

Barillet connect middleware

One factor TOTP authentication middleware for connect / express.


Barillet aims to be a super safe and secure authentication system, at the cost of being super wearisome for human users.


  • Doesn't trust or rely on HTTPS
  • Avoids sending sensitive data over the net (like a password, a session ID, or even a username) that could be reused by an attacker
  • Avoids any human error by not using passwords

It's not:

  • Meant for systems with a lot of users. Barillet calculates each user's token at each authentication (see Security, Token Interception).
  • Meant to provide sessions
  • Meant to authenticate a server to the client (see Security, MITM)
  • Meant to sign a request's body (see Security, MITM again)


```js
var barillet = require("barillet")
```

Where DB can be either a mongodb URL, a mongo.Db instance (obtained via mongo.MongoClient.connect) or an object containing two mongo.Collection instances: users and bans.



Strings that are not exactly 6 characters long or that are not integers throw a 400-Bad Request.

Multiple users have the same token

If at any time multiple users have the same token, Barillet will apologize by throwing a 500-Internal Error, if that ever occurs.

Token interception

If an attacker sniffs and gets a token, he won't be able to use it. Tokens can only be used once. Therefore, even valid users need to wait a minimum of 30 seconds between two authenticated actions.

Bruteforce attacks

Once a client's IP has failed to send a valid token, any further attempt from this IP will throw a 429-Too Many Requests until the next time slice.

Man In The Middle attacks

Barillet doesn't prevent Man-in-the-Middle attacks. It doesn't authenticate the server toward the client. One can pretend to be the server and use a token to send an altered request to your actual app, or respond with altered information.

This can be done with HTTPS, if you trust Certificate Authorities.