That could be good or bad but the intent of this is really on point for me.

Edit: I looked at some code:

This is missing a lot from NIST SP 800-63B

Looking at https://github.com/vhscom/private-landing/blob/main/packages...

    - the db select runs before the password has so you can detect if the account exists with timing attacks
    - there is no enforced minimum nor maximum length on the stored secret (e..g para 5.1.1.1 and 5.1.1.2 recommend length range of 8 to 64 unicode printable chars normalized to some form i forget)

    - there is no enforced min max length on the account identifier (in this case email) and no normalization

At least not in the code i saw. so there is still a lot of basics/low hanging fruit from NIST recommendations at least you would find in any production grade auth framework missing