A Connect middleware handling one-factor TOTP authentication.
One-factor TOTP authentication middleware for connect / express.
Barillet aims to be a super safe and secure authentication system, at the cost of being super-tedious for human users.
- Doesn't trust or rely on HTTPS
- Avoids sending sensitive data over the network (such as a password, a session ID, or even a username) that an attacker could replay
- Avoids human error by not using passwords
It's not:
- Meant for systems with a lot of users. Barillet recomputes every user's token on each authentication (see Security, Token Interception).
- Meant to provide sessions
- Meant to authenticate the server to the client (see Security, MITM)
- Meant to sign a request's body (see Security, MITM again)
```js
const barillet = require("barillet");
app.use(barillet(db));
```
Where db can be either a MongoDB URL, a mongo.Db instance (obtained via mongo.MongoClient.connect) or an object containing two mongo.Collection:
Strings that are not exactly 6 characters long or that are not integers throw 400-Bad Request.
If multiple users ever have the same token, Barillet will apologize by throwing a 500-Internal Error.
If an attacker sniffs and obtains a token, he won't be able to use it: tokens can only be used once. Therefore, even valid users need to wait at least 30 seconds between two authenticated actions.
Once a client's IP has failed to send a valid token, any further attempts from this IP throw a 429-Too Many Requests until the next time slice.
Barillet doesn't prevent man-in-the-middle attacks. It doesn't authenticate the server to the client. An attacker can pretend to be the server and use a captured token to send an altered request to your actual app, or respond with altered information.
This may be addressed with HTTPS, if you trust Certificate Authorities.