Auth-Core is a unified authentication middleware for Node.js applications, supporting JWT-based authentication, session-based authentication, and OAuth 2.0 authentication. This package simplifies authentication management by providing middleware functions that handle authentication flows seamlessly.
- JWT Authentication with optional token blacklisting and logout
- Session-based Authentication with multiple sessions per user
- OAuth 2.0 Authentication (Google, GitHub, and custom providers)
- Two-Factor Authentication (2FA) integrated with JWT and session-based authentication
- User Service Integration
- Customizable Password Checker
- Role & Permission-Based Access Control
npm install @flycatch/auth-coreconst express = require("express");
const { config, verify } = require("@flycatch/auth-core");
const bcrypt = require("bcrypt");
const app = express();
const userRepository = {
async find(email) {
return {
id: "123",
email,
username: "exampleUser",
grants: ["read_user"],
is2faEnabled: false,
};
},
};
app.use(
config({
jwt: {
enabled: true,
secret: "my_jwt_secret",
expiresIn: "1h",
refresh: true,
prefix: "/auth/jwt",
tokenBlacklist: {
enabled: false, // Set to true for server-side logout
},
},
session: {
enabled: false,
prefix: "/auth/session",
secret: "my_session_secret",
resave: false,
saveUninitialized: true,
cookie: { secure: false, maxAge: 60000 },
},
oauth2: {
enabled: true,
baseURL: "http://localhost:3000",
prefix: "/auth",
successRedirect: "http://localhost:3000/oauth-success",
failureRedirect: "http://localhost:3000/oauth-failure",
defaultRole: "ROLE_USER",
onSuccess(info)=>{
const {profile, existingUser,} =info;
if(existingUser){
return existingUser;
}
// Logic to create new user
reateUser(profile)
},
onfailure(info)=>{
// Logic to be executed onFailure
},
providers: {
google: {
clientID: "GOOGLE_CLIENT_ID",
clientSecret: "GOOGLE_CLIENT_SECRET",
callbackURL: "/auth/google/callback",
scope: ["profile", "email"],
},
},
},
twoFA: {
enabled: false,
prefix: "/auth/2fa",
otpLength: 6,
otpExpiresIn: "5m",
storeOtp: async (userId, otp, expiresInMs) => {
// Implement OTP storage logic
console.log(
`Storing OTP ${otp} for user ${userId}, expires in ${expiresInMs}ms`
);
},
getStoredOtp: async (userId) => {
// Implement OTP retrieval logic
return null;
},
},
userService: {
loadUser: async (email) => userRepository.find(email),
createUser: async (profile) => {
return {
id: "new-user-id",
email: profile.email,
username: profile.username,
grants: [profile.defaultRole || "ROLE_USER"],
};
},
},
passwordChecker: async (inputPassword, storedPassword) =>
bcrypt.compare(inputPassword, storedPassword),
logs: true,
})
);
// Protected Route
app.get("/user", verify(), (req, res) => {
res.json({ message: "Access granted", user: req.user });
});
// Protected Route with specific permission
app.get("/admin", verify("admin"), (req, res) => {
res.json({ message: "Admin access granted", user: req.user });
});
app.listen(3000, () => {
console.log("Server running on http://localhost:3000");
});jwt: {
enabled: true,
secret: "my_jwt_secret",
expiresIn: "1h",
refresh: true,
refreshExpiresIn: "7d",
prefix: "/auth/jwt",
revokeOnRefresh: true,
tokenBlacklist: {
enabled: false,
storageService: {
add: async (token, expiresAt) => { /* Custom add logic */ },
has: async (token) => { /* Custom check logic */ },
remove: async (token) => { /* Custom remove logic */ },
clear: async () => { /* Custom clear logic */ },
},
onLogoutAll: async (userId) => { /* Custom logout all logic */ },
}
}- enabled: Enables or disables JWT authentication.
- secret: The secret key used to sign JWT tokens.
- expiresIn: Access token expiration time.
- refresh: Enables refresh token support.
- refreshExpiresIn: Refresh token expiration time.
- prefix: The route prefix for JWT authentication endpoints.
- tokenBlacklist: Optional token blacklisting for secure logout.
- enabled: Enables server-side token blacklisting.
- storageService: Custom storage for blacklisted tokens.
- onLogoutAll: Callback for custom cleanup on logout-all.
session: {
enabled: true,
prefix: "/auth/session",
secret: "my_session_secret",
resave: false,
saveUninitialized: false,
cookie: {
secure: false,
maxAge: 24 * 60 * 60 * 1000 // 24 hours
}
}- enabled: Enables session-based authentication.
- prefix: Route prefix for session authentication endpoints.
- secret: Session secret key.
- resave/saveUninitialized: Express session options.
- cookie: Session cookie configuration.
