A robust, scalable, and secure authentication service built with NestJS, Drizzle ORM, and Passport.js. This headless service provides a complete authentication and authorization solution that can be easily integrated with any frontend compatible with JWT.
- User authentication (username/email and password)
- JWT-based authentication
- Refresh token functionality
- Multi-Factor Authentication (MFA) support
- Password reset functionality
- Email verification
- User session tracking
- IP tracking for login history
- Role-Based Access Control (RBAC)
- Admin module for user management
- Token blacklisting for security
- Microservice-ready for easy integration with other APIs
Built with:
- NestJS - A progressive Node.js framework for building efficient and scalable server-side applications.
- Drizzle ORM - A lightweight and performant TypeScript ORM.
- Passport - Simple, unobtrusive authentication for Node.js.
- PostgreSQL - Open source object-relational database system.
Prerequisites:
- Node.js (v14 or later)
- PostgreSQL
- npm or yarn
- Clone the repository:
```bash
git clone https://github.com/yourusername/headless-auth-service.git
cd headless-auth-service
```
- Install dependencies:
```bash
yarn install
```
- Set up environment variables. Create a `.env` file in the root directory and add the following variables:
```env
DATABASE_URL=postgresql://username:password@localhost:5432/your_database
JWT_SECRET=your_jwt_secret
REFRESH_TOKEN_SECRET=your_refresh_token_secret
JWT_EXPIRATION=2h
JWT_REFRESH_EXPIRATION=7d
VERIFICATION_TOKEN_EXPIRATION=24h
PASSWORD_RESET_TOKEN_EXPIRATION=1h
SALT_ROUNDS=10
EMAIL_VERIFICATION_URL=http://localhost:3000/verify-email
RESET_PASSWORD_URL=http://localhost:3000/reset-password
FROM_EMAIL=noreply@youremail.com
MFA_APP_NAME=YourAuthApp
```
The values above are placeholders. Before running anything beyond a local experiment, set JWT_SECRET and REFRESH_TOKEN_SECRET to long, randomly generated values that differ from each other (a guessable JWT_SECRET lets anyone mint valid access tokens), and keep the `.env` file out of version control.
- Start the application:
```bash
yarn start:dev
```
Authentication:
- POST /auth/register - Register a new user
- POST /auth/login - Authenticate a user
- POST /auth/refresh - Refresh access token
- POST /auth/logout - Logout (blacklist token)
- POST /auth/request-password-reset - Request password reset
- POST /auth/reset-password - Reset password
- POST /auth/verify-email - Verify email address - WIP
- POST /auth/enable-mfa - Enable MFA for a user
- POST /auth/verify-mfa - Verify and complete MFA setup
- POST /auth/disable-mfa - Disable MFA for a user
Users:
- GET /users/profile - Get user profile
- PUT /users/profile - Update user profile
- GET /users/sessions - Get user sessions
Admin:
- GET /admin/users - Get all users
- POST /admin/users - Create a new user
- GET /admin/users/:id - Get a user
- PUT /admin/users/:id - Update a user
- DELETE /admin/users/:id - Delete a user - WIP
- PUT /admin/users/:id/reset-password - Reset user's password
- PUT /admin/users/:id/disable-mfa - Disable MFA for a user
- GET /admin/users/:id/mfa-status - Get MFA status for a user
- GET /admin/users/:id/roles - Get roles for a user - WIP
- PUT /admin/users/:id/roles - Update roles for a user - WIP
- POST /admin/users/:id/roles/:roleId - Add a role to a user
- DELETE /admin/users/:id/roles/:roleId - Remove a role from a user
- GET /admin/users/:id/permissions - Get permissions for a user - WIP
- POST /admin/users/:id/permissions/:permissionId - Add a permission to a user
- DELETE /admin/users/:id/permissions/:permissionId - Remove a permission from a user
- GET /admin/sessions - Get all sessions (all currently logged-in users) - WIP
- GET /admin/roles - Get all roles - WIP
- POST /admin/roles - Create a new role
- GET /admin/roles/:id - Get a role - WIP
- PUT /admin/roles/:id - Update a role - WIP
- DELETE /admin/roles/:id - Delete a role - WIP
- GET /admin/permissions - Get all permissions - WIP
- POST /admin/permissions - Create a new permission
- GET /admin/permissions/:id - Get a permission - WIP
- PUT /admin/permissions/:id - Update a permission - WIP
Endpoints marked WIP are not finished yet; do not expose them in a deployment until they are.
- Passwords are hashed using bcrypt (cost factor from SALT_ROUNDS)
- JWT tokens for stateless authentication
- Refresh token rotation
- Multi-Factor Authentication using TOTP
- IP tracking and suspicious activity monitoring
- Token blacklisting for logout and security purposes
Note that blacklisting reintroduces state: a logged-out access token is only rejected by services that consult the blacklist, and is otherwise valid until it expires. Keep JWT_EXPIRATION short and make every service that accepts these tokens check the blacklist.
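The "refresh token rotation" bullet above, worked through as an added example that is not the project's own code. It uses opaque random refresh tokens stored only as SHA-256 hashes, and goes one step beyond the page by grouping every token descended from one login into a "family" so that replay of an already-rotated token revokes the whole family; the family concept, the `RefreshTokenStore` class and its method names are assumptions for illustration.

```typescript
import { createHash, randomBytes } from "node:crypto";

interface RefreshRecord {
  userId: string;
  family: string;    // shared by every token descended from one login (assumed design)
  expiresAt: number; // epoch milliseconds
  rotated: boolean;  // set once this token has been exchanged for a new one
}

export class RefreshTokenStore {
  // Keyed by sha256(token): a leaked table does not yield usable tokens.
  private records = new Map<string, RefreshRecord>();
  private revokedFamilies = new Set<string>();

  constructor(private ttlMs: number, private now: () => number = Date.now) {}

  private hash(token: string): string {
    return createHash("sha256").update(token).digest("hex");
  }

  private mint(userId: string, family: string): string {
    const token = randomBytes(32).toString("base64url");
    this.records.set(this.hash(token), {
      userId, family, expiresAt: this.now() + this.ttlMs, rotated: false,
    });
    return token;
  }

  /** At login: start a fresh family and hand out its first refresh token. */
  issue(userId: string): string {
    return this.mint(userId, randomBytes(16).toString("hex"));
  }

  /**
   * POST /auth/refresh: exchange a refresh token for a new one.
   * Returns null for unknown, expired, or family-revoked tokens. A token that
   * was already rotated is treated as stolen-and-replayed: its whole family dies.
   */
  rotate(token: string): { userId: string; refreshToken: string } | null {
    const rec = this.records.get(this.hash(token));
    if (!rec) return null;
    if (this.revokedFamilies.has(rec.family)) return null;
    if (rec.expiresAt <= this.now()) return null;
    if (rec.rotated) {
      this.revokedFamilies.add(rec.family);
      return null;
    }
    rec.rotated = true;
    return { userId: rec.userId, refreshToken: this.mint(rec.userId, rec.family) };
  }

  /** POST /auth/logout: revoke the presented token together with its family. */
  logout(token: string): boolean {
    const rec = this.records.get(this.hash(token));
    if (!rec) return false;
    this.revokedFamilies.add(rec.family);
    return true;
  }
}

/** Constructed walk-through with a fixed clock: normal refresh, then a replay. */
export function rotationDemo(): string[] {
  const clock = 1_700_000_000_000;
  const store = new RefreshTokenStore(7 * 24 * 3600 * 1000, () => clock);
  const t1 = store.issue("user-1");
  const r1 = store.rotate(t1);                       // legitimate refresh
  const replay = store.rotate(t1);                   // t1 presented again
  const r2 = r1 ? store.rotate(r1.refreshToken) : null; // descendant is dead too
  return [
    r1 ? "rotate:ok" : "rotate:fail",
    replay ? "replay:accepted" : "replay:rejected",
    r2 ? "after-replay:ok" : "after-replay:revoked",
  ];
}
```

The reuse check is the point of rotation: without it, a refresh token copied from a device keeps working for the full JWT_REFRESH_EXPIRATION window even after the legitimate client has refreshed.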
This auth service is designed to work in a microservice architecture. Other services can verify JWTs and check permissions either with the provided middleware or by calling this service's API. Whichever path a service takes, it must also honour the logout blacklist, otherwise a blacklisted token that still validates cryptographically will be accepted there.
Run the test suite with:
```bash
yarn test
```
Contributions are welcome! Please feel free to submit a Pull Request.
This project is licensed under the MIT License - see the LICENSE file for details.