protonfile-auth

Authentication and authorization solution initially built for Protonfile but usable for any modern app. It was created as an Auth0 replacement for Protonfile.

How does it work?

protonfile-auth works with the traditional JWT access and refresh token model, refresh tokens are long-lived (currently hard-coded to 7 days) and access tokens are short-lived and new ones can be obtained with the refresh token.

An Express middleware is exposed, which can be used to verify the users' access token before allowing them to access a resource.

Refresh token versions are stored in the database, which enables token rotation. It also allows for an instant session revocation by the user, which in turn blocks any access token issuing for that session.

Disadvantages

protonfile-auth is in no means a perfect authentication solution, there are some known issues. This module was built to have a complete control over the authentication process but it surely can't compete with solutions like OAuth. If you are building a professional application you should use more tested solutions than this.

• JWT is not advised as a session token because it's self contained with no central autority that can invalidate it. This is solved in protonfile-auth by saving those tokens in a database and removing them once a session is expired.
• Session/access token clutter: there were some bad decisions during the developement which introduced the session tokens. Sessions are a nice way of knowing on which devices a user is authenticated, but it can be solved without having 2 tokens.