I feel like this thing is doing way too much by default, and if you want to change that, then you gotta have a fun time,
e.g. a giant user class with so many unnecessary properties, a few tables in the db and so on.
The point is that you don't have to hash passwords manually? Or handle writing cookies with tokens? Attaching the current User in the request pipeline?