Barillet connect middleware

One factor TOTP authentication middleware for connect / express.

Goals

Barillet aims to be a super safe and secure authentication system, at the cost of being super-weary for human users.

Barillet

• Doesn't trust or rely on HTTPS
• Avoid sending sensitive data over the net (like a password, a session ID, or even an username) that could be reused by an attacker
• Avoid any human error by not using password

It's not :

• Meant for systems with a lot of users. Barillet calculates each user's token at each authentication (see Security, Token Interception).
• Meant to provide sessions
• Meant to authenticate a server to the client (see Security, MITM)
• Meant to sign a request's body (see Security, MITM again)

Usage

barillet = require("barillet")
app.use(barillet(db))

Where DB can be either a mongodb URL, a mongo.Db instance (obtained via mongo.MongoClient.connect) or an objects containing two mongo.Collection : users and bans.

Security

Validation

String that doesnt length 6 characters or that are not integers throw 400-Bad Request.

Multiple users have the same token

If anytime multiple users have the same token, Barillet will apologize throwing a 500-Internal Error. If that ever occurs.

Token interception

If an attacker sniff's and gets a token, he won't be able to use it. Tokens can only be used once. Therefore, even valid users need to wait minimum 30 seconds between two authenticated actions.

Bruteforce attacks

Once a client's IP failed to send a valid token, any other attempts from this IP will throw a 429-Too Many Requests, until next time slice.

Man In The Middle attacks

Barillet doesn't prevent Man-in-the-Middle attacks. It doesnt authenticate the server toward the client. One can pretend to be the server and use a token to send an altered request to your actual app. Or respond with altered informations.

This may be done with HTTPS, if you do trust Certificate Authorities.