I have plenty of experience both in web apps and in babylonjs games. https://gcapsarena.com uses such a system.
What I use is a Node.js login server to store the users' information and to handle the database operations, and a game server to handle the matches. The login server also instances game servers as needed at runtime.
On the other hand, the database (MySQL) is accessed by a web service written in PHP (my custom MVC web service framework), which handles all the queries. In the login server there are some models for the database entities with the appropriate APIs.
Between the client, the login server and the game servers, the communication is done via JSON through socket.io. I use the Facebook and Google APIs for the login; I do not use a custom login. I do all the validation server side and then store it via an API call. The page is secured with SSL.
Achievements in my system are stored via the userId. Of course, the user needs to be logged in in order to store achievements. This is all handled server side so definitely no security issues involved. You might want to secure your server though from outside access. Be careful if you are doing an old-style PHP website because those are prone to SQL injection attacks.
I hope this was somewhat useful to what you are doing.
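
Added example, not part of the original post and not code from the site it mentions: a sketch of a server-side handler for an incoming JSON achievement message, where the user identity comes from the authenticated session rather than from the message and the write uses query placeholders. The function names, the `user_achievements` table, the achievement IDs and the `db.execute(sql, params)` stand-in are all assumptions; whether the achievement was actually earned is left to game logic outside this sketch.

```javascript
// Constructed achievement IDs; a real game would load these from its own data.
const KNOWN_ACHIEVEMENTS = new Set(["first_win", "ten_matches", "flawless"]);

// Stand-in for a database client that supports placeholders. It records the
// statements instead of talking to MySQL, so the example runs offline.
function makeFakeDb() {
  const rows = [];
  return {
    rows,
    execute(sql, params) {
      // Placeholders keep values out of the SQL text; check the counts match.
      if ((sql.match(/\?/g) || []).length !== params.length) {
        throw new Error("placeholder/parameter count mismatch");
      }
      rows.push({ sql, params });
    },
  };
}

// session: server-side state attached to the socket after the Facebook/Google
// login was validated on the server. rawMessage: JSON string from the socket.
function handleAchievement(session, rawMessage, db) {
  if (!session || !Number.isInteger(session.userId)) {
    return { ok: false, error: "not_logged_in" };
  }
  let msg;
  try {
    msg = JSON.parse(rawMessage);
  } catch {
    return { ok: false, error: "bad_json" };
  }
  const id = msg !== null && typeof msg === "object" ? msg.achievementId : undefined;
  // Allowlist check: anything that is not a known ID never reaches the database.
  if (typeof id !== "string" || !KNOWN_ACHIEVEMENTS.has(id)) {
    return { ok: false, error: "unknown_achievement" };
  }
  // Identity comes from the session; any userId inside the message is ignored.
  db.execute(
    "INSERT IGNORE INTO user_achievements (user_id, achievement_id) VALUES (?, ?)",
    [session.userId, id]
  );
  return { ok: true, userId: session.userId, achievementId: id };
}
```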