
simple-auth's People

Contributors

dependabot[bot], gjordao, microanibal, nneves

Forkers

fmagno, nneves, bomany

simple-auth's Issues

JWT token support

I would like to request support for JWT token type auth.

This is a very common auth standard, and would greatly increase compatibility with other technologies.

What do you think?

Feature request: Support OAuth flows

It would be fantastic if simple-auth would support using OAuth compatible services in order to make it easy to plug into other auth systems that support it.

feature request: ability to select the hashing algorithm

The project is using bcrypt, and it already has a healthy selection of options for algorithms.

It would be great to let the user select the one they would like to use through an ENV variable or similar.

A secure default should be used like AES256 for example. It might also be necessary to allow the user to inject algorithm specific configuration.

PASSWORD_RESET_URL is required but it shouldn't

The environment variable PASSWORD_RESET_URL is set as required, but by default we do not expect an SMTP server to be provided (we need email to send the password reset URL). We need to either:

  • Remove the required restriction from this ENV
    OR
  • Set it to required only if the SMTP server is provided

Add max number of tries for logins

  • Should be controlled by an env variable
    • Should default to 3
  • Should lock that user account for X time
    • Time controlled by env variable
    • Default to 2 minutes

Expose additional Nodemailer configurations

Extend env var configuration to allow other SMTP connection configurations:

  1. secure
  2. not secure but force STARTTLS to be used
  3. not secure and don't use STARTTLS

New .env variables setup:

  1. secure
     SMTP_SECURE=true
     SMTP_REQUIRE_TLS=false
     SMTP_IGNORE_TLS=false
  2. not secure but force STARTTLS to be used
     SMTP_SECURE=false
     SMTP_REQUIRE_TLS=true
     SMTP_IGNORE_TLS=false
  3. not secure and don't use STARTTLS
     SMTP_SECURE=false
     SMTP_REQUIRE_TLS=false
     SMTP_IGNORE_TLS=true

Feature Request: Structured Logging

Most projects these days will have their logs collected and analysed somewhere.

It would be great if we could get structured logging in json format in order to make analysis easier.

Feature request: add "middleware" to allow the developer to enrich the JWT payload

Scenario:
As a developer, I may wish to add more content to the JWT payload. This is a very common use case.

Suggestion:
If I as a developer could configure a web hook to be used before the JWT is returned, I could create a service to return the payload to be added to the JWT token (inside a payload property for example).

{
...
  payload: {
    // the returned object from my webhook
  }
}

Mitigate timing attack in authentication

When attempting to authenticate, if a user does not exist it will throw invalidCredentialsError, while when a user exists it takes much longer as the attempted password gets hashed and compared with the stored password. This allows an attacker to infer whether or not a given account exists based upon the response time of an authentication attempt.

A way to mitigate this is to run a hash of a dummy password that is guaranteed to fail.

Use node 14.x (LTS) in Dockerfile

Use node-slim instead of alpine to avoid some issues with binaries. We can iterate on this if performance is an issue at some point.

Environment service returning 'true' if ENVVAR is set to false

When setting a "boolean" env var to false (.env file or shell export), the Environment service will always return true.

Example: set the local .env file to
SMTP_SECURE=false

This code will always evaluate it to true (parsedField will always be true, regardless of the value you put):
https://github.com/GJordao/simple-auth/blob/master/src/services/Environment/Environment.ts#L82

There are some conditions in the cloud where you want to turn the functionality ON or OFF by changing the env var between true/false; at the moment you need to completely remove the env var from the setup to make it OFF!
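An added example (not simple-auth's own code) showing the class of bug reported above beside a parser that treats "false" as false, and then mapping the three SMTP modes from the "Expose additional Nodemailer configurations" issue onto Nodemailer's secure / requireTLS / ignoreTLS transport options. The exact parsing code in Environment.ts is not reproduced here; naiveBool is a constructed illustration of the truthy-string mistake.

```javascript
// Added example, not simple-auth's code.

// Constructed illustration of the bug: any non-empty string is truthy, so
// SMTP_SECURE=false still yields true.
const naiveBool = (raw) => Boolean(raw);

const TRUE_WORDS = new Set(["true", "1", "yes", "on"]);
const FALSE_WORDS = new Set(["false", "0", "no", "off"]);

// Returns `fallback` when the variable is unset or blank, a real boolean for
// recognised values, and throws for anything else rather than guessing.
function envBool(name, fallback, env = process.env) {
  const raw = env[name];
  if (raw === undefined || raw.trim() === "") return fallback;
  const v = raw.trim().toLowerCase();
  if (TRUE_WORDS.has(v)) return true;
  if (FALSE_WORDS.has(v)) return false;
  throw new Error(`${name}: expected true/false, got "${raw}"`);
}

// Builds Nodemailer SMTP transport options for the three modes in the issue:
//   secure:            SMTP_SECURE=true  (implicit TLS, normally port 465)
//   forced STARTTLS:   SMTP_SECURE=false SMTP_REQUIRE_TLS=true
//   no STARTTLS:       SMTP_SECURE=false SMTP_IGNORE_TLS=true
// Contradictory combinations are rejected instead of silently downgrading.
function smtpOptions(env = process.env) {
  const secure = envBool("SMTP_SECURE", false, env);
  const requireTLS = envBool("SMTP_REQUIRE_TLS", false, env);
  const ignoreTLS = envBool("SMTP_IGNORE_TLS", false, env);
  if (requireTLS && ignoreTLS) {
    throw new Error("SMTP_REQUIRE_TLS and SMTP_IGNORE_TLS are mutually exclusive");
  }
  if (secure && ignoreTLS) {
    throw new Error("SMTP_IGNORE_TLS has no meaning when SMTP_SECURE=true");
  }
  return { secure, requireTLS, ignoreTLS };
}
```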
