Authentication boilerplate for Node.js.
Originally inspired by Your Node.js authentication tutorial is (probably) wrong. Although its critique is on point, the article sadly doesn't offer any concrete solutions. This repo is my attempt to address those remarks in code. You can also find some of my research here.
- login, logout, and registration
- email verification (
"Confirm your email"
) - password reset (
"Forgot password"
) - password confirmation (
"Re-enter your password"
) - persistent login (
"Remember me"
) - account lockout (
"Too many failed login attempts"
) - rate limiting (
"Too many requests"
)
First, create a .env
file:
cd api
cp .env.example .env
Next, populate APP_SECRET
, which you can generate like so:
$ node
> require('crypto').randomBytes(32).toString('base64')
Make sure to also populate MAIL_*
variables. For example, you can sign up for a free service like Mailtrap or Ethereal. Using Ethereal you can even create an account right from your terminal:
$ node
> require('nodemailer').createTestAccount().then(console.log)
Finally, boot the server:
npm run dev
Tip: just read the first test in each file to follow the happy path. Other tests cover non-standard scenarios.
npm test
Method | URI | Middleware |
---|---|---|
POST | /register | guest |
POST | /login | |
POST | /logout | auth |
POST | /email/verify | |
POST | /email/resend | |
POST | /password/email | |
POST | /password/reset | |
POST | /password/confirm | auth |
Tip: run
echo '-w "\n"' >> ~/.curlrc
to auto-add a newline to response body.
# Auth
curl -d '{"email":"[email protected]","password":"test"}' -H 'Content-Type: application/json' \
localhost:3000/login
curl -X POST \
-b 'sid=s%3AT_Pkrw6AvSQ3LfOYC9q0EnE1uqWQhJbp.hTs%2BqXXHbFMn2dxgSKBWd%2F%2FEQ8xwnV3KKsA9IwVJ7nU' \
localhost:3000/logout
curl -d '{"email":"[email protected]","password":"test","name":"Alex"}' \
-H 'Content-Type: application/json' localhost:3000/register
# Email verification
curl -X POST \
'localhost:3000/email/verify?id=2&expires=1626766452957&signature=ddd8e0451ef93172b5345e0f7d1e8a5e85b69bca2b2aeed80a14848d0d2fb2df'
curl -d '{"email":"[email protected]"}' -H 'Content-Type: application/json' localhost:3000/email/resend
# Password recovery
curl -d '{"email":"[email protected]"}' -H 'Content-Type: application/json' localhost:3000/password/email
curl -d '{"password":"123456"}' -H 'Content-Type: application/json' \
'localhost:3000/password/reset?id=2&token=78f3065ed0b350b1ee1ea80162c2e2f4908fb5bc9d42c22e08202d2e79a0d180a59a86bf9885a002'
# Password confirmation
curl -d '{"password":"test"}' \
-b 'sid=s%3AT_Pkrw6AvSQ3LfOYC9q0EnE1uqWQhJbp.hTs%2BqXXHbFMn2dxgSKBWd%2F%2FEQ8xwnV3KKsA9IwVJ7nU' \
localhost:3000/password/confirm
I am not a security expert. There is only so much I know, so there are likely things I missed. If you see something that doesn't make sense, poses a vulnerability, or otherwise needs improvement, please feel free to open an issue or submit a PR. All contributions are welcome!