// A tour of every SuperLogin / couch-auth configuration option and what it does.
// Each section is built as its own constant and assembled into `exampleConfig` at the bottom.
const path = require('path');

// Switches that only make sense while developing or debugging the app.
const testMode = {
  // Route mail through a stub transport so nothing is actually delivered.
  noEmail: false,
  // Show debug information in the OAuth dialogs.
  oauthDebug: false,
  // Echo outgoing emails to the console.
  debugEmail: false
};

// Account-lifecycle, session and lockout policy.
const security = {
  // Roles every newly created user receives.
  defaultRoles: ['user'],
  // When true, users cannot link further providers to an existing account.
  disableLinkAccounts: false,
  // Failed logins tolerated before the account is locked.
  maxFailedLogins: 3,
  // Lock duration in seconds once `maxFailedLogins` is exceeded.
  lockoutTime: 600,
  // Lifetime of a fresh session, in seconds (86400 = 24 hours).
  sessionLife: 86400,
  // Lifetime of a password-reset token, in seconds.
  tokenLife: 86400,
  // Upper bound on activity-log entries kept in each user doc; 0 disables the log entirely.
  userActivityLogSize: 10,
  // Create a session immediately after a successful registration.
  loginOnRegistration: false,
  // Create a session immediately after a successful password reset.
  loginOnPasswordReset: false,
  // When true, errors are not logged/handled by couch-auth but passed on to the Express error handlers.
  forwardErrors: false
};

// Behaviour of username/password ("local") sign-up and sign-in.
const local = {
  // Send a confirmation email after each local sign-up.
  sendConfirmEmail: true,
  // Block login (and the application of a changed email) until the address is confirmed.
  requireEmailConfirm: false,
  // Keep answering 200 after the email token has already been confirmed once.
  keepEmailConfirmToken: false,
  // Require the correct `password` in the request body when changing the email.
  requirePasswordOnEmailChange: false,
  // Notify the user by email after a password change or reset succeeded.
  sendPasswordChangedEmail: true,
  // When set, redirect here after email confirmation instead of returning JSON.
  confirmEmailRedirectURL: '/',
  // Email the existing account holder when someone signs up with an address already in use.
  sendExistingUserEmail: true,
  // Use the email address as the identifier and drop usernames altogether.
  emailUsername: false,
  // Include username and UUID in the session response.
  sendNameAndUUID: false,
  // A number here truncates password-reset tokens to that length (e.g. 8); `false` keeps the full token.
  tokenLengthOnReset: false,
  // Field names of the username and password inputs in the sign-in form.
  usernameField: 'user',
  passwordField: 'pass',
  // Password rules that override the built-in constraints.
  passwordConstraints: {
    length: {
      minimum: 6,
      message: 'must be at least 6 characters'
    },
    matches: 'confirmPassword'
  },
  // Consents flagged `required` must be part of the sign-up form; later updates go through the `consents` route.
  consents: {
    privacy: {
      minVersion: 2,
      currentVersion: 3,
      required: true
    },
    marketing: {
      minVersion: 3,
      currentVersion: 4,
      required: false
    }
  }
};

// Connection details for the CouchDB-compatible server that holds all databases.
const dbServer = {
  protocol: 'http://',
  host: 'localhost:5984',
  // Empty placeholders: keep real server credentials in environment variables, as the
  // mailer and provider sections below do, rather than in this file.
  user: '',
  password: '',
  // Set this when clients reach the database through a different URL than the Node.js server does;
  // it becomes the access URL for every user's personal DBs.
  publicURL: 'https://mydb.example.com',
  /**
   * With `cloudant` or `couchAuthOnCloudant`, this IAM API key is used for authentication instead of
   * legacy basic auth via `user:password`. Do not supply `password` or `CLOUDANT_PASS` when using IAM.
   */
  iamApiKey: '',
  // Database holding couch-auth's own user records (distinct from CouchDB's _users DB).
  // Alternatively pass a `nano` instance to the SuperLogin constructor and leave this blank.
  userDB: 'sl_users',
  // CouchDB's _users database; every session gets its own login and password there. Not used with Cloudant.
  couchAuthDB: '_users',
  // Use this instead when on Cloudant but still relying on the `_users` DB and CouchDB's permission system.
  couchAuthOnCloudant: false
};

