protonfile-auth
v1.6.7
protonfile-auth
Authentication and authorization solution initially built for Protonfile but usable for any modern app. It was created as an Auth0 replacement for Protonfile.
How does it work?
protonfile-auth uses the traditional JWT access and refresh token model: refresh tokens are long-lived (currently hard-coded to 7 days) and access tokens are short-lived, and new access tokens are obtained with the refresh token.
An Express middleware is exposed, which can be used to verify a user's access token before allowing access to a resource.
Refresh token versions are stored in the database, which enables token rotation. It also allows the user to revoke a session instantly, which in turn blocks the issuing of any further access tokens for that session.
Disadvantages
protonfile-auth is by no means a perfect authentication solution, and there are some known issues. This module was built to have complete control over the authentication process, but it certainly can't compete with solutions like OAuth. If you are building a professional application you should use more tested solutions than this.
- JWT is not advised as a session token because it is self-contained, with no central authority that can invalidate it. protonfile-auth addresses this by saving those tokens in a database and removing them once a session has expired.
Advantages
- Access token revocation is instantaneous: each token is linked to a session, and if the session is revoked (on logout or device kick) the access token is also invalidated. The auth middleware does not query the database on each verification; instead it keeps an in-memory cache of revoked sessions so it can verify the token instantaneously. Although the cache is in-memory, all revoked sessions are also stored in the database until their expiration, which allows the cache to be rebuilt if the server goes down.
- Total control over your data. All TypeORM entities are exported, which means that you can access your data from external TypeScript applications.
