    protonfile-auth
    1.6.4 • Public • Published

    protonfile-auth

    Authentication and authorization solution initially built for Protonfile but usable for any modern app. It was created as an Auth0 replacement for Protonfile.

    How does it work?

    protonfile-auth works with the traditional JWT access and refresh token model: refresh tokens are long-lived (currently hard-coded to 7 days), while access tokens are short-lived and new ones can be obtained with the refresh token.

    An Express middleware is exposed, which can be used to verify the user's access token before allowing them to access a resource.

    Refresh token versions are stored in the database, which enables token rotation. It also allows instant session revocation by the user, which in turn blocks any further access token issuance for that session.
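
    A sketch of the versioned refresh-token flow described above, added as an illustration and not taken from protonfile-auth's source. The in-memory `sessions` map stands in for the database; every function and claim name, the 15-minute access lifetime, and the choice to end a session when a stale refresh token is replayed are assumptions.

```javascript
// Added illustration, not protonfile-auth's code; all names are hypothetical.
const crypto = require('node:crypto');
const SECRET = crypto.randomBytes(32);   // demo signing key
const REFRESH_TTL = 7 * 24 * 3600;       // 7 days, as the README states
const ACCESS_TTL = 15 * 60;              // assumed value for this sketch
const sessions = new Map();              // stand-in for the DB: sid -> { userId, version }

const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const mac = (data) => crypto.createHmac('sha256', SECRET).update(data).digest('base64url');

// Minimal HS256 JWT: header.payload.signature (times are Unix seconds)
function sign(claims, ttl, now) {
  const body = b64({ alg: 'HS256', typ: 'JWT' }) + '.' + b64({ ...claims, exp: now + ttl });
  return body + '.' + mac(body);
}

function verify(token, now) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const expected = Buffer.from(mac(parts[0] + '.' + parts[1]));
  const given = Buffer.from(parts[2]);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  const claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
  return claims.exp > now ? claims : null;
}

function login(userId, now) {
  const sid = crypto.randomUUID();
  sessions.set(sid, { userId, version: 1 });
  return sign({ use: 'refresh', sid, ver: 1 }, REFRESH_TTL, now);
}

// Exchange a refresh token for a new access token and a rotated refresh token.
function refresh(refreshToken, now) {
  const c = verify(refreshToken, now);
  const session = c && c.use === 'refresh' ? sessions.get(c.sid) : undefined;
  if (!session) return null;             // bad token, or session revoked
  if (c.ver !== session.version) {       // stale version: this token was already rotated
    sessions.delete(c.sid);              // assumption: treat replay as theft, end the session
    return null;
  }
  session.version += 1;                  // rotation: the presented token is now dead
  return {
    access: sign({ use: 'access', sub: session.userId, sid: c.sid }, ACCESS_TTL, now),
    refresh: sign({ use: 'refresh', sid: c.sid, ver: session.version }, REFRESH_TTL, now),
  };
}

const revoke = (sid) => sessions.delete(sid);   // user-initiated session revocation
```

    In this sketch `revoke()` stops new tokens from being issued, but an access token that was already issued keeps verifying until its `exp` passes. A resource middleware would also have to look up the session to close that window.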

    Disadvantages

    protonfile-auth is by no means a perfect authentication solution; there are some known issues. This module was built to have complete control over the authentication process, but it surely can't compete with solutions like OAuth. If you are building a professional application, you should use better-tested solutions than this.

    • JWT is not advised as a session token because it's self-contained, with no central authority that can invalidate it. This is solved in protonfile-auth by saving those tokens in a database and removing them once a session has expired.
    • Session/access token clutter: some bad decisions during development introduced the session tokens. Sessions are a nice way of knowing on which devices a user is authenticated, but that can be solved without having 2 tokens.

    Install

    npm i protonfile-auth

    Weekly Downloads

    33

    Version

    1.6.4

    License

    ISC

    Unpacked Size

    77.6 kB

    Total Files

    50

    Last publish

    Collaborators

    • jmax45