One factor TOTP authentication middleware for connect / express.
Barillet aims to be a very safe and secure authentication system, at the cost of being very tiring for human users.
It's not:
```javascript
var barillet = require("barillet");
// db: a mongodb URL, a mongo.Db instance, or an object holding two mongo.Collection
app.use(barillet(db));
```
Where `db` can be either a mongodb URL, a mongo.Db instance (obtained via mongo.MongoClient.connect) or an object containing two mongo.Collection:
Strings that are not exactly 6 characters long, or that are not integers, throw a 400 Bad Request.
If multiple users ever have the same token, Barillet apologizes by throwing a 500 Internal Error.
If an attacker sniffs and gets a token, he won't be able to use it: tokens can only be used once. Therefore, even valid users need to wait at least 30 seconds between two authenticated actions.
Once a client's IP has failed to send a valid token, any further attempts from this IP throw a 429 Too Many Requests until the next time slice.
Barillet doesn't prevent Man-in-the-Middle attacks. It doesn't authenticate the server toward the client. One can pretend to be the server and use a captured token to send an altered request to your actual app, or respond with altered information.
This can be addressed with HTTPS, if you do trust Certificate Authorities.