Many of the nonprofits we work with end up building projects that need an authentication system. Often each team develops its own version, and many cut corners in order to focus on the rest of the product and deliver on time. This opens up many potential vulnerabilities in the resulting security system.
We created an autogenerated authentication server that developers can customize and deploy on their own. Our CLI tool walks developers through generating the necessary signing secrets, setting a custom configuration, and then deploying the server. This means teams using the tool should never have to touch any code related to the authentication server; instead they are given out-of-the-box endpoints that they can call and use.
Tokens are JWTs signed by the authentication server, and the secret used to sign and verify them is rotated every hour (or the number of hours set by expire_after_hrs in the config file). Only the authentication server knows the current secret, so it is the single source of truth for verifying a JWT. This minimizes the risk of the secret being compromised: it is never sent between the client and the server, and it is replaced often.
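The following is an added illustration of the scheme described above, not the project's own code. It mints and verifies HS256 JWTs with only the standard library, keeps the signing secret inside the server-side object, and lazily replaces that secret once expire_after_hrs has elapsed (the config key name is the page's; the class and function names, the fake clock, and the sample user are assumptions). It also shows the two checks a verifier must always make: the signature is checked with a constant-time comparison before any claim is trusted, and a header that names any algorithm other than the expected one is rejected.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumed default for the expire_after_hrs config value named on the page.
EXPIRE_AFTER_HRS = 1


def b64url_encode(data: bytes) -> str:
    """Unpadded base64url, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    """Inverse of b64url_encode; re-adds the stripped padding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class RotatingSigner:
    """Server-side holder of the HS256 secret.

    Clients only ever see tokens, never the secret, so this object is the
    single place where tokens can be minted or verified. The secret is
    replaced once expire_after_hrs hours have passed since the last rotation.
    """

    def __init__(self, expire_after_hrs: float = EXPIRE_AFTER_HRS, now=time.time):
        self.now = now                      # injectable clock (assumption, for testing)
        self.rotate_every = expire_after_hrs * 3600
        self.secret = secrets.token_bytes(32)
        self.rotated_at = now()

    def _maybe_rotate(self) -> None:
        if self.now() - self.rotated_at >= self.rotate_every:
            self.secret = secrets.token_bytes(32)
            self.rotated_at = self.now()

    def mint(self, user_id: str, role: str) -> str:
        self._maybe_rotate()
        header = {"alg": "HS256", "typ": "JWT"}
        payload = {"sub": user_id, "role": role, "iat": int(self.now()),
                   "exp": int(self.now() + self.rotate_every)}
        signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                         + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
        sig = hmac.new(self.secret, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + b64url_encode(sig)

    def verify(self, token: str):
        """Return the claims if the token is valid under the current secret, else None."""
        self._maybe_rotate()
        try:
            h, p, s = token.split(".")
            sig = b64url_decode(s)
        except (ValueError, TypeError):
            return None
        # Check the signature first, in constant time, before trusting any claim.
        expected = hmac.new(self.secret, (h + "." + p).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return None
        try:
            header = json.loads(b64url_decode(h))
            payload = json.loads(b64url_decode(p))
        except (ValueError, TypeError):
            return None
        # Never let the token choose its own algorithm ("alg": "none" and friends).
        if header.get("alg") != "HS256":
            return None
        if payload.get("exp", 0) <= self.now():
            return None
        return payload


def tamper(token: str, new_claims: dict) -> str:
    """Build what an attacker would send: the original header and signature
    with the payload swapped out. verify() must reject it."""
    h, _, s = token.split(".")
    return h + "." + b64url_encode(json.dumps(new_claims, separators=(",", ":")).encode()) + "." + s


if __name__ == "__main__":
    signer = RotatingSigner()
    tok = signer.mint("alice", "admin")
    print("valid:", signer.verify(tok))
    print("forged:", signer.verify(tamper(tok, {"sub": "alice", "role": "owner"})))
```

Because only the current secret is kept, every token issued before a rotation stops verifying the moment the secret changes, so with this design the rotation interval is also the longest a session can last; an implementation that wants sessions to straddle a rotation would have to keep the previous secret for verification until its tokens expire.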
When a user registers, they must verify their email address, either during registration or later. If the password is changed, the user receives an email alerting them to the change.
If a user is inactive for over an hour (or the number of hours set in the configuration file), they are automatically logged out. This limits the exposure from sessions left open by users who forget to log out.
Only users with a sufficiently high permission level can see the users below their own level and promote or demote them. The role hierarchy is easily configurable from the config.yml file.
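As an added example (not the project's code), here is the permission check that such a hierarchy implies. The ordered role list stands in for the roles section of config.yml, whose exact keys the page does not show, so its shape is an assumption, as are the function names and the constructed sample users. The rule it enforces is the one stated above: an actor may only see and act on users strictly below their own level, and may only assign roles that are also strictly below their own level, so nobody can promote another user to, or above, their own rank.

```python
# Assumed representation of the roles section of config.yml, lowest role first.
# In the YAML it might read:
#   roles: [user, moderator, admin, owner]
ROLE_HIERARCHY = ["user", "moderator", "admin", "owner"]

# Constructed sample data; not from the page.
SAMPLE_USERS = [
    {"name": "alice", "role": "owner"},
    {"name": "bob", "role": "admin"},
    {"name": "dave", "role": "moderator"},
    {"name": "carol", "role": "user"},
]


def level(role: str) -> int:
    """Numeric rank of a role; unknown roles are an error, never a default."""
    try:
        return ROLE_HIERARCHY.index(role)
    except ValueError:
        raise ValueError(f"unknown role: {role!r}") from None


def can_view(actor_role: str, target_role: str) -> bool:
    """An actor sees only users strictly below their own level."""
    return level(actor_role) > level(target_role)


def can_change_role(actor_role: str, target_role: str, new_role: str) -> bool:
    """Promote or demote only users below you, and only to roles below you.

    Both halves matter: without the second check an admin could promote a
    user straight to owner, i.e. above the admin's own level.
    """
    actor = level(actor_role)
    return actor > level(target_role) and actor > level(new_role)


def visible_users(actor_role: str, users: list) -> list:
    """Filter a user listing down to what the actor is allowed to see."""
    return [u for u in users if can_view(actor_role, u["role"])]


if __name__ == "__main__":
    for u in visible_users("admin", SAMPLE_USERS):
        print("admin can see", u["name"])
    print("admin promotes user to owner:", can_change_role("admin", "user", "owner"))
```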
If a password is forgotten, the server will either ask the user a preset security question, send them an email with a PIN, or require both before the user can reset their password.
A user can either register with their Gmail account or enter their information directly.