Overview

InsForge authenticates requests with signed JWTs, supports Google and GitHub OAuth sign-in, and stores passwords as bcrypt hashes. Tokens are signed either with HMAC-SHA256 (HS256, shared secret) or with RSA (RS256, key pair), depending on what JWT_SECRET holds. Authentication is stateless: no session is kept server-side, although token validation looks the user up in the _accounts table on each request.

Technology Stack

Core Components

| Component         | Technology           | Purpose                                                                 |
|-------------------|----------------------|-------------------------------------------------------------------------|
| Token Format      | JWT with HS256       | Stateless authentication tokens                                         |
| Signing Algorithm | HMAC-SHA256          | Symmetric signing with a shared secret (JWT_SECRET may instead hold an RSA private key, in which case tokens are RS256 and verified with the public key, as in the validation example below) |
| Authentication    | Stateless JWT        | No server-side session storage                                          |
| Password Hashing  | bcryptjs (10 rounds) | Secure password storage                                                 |
| OAuth Providers   | Google, GitHub       | Social authentication                                                   |
| Token Expiry      | Fixed                | 7 days for user tokens; anon tokens never expire                        |

Because anon tokens carry no expiry and there is no server-side session, an anon token stays valid until the signing key is rotated or the account lookup during validation rejects it; treat it as a long-lived credential.

Authentication Flow

Password-Based Authentication

OAuth Flow

JWT Token Structure

Token Payload

{
  "sub": "user_id_uuid",
  "email": "user@example.com",
  "role": "authenticated",
  "iat": 1704067200,
  "exp": 1704672000,
  "iss": "insforge",
  "aud": "insforge-api"
}

Token Claims

| Claim | Description              | Example                 |
|-------|--------------------------|-------------------------|
| sub   | Subject (User ID)        | UUID format             |
| email | User's email             | user@example.com        |
| role  | User role/permissions    | authenticated, admin    |
| iat   | Issued-at timestamp      | Unix timestamp          |
| exp   | Expiration timestamp     | Unix timestamp          |
| iss   | Token issuer             | insforge                |
| aud   | Intended audience        | insforge-api            |

Security Features

HS256 Signing

Tokens are signed with HMAC-SHA256 using a shared secret key. Anyone holding the secret can mint valid tokens, so it never leaves the server, and the verifier accepts only the configured algorithm rather than whatever the token header names.

bcrypt Hashing

Passwords hashed with bcryptjs using 10 salt rounds

OAuth State

CSRF protection via state parameter in OAuth flows

Stateless Auth

JWT tokens carry their own expiry and no server-side session is kept. A token therefore remains valid until exp unless the signing key is rotated or the account lookup during validation rejects it.

Token Rotation

Support for refresh token rotation (coming soon)

Rate Limiting

Protection against brute force attacks

API Endpoints

Authentication Endpoints

| Method | Endpoint                          | Purpose                                      |
|--------|-----------------------------------|----------------------------------------------|
| POST   | /api/auth/users                   | Register new user                            |
| POST   | /api/auth/sessions                | Login with email/password                    |
| GET    | /api/auth/sessions/current        | Get current user (requires auth)             |
| POST   | /api/auth/admin/sessions          | Admin login (local development)              |
| POST   | /api/auth/admin/sessions/exchange | Exchange authorization code (cloud platform) |

OAuth Endpoints

| Method | Endpoint                            | Purpose                     |
|--------|-------------------------------------|-----------------------------|
| GET    | /api/auth/oauth/google              | Initiate Google OAuth flow  |
| GET    | /api/auth/oauth/github              | Initiate GitHub OAuth flow  |
| GET    | /api/auth/oauth/:provider/callback  | OAuth callback handler      |

Admin Endpoints

| