gjordao / simple-auth
An authentication service that aims to be simple and customisable
License: MIT License
I would like to request support for JWT token type auth.
This is a very common auth standard, and would greatly increase compatibility with other technologies.
What do you think?
It would be fantastic if simple-auth would support using OAuth compatible services in order to make it easy to plug into other auth systems that support it.
It would be really great to have an activity log that persisted to a database.
The project is using bcrypt, and it already has a healthy selection of options for algorithms.
It would be great to let the user select the one they would like to use through an ENV variable or similar.
A secure default should be used like AES256 for example. It might also be necessary to allow the user to inject algorithm specific configuration.
...that disables access to the application.
The environment variable PASSWORD_RESET_URL is set as required, but by default we do not expect an SMTP server to be provided (we need email to send the password reset URL). We need to either:
Extend env var configuration to allow other SMTP connection configurations:

SMTP_SECURE=true
SMTP_REQUIRE_TLS=false
SMTP_IGNORE_TLS=false

SMTP_SECURE=false
SMTP_REQUIRE_TLS=true
SMTP_IGNORE_TLS=false

SMTP_SECURE=false
SMTP_REQUIRE_TLS=false
SMTP_IGNORE_TLS=true
Most projects these days will have their logs collected and analysed somewhere.
It would be great if we could get structured logging in json format in order to make analysis easier.
The title says it all: mobile or email, and even magic link (https://en.wikipedia.org/wiki/One-time_password).
Scenario:
As a developer, I may wish to add more content to the JWT payload. This is a very common use case.
Suggestion:
If I as a developer could configure a web hook to be used before the JWT is returned, I could create a service to return the payload to be added to the JWT token (inside a payload property, for example).

{
  ...
  payload: {
    // the returned object from my webhook
  }
}
When attempting to authenticate, if a user does not exist then it will throw invalidCredentialsError, while when a user exists it takes much longer as the attempted password gets hashed and compared with the stored password. This allows an attacker to infer whether or not a given account exists based upon the response time of an authentication attempt.
A way to mitigate this is to run a hash of a dummy password that is guaranteed to fail.
Use node-slim instead of alpine to avoid some issues with binaries. We can iterate on this if performance is an issue at some point
When setting a "boolean" env var to false (.env file or shell export), the Environment service will always return true.
Example: set the local .env file to
SMTP_SECURE=false
This code will always evaluate it to true (parsedField will always be true, regardless of the value you put):
https://github.com/GJordao/simple-auth/blob/master/src/services/Environment/Environment.ts#L82
There are some conditions in the cloud where you want to turn the functionality ON or OFF by changing the env var between true/false; at the moment you need to completely remove the env var from the setup to make it OFF!
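An added example, not simple-auth's code, of a boolean env var parser that handles the report above and the SMTP_SECURE / SMTP_REQUIRE_TLS / SMTP_IGNORE_TLS combinations listed earlier. `naiveBool` shows the usual cause of this class of bug (coercing the raw string with `Boolean()`, which is true for any non-empty string including `"false"`); whether that is what the linked line does is not shown on this page, so it is an illustration. `parseBooleanEnv` and `smtpOptionsFromEnv` are hypothetical helper names.

```javascript
'use strict';
// Added example, not simple-auth's code. naiveBool illustrates the bug class;
// parseBooleanEnv and smtpOptionsFromEnv are hypothetical helpers.

const TRUE_VALUES = new Set(['true', '1', 'yes', 'on']);
const FALSE_VALUES = new Set(['false', '0', 'no', 'off']);

// The usual bug: Boolean("false") is true because the string is non-empty.
function naiveBool(raw) {
  return raw === undefined ? false : Boolean(raw);
}

// Strict parser: recognised spellings only, a default when the variable is
// unset or blank, and a hard error for anything else so a typo such as
// SMTP_SECURE=fasle cannot silently enable or disable a security setting.
function parseBooleanEnv(env, name, defaultValue = false) {
  const raw = env[name];
  if (raw === undefined || raw.trim() === '') return defaultValue;
  const value = raw.trim().toLowerCase();
  if (TRUE_VALUES.has(value)) return true;
  if (FALSE_VALUES.has(value)) return false;
  throw new Error(`environment variable ${name} must be a boolean, got "${raw}"`);
}

// Builds the three SMTP transport flags from the env var names used above.
// All default to false, so omitting a variable turns the option OFF rather
// than requiring it to be deleted from the deployment.
function smtpOptionsFromEnv(env) {
  return {
    secure: parseBooleanEnv(env, 'SMTP_SECURE', false),
    requireTLS: parseBooleanEnv(env, 'SMTP_REQUIRE_TLS', false),
    ignoreTLS: parseBooleanEnv(env, 'SMTP_IGNORE_TLS', false),
  };
}

module.exports = { naiveBool, parseBooleanEnv, smtpOptionsFromEnv };
```

Calling `smtpOptionsFromEnv(process.env)` at startup, before any transport is created, turns a bad value into a crash at boot rather than a mailer that silently skips TLS.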