This PR adds an AuthModule and AuthGuard that abstract away all user authentication actions via three endpoints:
POST /auth/generate creates cryptographically secure passcodes, forwards them to user emails, and internally encrypts them via BCrypt to store in MongoDB. Ratelimited to 1 minute per email to prevent spam.
POST /auth/verify accepts an email + passcode pair and verifies them. If successful, creates a httpOnly, Secure, SameSite cookie on the client with a jwt encrypted token valid for a week. Allows up to 5 attempts for each email address. Note that cookies are NOT marked as Secure and SameSite in development for convenience.
GET /auth/me returns user information for logged in users, and throws 401 Unauthorized otherwise. Implemented via AuthGuard
AuthGuard is a guard that can be applied on protected endpoints. It checks for a valid signed JWT token from the incoming request, and attaches the decrypted payload to the request for convenience.
Some additional improvements added are:
Updated README
Add compodoc to automatically generate documentation for rp-core
Add helmet to attach important headers to outgoing responses automatically
Fixed broken variable names and unimplemented endpoints in AttendeeModule
Note: This PR only deals with authentication, NOT authorization. Next steps are to add an internal authorization layer to grant access to staff accounts automatically.
This PR adds an
AuthModuleandAuthGuardthat abstract away all user authentication actions via three endpoints:POST /auth/generatecreates cryptographically secure passcodes, forwards them to user emails, and internally encrypts them via BCrypt to store in MongoDB. Ratelimited to 1 minute per email to prevent spam.POST /auth/verifyaccepts an email + passcode pair and verifies them. If successful, creates a httpOnly, Secure, SameSite cookie on the client with a jwt encrypted token valid for a week. Allows up to 5 attempts for each email address. Note that cookies are NOT marked as Secure and SameSite in development for convenience.GET /auth/mereturns user information for logged in users, and throws 401 Unauthorized otherwise. Implemented via AuthGuardAuthGuardis a guard that can be applied on protected endpoints. It checks for a valid signed JWT token from the incoming request, and attaches the decrypted payload to the request for convenience.Some additional improvements added are:
AttendeeModuleNote: This PR only deals with authentication, NOT authorization. Next steps are to add an internal authorization layer to grant access to staff accounts automatically.