Authentication Microservice
This project is a Node.js server designed to provide secure authentication services for applications. It employs a robust architecture to manage user accounts and protect sensitive data through effective authentication and authorization mechanisms.
Introduction
The Authentication Microservice provides a centralized authentication system for various applications. It is built using Node.js and follows a modular approach for endpoint architecture, ensuring agility, efficiency, and a lightweight design. This microservice can be easily integrated into different application ecosystems.
Security Architecture
This server enforces a high level of security to safeguard against potential threats from malicious users. Middleware verifies the bearer token on every PUT, GET and DELETE request; the POST requests for account creation and sign-in are the only ones that carry no token. Additionally, CORS is configured so that only trusted client applications can call the service. Note that CORS is enforced by browsers, so it limits which web origins can read responses; it is not a substitute for the token check against non-browser clients.
The database accepts connections from any network origin, so the connection string and its credentials are kept out of the code base and read from environment variables (DB_URI). A planned update is to add further protection for secret keys, for example with a library such as crypto-js. Restricting the database's network allowlist to the service's own addresses remains the stronger control, since a secret read from the environment still grants full access to whoever obtains it.
Authentication
Users are authenticated on signup and on sign-in. On signup a JWT (JSON Web Token) is issued whose payload carries the user's ID (the _id that MongoDB generates automatically), signed with JWT_SECRET; a fresh token is issued on each successful sign-in, and each token expires after three days. On PUT, GET and DELETE requests the token's signature and expiry are verified before the request is served.
Authorization
Unauthorized access is restricted. For all requests except the POST request that creates an account, the client must send two headers: the Bearer token and the user_id. The token is verified and decoded to extract the user ID, which is then compared with the supplied user_id, so only the account's owner can reach its data. Requests that fetch a record by ID must use the authenticated user's own ID. Comparing against a user_id header is only meaningful after the token's signature has been verified; an unverified decode would let a client assert any ID it likes.
Known Issue: the authentication middleware must be registered per protected route, not globally for every route. Applied globally it also runs on the unauthenticated account-creation request and rejects legitimate users as unauthorized.
Encryption
User passwords, access keys and other sensitive credentials are not encrypted but hashed with the bcryptjs library, a salted, deliberately slow one-way function (the cost is set by BCRYPT_SALT_ROUNDS). A hash cannot be reversed to recover the original value, so a leaked database does not expose passwords directly. At sign-in, the user-provided password is checked against the stored hash with bcrypt's compare function. Hashing only suits values the service merely needs to check, such as passwords; a secret the service must later present in clear cannot be stored this way.
HTTPS
Communication between clients and the server is secured using HTTPS, ensuring that data transmitted over the network is encrypted and protected from eavesdropping or tampering.
Input Validation
User input is validated to prevent common injection vulnerabilities. Because the store is MongoDB, the relevant class is NoSQL injection rather than SQL injection: a JSON body in which a field is an object such as {"$gt": ""} instead of a string, passed straight into a query, changes the query's meaning, so credential fields are required to be plain strings of bounded length. Input is also checked for the markup behind cross-site scripting (XSS), although for an API that returns JSON the decisive XSS control is output encoding in the consuming client. These checks apply to all incoming data to maintain the integrity of the application.
Logging and Monitoring
Robust logging and monitoring practices are established to detect and respond to security incidents. These practices help maintain an audit trail and identify potential security breaches.
Third-Party Dependencies
All third-party dependencies are carefully evaluated for security and reliability. Regular updates and vulnerability checks are performed to ensure that the project remains secure.
Getting Started
Follow these instructions to set up and run the project.
Prerequisites
- Node.js (version 3.0.2)
- MongoDB (version 6.3.0)
Installation
- Clone the repository:
  git clone https://github.com/digitalterrene/authentication-microservice.git
  cd authentication-microservice
- Install dependencies:
  npm install
Configuration
Create a .env file in the root directory and set the necessary environment variables for your database connection and other configurations:
DB_URI=your_mongodb_uri
JWT_SECRET=your_jwt_secret
BCRYPT_SALT_ROUNDS=10
Usage
To start the server, run the following command:
npm start
The server will be running on http://localhost:3000 by default. You can access the authentication endpoints as needed.
Contributing
Contributions are welcome! Please submit a pull request or open an issue to discuss your changes.
Acknowledgments
nodejs
bcryptjs
jsonwebtoken
express
mongoose
dotenv