Authentication server for Hasura that does the job 💪

• 🔐 Secure password hashing with Argon2.
• 👨‍💻 Codebase is written in 100% TypeScript.
• ✅ Optional checking for Pwned Passwords.
• 📈 Rate limiting is enabled for all API routes.
• 🎨 Fully customizable with sensible defaults.
• 🚀 Easy to setup, can be deployed anywhere.

You need Node.js installed on your machine.

$ git clone https://github.com/pnfcre/authway.git
$ cd authway

Install the required dependencies.

$ npm install

Start your Hasura instance with the following environment variables set:

HASURA_GRAPHQL_ADMIN_SECRET: a_very_secure_admin_secret_goes_here
HASURA_GRAPHQL_JWT_SECRET: '{"type": "HS256", "key": "a_very_secure_jwt_secret_goes_here"}'

Install the Hasura CLI to run migrations:

$ npm i -g hasura-cli
$ hasura init hasura --endpoint "<endpoint>" --admin-secret "<admin-secret>"
$ mv hasura/config.yaml . && rm -rf hasura && hasura migrate apply

Make sure to add user to the public.roles table through the Hasura Console.

Copy the .env.example file to .env:

$ cp .env.example .env && $EDITOR $_

Edit the file and start the server 🚀

$ npm i -g pm2
$ pm2 start npm --name "authway" -- start

You can apply the latest updates by running:

$ git pull origin
$ npm install
$ pm2 restart authway

To confirm that everything's working properly, run:

$ pm2 logs authway

Authway comes with an opt-in feature to check passwords against the HIBP API. These checks are only performed during registration and password recovery. The password is given in plain text, but only the first 5 characters of its SHA-1 hash will be submitted to the API. Enable the feature by setting HIBP_ENABLED to true in your .env file.

All fields are required. See this article for information on handling JWTs in the client.

Expects the following fields in the JSON body: email, password and username.

• email: Valid email address.
• password: String between 6-128 characters in length.
• username: Alpha-numeric string between 2-32 characters in length.

Returns 204 No Content if account is successfully created.

Expects the following field in the JSON body: secret_token.

• secret_token: Valid v4 UUID string.

Returns 204 No Content if account is successfully activated.

Expects the following fields in the JSON body: email and password.

• email: Valid email address.
• password: String between 6-128 characters in length.

Returns the following on successful login:

• httpOnly cookie named refresh_token.
• jwt_token and jwt_token_expiry in the JSON response.

Expects the following field in the JSON body: refresh_token.

• refresh_token: Valid v4 UUID string.

Returns the following on successful login:

• httpOnly cookie named refresh_token.
• jwt_token and jwt_token_expiry in the JSON response.

Expects the following fields in the JSON body: secret_token and password.

• secret_token: Valid v4 UUID string.
• password: String between 6-128 characters in length.

Returns 204 No Content if password is successfully changed.

• Confirmation emails
• Password recovery emails
• Two-factor authentication

Contributions, issues and feature requests are welcome!

Feel free to check the issues page.

Give a ⭐️ if this project helped you!

Copyright © Hampus Kraft.

This project is MIT licensed.

This project is inspired by Hasura Backend Plus.