This is a sample application aimed at implementing a simple node.js
- Clone this repository
- Install MongoDB as a local instance
- Generate a self-signed x509 certificate and private key and place them in the `sslcert` directory
  - Example instructions on generating an x509 certificate
  - The x509 certificate must be named `certificate.pem`
  - The private key must be named `key.pem`
- From the project directory, install npm dependencies: `npm install`
- Run the application in "dev mode" using nodemon
  - Install nodemon globally: `npm install -g nodemon`
  - Linux based: `npm run devmode`
  - Windows:
    - set the DEBUG env variable: `set DEBUG=jmoss-auth-exercise:*`
    - run the application using nodemon: `nodemon start`
The following section is an ongoing discussion of security-related features and considerations.
- Web server only supports HTTPS
  - Potential feature: nginx may be more efficient
- Utilizes the "helmet" middleware for sane header defaults and a reduced attack surface for XSS / CSRF / cookie abuse, etc.
- Utilizes passport-local-mongoose middleware to store passwords in hashed and salted format
- Utilizes express-session to set cookie attributes
The following is an ongoing list of items to consider when hardening for a production environment. The list is a work in progress and will be updated as new features are developed.
- Use an x509 certificate from a certificate authority
- TODO: Support forward secrecy (DHE/ECDHE)
- Store certificates securely in a keychain / the OS
- Only support encrypted connections with MongoDB
- Encrypt the MongoDB instance
  - Note: passwords are already salted and hashed
- TODO: Input validation / testing / prevention of injection attacks
- TODO: Test for side-channel attacks on user account discovery
- TODO: Limit the number of login attempts
- TODO: DDoS mitigation
- Maybe revisit serialization approaches for local / GitHub
- Bring in other profile data to the account collection