
Security News
Axios Maintainer Confirms Social Engineering Attack Behind npm Compromise
Axios compromise traced to social engineering, showing how attacks on maintainers can bypass controls and expose the broader software supply chain.
lets-mfa-express
# Lets MFA Express Bindings
A simple way to add MFA to your Express app.
Use this library to add MFA protection to your Express app. This library will add the necessary routes to your Express app to handle the MFA flow. It will also add a middleware to your app that will check for a valid id_token on the request. If the id_token is not valid, the middleware will allow you to redirect the user.
```sh
npm install --save lets-mfa-express
```
Before you can use the library, you must generate a public/private key pair. This can be done with the following command. The keys will be written to the current directory. The private key is a secret and should be stored securely.
```sh
npx lets-mfa-express generate-keys
```
The following is a simple example of how to use the library. This will add MFA protection for the paths listed in `coveredPaths`.
```javascript
const express = require("express");
const { existsSync, readFileSync } = require("fs");
// The example below constructs `LetsMFAExpress` directly, so the module export
// is bound to that name here (destructure it instead if the package exposes it
// as a named property).
const LetsMFAExpress = require("lets-mfa-express");

const app = express();

// Placeholder: the public base URL of this app. Its hostname must belong to
// the `domain` configured below.
const RESPONSE_URL_BASE = "https://app.example.com";

// Placeholder persistence functions; replace them with your own data layer.
const users = new Map();
function getUserFromDB(username) {
  return users.get(username);
}
function saveUserToDB(user) {
  users.set(user.username, user);
}

// Read the keys from the file system
// Better yet, you should store these in a secrets manager
const publicKeyPath = "public-key.json";
const privateKeyPath = "private-key.json";
if (!existsSync(publicKeyPath) || !existsSync(privateKeyPath)) {
  throw new Error("Must generate keys first");
}
const keys = {
  publicKey: readFileSync(publicKeyPath, "utf8"),
  privateKey: readFileSync(privateKeyPath, "utf8"),
};

// This adds LetsMFA bindings to your express server
// It should be called before any other routes are added
new LetsMFAExpress(app, {
  // The paths that will be protected by MFA
  coveredPaths: ["/protected"],
  // The domain for the user account
  domain: "example.com",
  // The base URL for your express app
  // The hostname must be part of the domain above
  baseUrl: RESPONSE_URL_BASE,
  // The keys from above
  keys: {
    publicKey: keys.publicKey,
    privateKey: keys.privateKey,
  },
  // The URL to the logo that will be displayed on the MFA page
  logoUrl: "http://localhost:4000/static/logo.png",
  // Called after successful authentication
  authResponseHandler: async (req, res, response) => {
    // Get the User object from the database by username
    const user = getUserFromDB(response.sub);
    if (!user) {
      // The MFA response names an account this app does not know
      return res.status(403).send("Unknown user");
    }
    // Update the user's "accountVault" with the response
    user.accountVault = response.accountVault;
    // Save the user back to the database
    saveUserToDB(user);
    // Send the user to wherever they need to go after completing MFA.
    // A temporary (302) redirect is used: a 301 would be cached by the browser
    // and permanently redirect the auth callback URL.
    res.redirect(302, "/");
  },
  // Called when a user visits a 'coveredPath' without having
  // a valid LetsMFA id_token
  invalidAccessHandler: async ({ req, res, next, client, idTokens, validation }) => {
    // If the user is not authenticated, respond or redirect
    // the user appropriately
    res.status(401).send("Not Authorized");
  },
});

// Application routes are added after the bindings; /protected is only reached
// by requests carrying a valid id_token
app.get("/protected", (req, res) => res.send("MFA passed"));
app.listen(4000);
```
FAQs
LetsMFA bindings for ExpressJS
The npm package lets-mfa-express receives a total of 69 weekly downloads. As such, lets-mfa-express popularity was classified as not popular.
We found that lets-mfa-express demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.