// Outgoing mail. With `useCustomMailer` you must listen to the emitted events yourself.
const mailer = {
  useCustomMailer: false,
  // Sender address for all system emails.
  fromEmail: 'noreply@example.com',
  // Custom Nodemailer transport; defaults to SMTP or sendmail when omitted.
  transport: require('nodemailer-sendgrid-transport'),
  // Options handed to the transport, usually SMTP settings; blank falls back to sendmail.
  // Credentials are read from the environment so they never live in source.
  options: {
    auth: {
      api_user: process.env.SENDGRID_USERNAME,
      api_key: process.env.SENDGRID_PASSWORD
    }
  }
};

// Subjects for the templates of the emails SuperLogin sends.
const emails = {
  confirmEmail: {
    subject: 'Please confirm your email'
  },
  forgotUsername: {
    subject: 'Your username request'
  },
  forgotPassword: {
    subject: 'Your password reset link'
  },
  modifiedPassword: {
    subject: 'Your password has been modified'
  },
  confirmEmailChange: {
    subject: 'Please confirm your new email'
  },
  signupExistingEmail: {
    subject: 'You already have registered with us'
  }
};

// Per-user ("personal") database management.
const userDBs = {
  // Databases provisioned automatically for each new user.
  defaultDBs: {
    // Private DBs belong to one user: named `<privatePrefix>` + name + `$USERNAME`.
    private: ['test'],
    // Shared DBs the user is merely authorized on; names are used verbatim, so give the exact name.
    // The empty string is only a placeholder here — NOTE(review): how an empty name is treated is not
    // visible in this file; replace it with a real database name before use.
    shared: ['']
  },
  // On CouchDB (not Cloudant) these roles are written into the _security object of every new user DB,
  // which is what keeps anonymous access out.
  defaultSecurityRoles: {
    admins: ['$slAdmin'],
    members: []
  },
  // Settings per personal database.
  model: {
    // Applied to any database not listed explicitly below.
    _default: {
      // Design-doc file names (without .js) found in `designDocDir`.
      designDocs: ['mydesign']
    },
    test: {
      designDocs: ['test'],
      // 'private' or 'shared'
      type: 'private',
      // Roles added to this specific DB's _security object.
      adminRoles: [],
      memberRoles: []
    }
  },
  // Prefix for every private user database.
  privatePrefix: 'test',
  // Directory holding all design docs.
  designDocDir: path.join(__dirname, './designDocs')
};

// OAuth providers; every provider follows the same shape as `facebook` below.
const providers = {
  facebook: {
    // App credentials; the callback URL is generated automatically.
    // See the Passport documentation of the strategy for details.
    credentials: {
      // Everything under `credentials` is passed to passport.use.
      // Keep secrets in environment variables, never in the code base.
      clientID: process.env.facebook_client_id,
      clientSecret: process.env.facebook_client_secret
    },
    // Extra options for the strategy, e.g. requested permissions.
    options: {
      // Everything under `options` is passed to passport.authenticate.
      scope: ['email']
    },
    // Pass the user's auth token as the `state` variable when linking to this provider.
    // Defaults to true for Google and LinkedIn; enable for other providers as needed.
    stateRequired: false,
    // Copy `templates/oauth/authCallback.ejs` and change the second parameter from '*' to your page origin
    // (e.g. 'https://example.com'); otherwise any site could receive the auth data returned by the
    // pop-up window workflow. One template can serve all providers.
    template: path.join(
      __dirname,
      './templates/oauth/my-custom-secure-authCallback.ejs'
    )
  }
};

// Merged into the userModel that validates the local sign-up form.
// See [Sofa Model documentation](http://github.com/colinskow/sofa-model) for details.
const userModel = {
  // Example: every new user must provide a valid age or registration fails.
  whitelist: ['age'],
  validate: {
    age: {
      presence: true,
      numericality: {
        onlyInteger: true,
        greaterThanOrEqualTo: 18,
        lessThan: 150,
        message: 'You must be an adult, but not dead yet.'
      }
    }
  }
};

/** @type {import('./src/types/config').Config} */
const exampleConfig = {
  testMode,
  security,
  local,
  dbServer,
  mailer,
  emails,
  userDBs,
  providers,
  userModel
};

module.exports = exampleConfig;