An authentication-as-a-service provider built with Express and PostgreSQL. This project aims to showcase my skills in backend development.
- /signup: sign up a new user or a new client
- /login: log in a user or a client
- /user: get the login options of a specified user
- /token: generate a temporary token for the login process
- /key: generate a new API key for the user
- Using postgresql as the database
- Using express as the server
- JSDoc for type inference
- ESLint for linting and code style
- Jest for unit testing
- Redis for token storage
/signup?type={user,client} supports two account types: user and client. A user is a person or organisation that consumes the product as a service. A client is someone who uses that user's service. For example, the user can be a company and the clients the company's own end users.
I implemented the user type first, since the flow starts with a user signing up. Signing up creates a new user. Passwords are stored as hashes rather than in plain text, and every password gets its own random salt before hashing, so identical passwords produce different hashes and precomputed rainbow tables are useless.
The login route returns a JWT that carries the user id; the other routes use this token for authentication. The token is signed with a secret key, so a token whose payload has been altered (for example to a different user id) fails verification instead of granting unauthorized access.
I added a middleware called verifyUser to check whether an incoming API request from a client is linked to a real user. A middleware fits because this check is needed on several client routes.
When a client wants to sign up or log in, the process must be initiated by a user. The user requests a temporary token from the server in order to initiate the client signup/login process. Token generation goes like this:
- The user requests a temporary token from the server
- The server generates a temporary token and stores it in Redis
- The server sends the temporary token to the user
- The user directs the client to the /login or /signup page with the temporary token as a query parameter
The login page then collects the client's login information and the temporary token from the query parameter, and the flow continues:
- The client sends the login information to the server
- The server verifies the token
- The server verifies (login) or creates (signup) the client's login information
- The server sends a JWT to the user's callback URL
The /key route lets a user generate or refresh their API key. The key is 16 random bytes encoded as a 32-character hex string, and the SDK uses it to authenticate the user. The API key is stored in the database.