This package has been deprecated

Author message:

express-virgil-passwordless ain't cool anymore

express-virgil-passwordless

1.0.1 • Public • Published

Passwordless auth for node applications

This module provides simple passwordless auth middleware for Express. It uses the Virgil Public Keys service to look up a user's public key and is backed by virgil-passwordless.

Installation

npm install express-virgil-passwordless

Usage

express-virgil-passwordless reads its parameters from req.body, so a request body parsing middleware (body-parser in the example) must be applied before it:

var app = require('express')();
var bodyParser = require('body-parser');
var session = require('express-session');
var virgilPasswordless = require('express-virgil-passwordless');
 
app.use(session({ secret: 'secret token' }));
app.use(bodyParser.json());
 
app.post('/auth', virgilPasswordless({
    app_token: '091v3j913kv192kcqwce',
    success: function onSuccess (req, res, next) {
        req.session.is_authorized = true;
        res.end();
    },
    error: function onError (err, req, res, next) {
        res.status(400).json(err);
    }
}));

Client-side auth flow

  1. Client sends email to the server's auth endpoint (in this example /auth)

Request:

POST /auth
{
    "email": "user-email@example.com"
}
  • Server finds user's public key at Virgil Public Keys service
  • Server encrypts random token with user's public key
  • Server sends encrypted token back to the user

Response:

{
    "public_key_id": "1c2j83-c312c3-qwcec2-cercwer",
    "encrypted_token": "BASE64 encoded encrypted token"
}
  2. Client decrypts the token with the corresponding private key and sends it back to the server

Request:

{
    "email": "user-email@example.com",
    "decrypted_token": "decrypted token string"
}
  • Server verifies that the decrypted token is the one issued for the given email
  • If the token is valid, the server creates the user session
  • If the token isn't valid, the server responds with an error

Response:

Custom response sent by the `success` callback

How does passwordless auth work

If the client already has keys registered in the Virgil Public Keys service

  1. User enters an email address into the login form
  2. Client sends the email address to the web app's auth endpoint
  3. Web app finds the public key at the Virgil Public Keys service, using the given email as the search criterion
  4. Web app generates a random token, encrypts it with the client's public key and sends it back to the client
  5. Client decrypts the token and sends it back to the web app
  6. Web app matches the decrypted token with its original value and calls the session initiation callback if everything is ok

If the client doesn't have keys registered in the Virgil Public Keys service

  1. User enters an email address into the login form
  2. Client generates a key pair and registers the public key at the Virgil Public Keys service under the given email
  3. User enters the confirmation code received by email
  4. Client sends the confirmation to the Virgil Public Keys service
  5. Client sends the email address to the web app's auth endpoint
  6. Web app finds the public key at the Virgil Public Keys service, using the given email as the search criterion
  7. Web app generates a random token, encrypts it with the client's public key and sends it back to the client
  8. Client decrypts the token and sends it back to the web app
  9. Web app matches the decrypted token with its original value and calls the session initiation callback if everything is ok

Custom store for tokens

It's possible to specify a custom store for the issued tokens:

app.use(virgilPasswordless({
    // ...
    store: customStore
}));

The store must implement a node-style callback interface with get, set and unset methods. Example implementation:

var store = {
    cache: {},
    get: function get (key, cb) {
        // read through `this`, like set and unset do; a bare `cache` is undefined here
        cb(null, this.cache[key]);
    },
    set: function set (key, value, cb) {
        this.cache[key] = value;
        cb(null);
    },
    unset: function unset (key, cb) {
        delete this.cache[key];
        cb(null);
    }
};

Token expire time

Specify the token expiration time in milliseconds:

app.use(virgilPasswordless({
    // ...
    expireTimeout: 60000
}));

Error handling

For error details, see virgil-passwordless.

License

BSD 3-Clause. See LICENSE for details.

Contacts

Email: support@virgilsecurity.com

Collaborators

  • rstp
  • ddain
  • mbalyaba