Note: Session authentication supports multiple concurrent sessions per user. Each login creates a new independent session.
oauth2: {
enabled: true,
baseURL: "http://localhost:3000",
prefix: "/auth",
successRedirect: "http://localhost:3000/oauth-success",
failureRedirect: "http://localhost:3000/oauth-failure",
onSuccess(info)=>{
const {profile, existingUser,} =info;
if(existingUser){
return existingUser;
}
// Logic to create new user
createUser(profile)
},
onfailure(info)=>{
// Logic to be executed onFailure
}
defaultRole: "ROLE_USER",
setRefreshCookie: true,
appendTokensInRedirect: false,
providers: {
google: {
clientID: "GOOGLE_CLIENT_ID",
clientSecret: "GOOGLE_CLIENT_SECRET",
callbackURL: "/auth/google/callback",
scope: ["profile", "email"],
},
github: {
clientID: "GITHUB_CLIENT_ID",
clientSecret: "GITHUB_CLIENT_SECRET",
callbackURL: "/auth/github/callback",
},
},
}- enabled: Enables OAuth 2.0 authentication.
- baseURL: Base URL for callback redirects.
- prefix: Route prefix for OAuth authentication endpoints.
- successRedirect: URL to redirect after successful OAuth authentication.
- failureRedirect: URL to redirect after failed OAuth authentication.
- onSuccess: Callback executed on successful OAuth2 authentication, This is where user registration/creation logic should be implemented
- onFailure: Callback executed on OAuth2 authentication failure
- defaultRole: Default role assigned to new users.
- providers: Supported providers (e.g., Google, GitHub).
twoFA: {
enabled: true,
otpLength: 6,
otpType: "numeric",
otpExpiresIn: "5m",
transport: async (otp, user) => {
console.log(`Send OTP ${otp} to ${user.email}`);
},
storeOtp: async (userId, otp, expiresInMs) => {
// Implement OTP storage
},
getStoredOtp: async (userId) => {
// Implement OTP retrieval
return null;
},
clearOtp: async (userId) => {
// Implement OTP cleanup
},
}- enabled: Enables 2FA for JWT or session-based authentication.
- otpLength: Length of the OTP.
- otpType: Type of OTP (numeric or alphanumeric).
- otpExpiresIn: OTP expiration time.
- transport: Function to send OTP to the user.
- storeOtp: Function to store OTP securely.
- getStoredOtp: Function to retrieve stored OTP.
- clearOtp: Optional function to clear OTP after verification.
userService: {
loadUser: async (email) => userRepository.find(email),
createUser: async (profile) => {
// Create new user during OAuth flow
return {
id: "new-user-id",
email: profile.email,
username: profile.username,
grants: [profile.defaultRole || "ROLE_USER"],
};
},
}- loadUser: Load user by email (required).
- createUser: Create new user during OAuth auto-provisioning (required for OAuth).
passwordChecker: async (inputPassword, storedPassword) =>
bcrypt.compare(inputPassword, storedPassword);All endpoints use the configured prefix. Default prefixes shown below:
- POST
/auth/jwt/login- Initiate user login (sends OTP if 2FA enabled, else returns tokens) - POST
/auth/jwt/verify- Verify OTP for 2FA and return tokens - POST
/auth/jwt/refresh- Refresh access token - POST
/auth/jwt/logout- Logout (simple or with blacklisting) - POST
/auth/jwt/logout-all- Logout all sessions (requires blacklisting enabled)
- POST
/auth/session/login- Initiate user login (sends OTP if 2FA enabled, else creates session) - POST
/auth/session/verify- Verify OTP for 2FA and create session - POST
/auth/session/logout- Logout current session
- GET
/auth/{provider}- Initiate OAuth login - GET
/auth/{provider}/callback- OAuth callback - GET
/auth/error- OAuth error redirect - POST
/auth/token- to get token from temporary code
- Integrated with JWT and session authentication flows.
- If enabled,
/loginendpoints trigger OTP generation and transport. - Use
/verifyendpoints to validate OTP and complete login.
- User sends login request to
/auth/jwt/login. - If 2FA is enabled, server sends OTP and user submits it to
/auth/jwt/verify. - On successful verification (or directly if 2FA is disabled), server returns JWT tokens (access + refresh if enabled).
- Client includes token in
Authorization: Bearer <token>header. - Middleware verifies token and grants access.
- Optional: Token blacklisting for secure server-side logout.
- User sends login request to
/auth/session/login. - If 2FA is enabled, server sends OTP and user submits it to
/auth/session/verify. - On successful verification (or directly if 2FA is disabled), server creates a new session.
- Session cookie is automatically sent with requests.
- Middleware validates session and grants access.
- Supports multiple concurrent sessions per user.
- User initiates OAuth flow with provider via
/auth/{provider}. - After successful authentication, provider redirects to
/auth/{provider}/callback. - Server processes authentication and auto-creates user if add any logic onSuccess.
- Server redirects to success URL with tokens as cookies.
- Subsequent requests use JWT or session authentication.
- After successful provider authentication, the temporary code will be set as a query parameter on the redirect URL.
- Frontend can then trigger
{prefix}/tokenwith aPOSTrequest and payload:
{
"code": "code-from-redirect-url"
}- Simple Logout (default): Client removes tokens, server logs event.
- Advanced Logout (with blacklisting): Server invalidates tokens.
- Logout All: Invalidates all tokens for a user (requires blacklisting).
- Destroys current session only.
- Other sessions remain active (multi-session support).
// Protect any route
app.get("/protected", verify(), (req, res) => {
res.json({ user: req.user });
});
// Require specific permission
app.get("/admin", verify("admin_access"), (req, res) => {
res.json({ message: "Admin only" });
});Contributions are welcome! Please fork the repository and submit a pull request with your improvements.
This project is licensed under the GPL-3.0 License.