
kuzzle-plugin-auth-passport-local

v6.4.1

Kuzzle plugin to log-in users

Downloads: 3,517

Readme

Plugin Local Password Authentication

This plugin provides local authentication with a username and password, built on the passportjs module.

This plugin is installed in Kuzzle by default.

Compatibility matrix

| Kuzzle Version | Plugin Version |
| -------------- | -------------- |
| 1.x.x          | 5.x.x          |
| 2.x.x          | 6.x.x          |

Configuration

The default configuration is as follows:

{
  "algorithm": "sha512",
  "stretching": true,
  "digest": "hex",
  "encryption": "hmac",
  "requirePassword": false,
  "passwordPolicies": []
}

General settings

  • algorithm: one of the hash algorithms supported by Node.js (run crypto.getHashes() to get the complete list). Examples: sha256, sha512, blake2b512, whirlpool, ...
  • stretching: must be a boolean; controls whether the password is stretched or not.
  • digest: describes how the hashed password is encoded in the persistence layer. See the other possible values in the Node.js documentation.
  • encryption: determines whether the hashing algorithm uses crypto.createHash (hash) or crypto.createHmac (hmac). For more details, see the Node.js documentation.
  • requirePassword: must be a boolean. If true, this plugin refuses any credentials update or deletion unless the currently valid password is provided or the change is performed via the security controller.
  • resetPasswordExpiresIn: a positive time representation of the delay after which a reset password token expires (see ms for possible formats). Users with expired passwords are given a resetPasswordToken when logging in and must change their password to be allowed to log in again.

Password policies

Since 6.2.0

Password policies can be used to define a set of additional rules to apply to users, or to groups of users.

Each password policy is an object with the following properties:

  • appliesTo (mandatory): either the string * to match all users, or an object.
  • appliesTo.users: an array of user kuids the policy applies to.
  • appliesTo.profiles: an array of profile ids the policy applies to.
  • appliesTo.roles: an array of role ids the policy applies to.

If appliesTo is an object, at least one of the users, profiles or roles properties must be set.

Optional properties

  • expiresAfter: A positive time representation of the delay after which a password expires (see ms for possible formats). Users with expired passwords are given a resetPasswordToken when logging in and must change their password to be allowed to log in again.
  • forbidLoginInPassword: if set to true, prevents users from using their username as part of the password. The check is case-insensitive.
  • forbidReusedPasswordCount: the number of previous passwords to keep in history and check against when a new password is set.
  • mustChangePasswordIfSetByAdmin: if set to true, when a user's password is set by someone else, the user receives a resetPasswordToken upon next login and must change their password before being allowed to log in again.
  • passwordRegex: A string representation of a regular expression to test on new passwords.

Examples

{
  "passwordPolicies": [
    {
      "appliesTo": "*",
      "forbidLoginInPassword": true,
      "passwordRegex": ".{6,}"
    },
    {
      "appliesTo": {
        "profiles": ["editor"],
        "roles": ["admin"]
      },
      "expiresAfter": "30d",
      "mustChangePasswordIfSetByAdmin": true,
      "passwordRegex": "^(?=.*[a-zA-Z])(?=.*[0-9])(?=.{8,})"
    },
    {
      "appliesTo": {
        "roles": ["admin"]
      },
      "passwordRegex": "^(((?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*\\W)(?=.{8,}))|(?=.{24,}))"
    }
  ]
}

In the example above, no user can use a password that includes their login, and every password must be at least 6 characters long.

Editors' and admin users' passwords expire every 30 days, must be at least 8 characters long and must include at least one letter and one digit.

Admin users' passwords must additionally either be 24 or more characters long, or include a lower case character, an upper case character, a digit and a special character.
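To make the policy semantics above concrete (matching by kuid, profile or role; cumulative application of every matching policy; the case-insensitive login check; expiry), here is an added evaluator written for this page. It is not the plugin's own code: the user shape {kuid, profileIds, roleIds} and the tiny duration parser standing in for the ms package are assumptions.

```javascript
// Added example, not the plugin's own code: applies the password-policy objects
// documented above to a user and a candidate password. The user shape
// {kuid, profileIds, roleIds} is an assumption; POLICIES is the README example.
const POLICIES = [
  { appliesTo: '*', forbidLoginInPassword: true, passwordRegex: '.{6,}' },
  { appliesTo: { profiles: ['editor'], roles: ['admin'] }, expiresAfter: '30d',
    mustChangePasswordIfSetByAdmin: true,
    passwordRegex: '^(?=.*[a-zA-Z])(?=.*[0-9])(?=.{8,})' },
  { appliesTo: { roles: ['admin'] },
    passwordRegex: '^(((?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*\\W)(?=.{8,}))|(?=.{24,}))' },
];

// A policy applies to everyone ('*') or when any listed kuid, profile or role matches.
function policyApplies(policy, user) {
  const t = policy.appliesTo;
  if (t === '*') return true;
  return (t.users || []).includes(user.kuid)
    || (t.profiles || []).some(p => user.profileIds.includes(p))
    || (t.roles || []).some(r => user.roleIds.includes(r));
}

// Minimal "30d"/"12h"/"15m"/"45s" parser standing in for the ms package (assumption).
function toMillis(duration) {
  const m = /^(\d+)([dhms])$/.exec(duration);
  if (!m) throw new Error(`unsupported duration: ${duration}`);
  return Number(m[1]) * { d: 86400000, h: 3600000, m: 60000, s: 1000 }[m[2]];
}

// Expired if ANY applicable policy's expiresAfter has elapsed since the password was set.
function passwordExpired(policies, user, passwordSetAtMs, nowMs) {
  return policies.filter(p => policyApplies(p, user))
    .some(p => p.expiresAfter && nowMs - passwordSetAtMs > toMillis(p.expiresAfter));
}

// Returns the violated rules (empty array = acceptable). Policies are cumulative:
// a new password must satisfy every applicable one, not just the most specific.
function checkPassword(policies, user, username, password) {
  const violations = [];
  policies.forEach((p, i) => {
    if (!policyApplies(p, user)) return;
    if (p.forbidLoginInPassword && password.toLowerCase().includes(username.toLowerCase())) {
      violations.push(`policy ${i}: password contains the login`);
    }
    if (p.passwordRegex && !new RegExp(p.passwordRegex).test(password)) {
      violations.push(`policy ${i}: does not match ${p.passwordRegex}`);
    }
  });
  return violations;
}
```

Note that a 24-character all-lowercase passphrase satisfies the admin-only policy but still fails the editor/admin one, which requires a digit; the plugin's policies are additive, so the stricter combination wins.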

Usage

Login

To log in using Kuzzle's API:

{
  "controller": "auth",
  "action": "login",
  "strategy": "local",
  "body": {
    "username": "<username>",
    "password": "<password>"
  }
}

requirePassword option

By default, there is no restriction to update or delete credentials (provided the current user is logged in).

However, if the option requirePassword is set to true, this plugin will refuse to update credentials unless either the currently valid password is also provided, or the change is performed via the security controller.

To provide the password, add a currentPassword argument to the request body.

Example (non-HTTP protocol):

{
  "controller": "auth",
  "action": "updateMyCredentials",
  "strategy": "local",
  "jwt": "<currently valid token>",
  "body": {
    "currentPassword": "<currently valid password>",
    // just skip the fields you don't want to update
    "username": "<new username>",
    "password": "<new password>"
  }
}

Reset Password

Permissions

By default, all routes are denied to non-admin users; grant them explicitly where needed. A typical setup may look like:

.kuzzlerc

{
  "security": {
    "roles": {
      "anonymous": {
        "controllers": {
          "auth": {
            "actions": {
              "checkToken": true,
              "getCurrentUser": true,
              "getMyRights": true,
              "login": true
            }
          },
          "kuzzle-plugin-auth-passport-local/password": {
            "actions": {
              "reset": true
            }
          },
          "server": {
            "actions": {
              "publicApi": true
            }
          }
        }
      }
    }
  }
}

See the Kuzzle user authentication documentation for more details about Kuzzle's authentication mechanism.

Reset password

{
  "controller": "kuzzle-plugin-auth-passport-local/password",
  "action": "reset",
  "body": {
    "password": "new password",
    "token": "<reset token>"
  }
}

For HTTP:

curl \
    -XPOST \
    -H "Content-type: application/json" \
    -d '{"password": "new password", "token": "<reset token>"}' \
    kuzzle/_plugin/kuzzle-plugin-auth-passport-local/password/reset

Response:

{
  "requestId": "8a3c1366-e9cc-4e4e-8fe8-8e90f79d02a5",
  "status": 200,
  "error": null,
  "controller": "kuzzle-plugin-auth-passport-local/password",
  "action": "reset",
  "collection": null,
  "index": null,
  "volatile": null,
  "result": {
    "_id": "user",
    "expiresAt": 1587466666298,
    "jwt": "<login token>",
    "ttl": 3600000
  }
}

The returned jwt can be used the same way as if the user had logged in.

Get a reset password token

A reset token is automatically returned upon login if the password is either expired or must be changed according to the defined policies.

Another way to get a reset token for a user is to use the getResetPasswordToken route. For instance, it can be used programmatically from a plugin to generate a reset password link for a user who has lost their password.

Warning: this route MUST be secured and accessible to permitted users only!

{
  "controller": "kuzzle-plugin-auth-passport-local/password",
  "action": "getResetPasswordToken",
  "_id": "<kuid>"
}

For HTTP:

curl kuzzle/_plugin/kuzzle-plugin-auth-passport-local/password/resetToken/<kuid>

Response:

{
  "requestId": "7a701827-98eb-4122-8691-8f27d9c77fef",
  "status": 200,
  "error": null,
  "controller": "kuzzle-plugin-auth-passport-local/password",
  "action": "getResetPasswordToken",
  "collection": null,
  "index": null,
  "volatile": null,
  "result": {
    "resetToken": "<reset password token>"
  }
}

How to create a plugin

See the Kuzzle plugin documentation for more information about how to create your own plugin.

About Kuzzle

For UI and IoT developers, Kuzzle is an open-source solution that handles all the data management (CRUD, real-time storage, search, high-level features, etc.).

Kuzzle features are accessible through a secured API, which can be used over a wide choice of protocols such as HTTP, WebSocket or MQTT.