This project was created as an learning experiment by implementing Authentication, Authorization from the ground up. Includes Phone and TOTP based MFA, Email verification, Password reset, etc. in an API only environment. Curiosity on how authentication in modern applications work led me to build this.
Since this is purely for learning purposes, it is not recommended to use this in production. In production, a battle-tested library like Passport is recommended to be used.
- Login, Register, Logout
- Mongo DB based database
- Globally distributed session store using Cosmos DB and connect-cosmosdb store for express-session.
- Email Verification
- Reset Passwords
- Phone based MFA
- TOTP based MFA to be used with apps like Microsoft Authenticator, Google Authenticator, Authy etc.
- Encryption of sensitive data using AES-256-GCM. Secrets are securely stored in Azure Key Vault.
- CSRF protection, using HMAC generated tokens and double submit cookie pattern.
Todo
- Session and device management
- Email alerts for suspicious login activity
- OAuth and OpenID for Self, Google, Entra ID.
- Install dependencies
npm install- Duplicate the
.env.samplefile and change it to.env, and fill in all the values like the connection strings and secrets. For better management, will be moving all the values to Key Vault. - Create the necessary resources as below
- Mongo DB database - For storing the data
- Cosmos DB database - For storing the session data. You can disable the Cosmos db based session store, by removing the
storeoption in the express-session middleware configuration.
app.use( session({ ... //store, - commented out. ... }) );
- Azure KeyVault to store the secrets. Currently you would need two secrets
sessionKeyfor session key andprimaryKeywhich is used in encryption. - Twilio account to send SMS OTP
- SendGrid/Email SMTP account to send emails via nodemailer.
- Add the relevant values to the
.envfile. - Build the app:
npm run build- Start the app:
npm start