
Express-js Boilerplate with User Authentication

by Greg Kelesidis, March 26th, 2020

I couldn’t find a complete user authentication system for Expressjs, so I wrote this one.

For the impatient, the code resides on GitHub.

MySQL

It uses MySQL for user data, and as the session store too. I tried to keep the code flexible, so it is easy to swap MySQL for something else.
There is no need to use the same database system for the session store; I did so only for simplicity.

Configuration

It uses a .env file for the basic configuration of the application. That is, editing the .env file is enough to have the application up and running.

In addition, there are a few configurable parameters in the /config directory:

“Remember me” cookie duration.

Session store and session duration.

Email sending configuration.


Authentication

The authentication system includes:

1. User registration and login based on Passport.

2. Forgot / reset password functionality.

     By default the reset password code is valid for 1 hour. Configurable.

3. “Remember me” cookie.

     By default valid for 360 days. Configurable.

4. Two user levels, regular and administrator. Not configurable.

     Easy to extend to more levels with some coding.

5. Throttling protection against DoS attacks. Configurable.

     By default it allows two requests per two seconds.

6. XSRF (CSRF) protection.

Interface

The interface is taken from Brad Traversy’s presentation. I only changed the parts I had to.

I believe it is easy to switch the interface with another one, according to the project requirements.

Registration

When a user registers in the application, that user becomes an administrator if there is no other user in the database.

There is no activation email; users are active immediately after registration. I didn’t include an activation step because not all projects need it, and it is quite easy to add if there is such a requirement.

In any case, there is always the administrator to control which users are allowed and which are not.

Dashboard

There is a basic admin dashboard, where an admin can grant or revoke administrator rights for other users.

Admins can also activate and deactivate other users. There is no user deletion, only deactivation.

Remember me

The “remember me” cookie does not contain the user ID but the user’s UUID, which on its own carries no useful information for an attacker. This is the only reason a UUID is included in the “users” database table.

The content of the cookie is the UUID and the “remember me” token. Only the hash of the “remember me” token is kept in the database, and the token is verified the same way a password is.

The “remember me” cookie value and the “forgot password” key are treated as passwords, because they are in fact equivalent to passwords.

Dependencies

I tried to keep the number of dependencies as low as possible, so as not to restrict the developer’s package selection for the main project.