Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
DarkLord is designed to work with Express and provides a configurable authentication solution. It will provide you with a set of API end points straight out of the box. It also has a default User model and Mongo connectivity, however you can easily provide your own.
npm install darklord --save
Next:
var darklord = require('darklord')({ router: router });
This is the simplest way of getting DarkLord up and running.
var darklord = require('darklord')({
secret: <secret string>,
cookie: <turn on token cookie>,
user: <passport based user model>,
databaseSvc: <database logic controller>,
router: <express router>
});
secret (optional) - provide the JWT generator a secret key that it will use to encrypt and decrypt auth tokens. Leave it blank and it will use an environment variable called JWT_SECRET
cookie (optional) - turn token cookie on. The token will be stored in a signed cookie based on your secret. Useful if you want to use DarkLord for normal webpages as well as APIs.
user (optional) - you can setup your own passport initialised User model, the default one is wrapped up as a passport mongoose model
databaseSvc (optional) - if you are building your own User model and you don't want to use Mongo as a database then you probably already have a database logic layer. That's cool, you can provide DarkLord a database service that has the following interface where each method must return a promise.:
{
create:
update:
find:
findOne:
remove:
};
router (optional) - provide DarkLord with an express router and it will add all the routes you need. If you leave it blank you will need to configure your own routes, but that should be easy enough since require('darklord')()
returns a list of authentication middleware methods you can execute:
register
authenticate,
isAuthenticated,
forgotPassword,
resetPassword,
changePassword,
verifyEmail,
extendToken
If however you do supply DarkLord with a router then you'll get the following end points for free.
Remember to create a JWT token you'll need to set a secret to the JWT_SECRET
env variable
Generate an authentication token.
Request:
{
"email": "myemail@address.com",
"password": "123456"
}
Response:
{
"token": "<authentication-token>",
"expires": "<long-term-expiry-date>"
}
Create an account and generate an authentication token. Sets the verified flag to false and creates a verified token to email to the user.
Request:
{
"email": "myemail@address.com",
"password": "123456"
}
Response:
{
"token": "<authentication-token>",
"expires": "<long-term-expiry-date>"
}
Change the password on the account.
Request:
{
"email": "myemail@address.com",
"password": "abcdef"
}
Headers:
Authorization: "<authentication-token>"
Creates a forgot password token and emails the user the link to reset.
Request:
{
"email": "myemail@address.com"
}
Accepts a token and a password, the server then update the account password
Request:
{
"token": "<forgotten-password-token>",
"password": "654321"
}
Accepts a token (sent to the user's email address), then sets the verified flag on the user to true and removes the verify token
Checks to see if the request is already authenticated, and if so responds with a new auth token that has an extended expiry date
Request:
Headers:
Authorization: "<authentication-token>"
Since the cookies are httpOnly to improve security you won't be able to remove them via JavaScript. Therefore call this end point to instruct the server to remove them.
Response:
Cookies are removed
If you want to check if the current request has access, ie. they are authenticated, then you can use the hasAccess
method which returns a promise.
router.get('/access', function (req, res) {
authSvc
.hasAccess(req, res)
.then(function () {
res.status(200).end();
}, function () {
res.status(401).end();
});
});
To logout call the logout method, it will simply remove the cookies
router.post('/logout', function (req, res) {
authSvc.logout(req, res);
res.status(200).end();
});
FAQs
Stateless JWT based authentication
The npm package darklord receives a total of 1 weekly downloads. As such, darklord popularity was classified as not popular.
We found that darklord demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.