ohadr / authentication-flows-js Goto Github PK

authentication-flows-js is a powerful and highly customizable framework that covers all flows that any express-based authentication-server needs.

TypeScript 100.00%

authentication-flows-js's People

Contributors

Stargazers

Watchers

Forkers

eskiell agarciagaray

authentication-flows-js's Issues

forgot password: ensure that Even if we don’t find an email address, we return 'ok' as our status.

ensure that Even if we don’t find an email address, we return 'ok' as our status.
We don’t want untoward bots figuring out what emails are real vs not real in our database.

refactor setAuthority( string ) ==> setAuthorities( string[] )

prevent attackers from using my password reset mechanism to email bomb people?

according to https://stackoverflow.com/questions/67290297/how-to-prevent-attackers-from-using-my-password-reset-mechanism-to-email-bomb-pe

My web app has a pretty standard feature that allows a user who forgot their password to reset it by sending themselves a password reset email with a link to the page to create a new password.

I'm concerned that person1 could use this page to harass person2 by claiming to need a password reset email, but giving the email address of person2, and automate this with a bot, sending massive numbers of emails to person2. It wouldn't reveal any secrets, but it could be very annoying, even a DoS on their inbox, and my application would get the blame.

logs

rather than "debug()", use a good logger (e.g. log4js)

prefer passing configuration in the config-object, rather than using env-vars

the hosting app needs to "guess" which env-vars it should define. it is more clear to pass all relevant configuration in the .config() method. for example, the details of the email-server:

process.env.emailSender
process.env.smtpServer
process.env.smtpPort
 process.env.emailServerUser
process.env.emailServerPass

use `log4js-api`

better use use log4js-api, and let the user-app to configure the logger:
https://github.com/log4js-node/log4js-api

change activate URL to /aa/<linkCode>

change activate URL to /aa/ instead of /aa?uts=

check link expiration and throw LINK_HAS_EXPIRED

implement isPasswordChangeRequired()

after failed-authentication, redirect properly back to login page. currently there is "Unauthorized. Redirecting to /login"

[reveiled by automation] authentication failure - do not "redirect", but "render" instead, so can send 401 and message

[iot-management-console usecase] do not send activation email upon account-creation, so only "owner" can approve new users

the subject of the email - allow it to contain the hosting-application's name

enable customized CreateAccountInterceptor

add in-mem impl (rather than have a seperate package for it)

since in-mem is lightweight impl and requires no dependencies, it is better to be here in the main package rather than in a seperate package (OhadR/authentication-flows-js-inmem)

[iot-management-console usecase] [rollback #11]: DO send activation email upon account-creation, but enforce authorization

related to #11

upon successful authentication, use MaxPasswordEntryAttempts, and not hard coded

use policyRepo.getDefaultAuthenticationPolicy().getMaxPasswordEntryAttempts(), rather hard-coded '5'

when error upon sending email (e.g. mail not configured) do not throw error, only log

when error upon sending email (e.g. mail not configured) do not throw error, only log
because if i throw error, so for example in account-lock scenario, the user do not see the lock page because in the code the LOCK_ERROR is never thrown but instead there is the error because of the email.
so log the error to the logger, but do not throw.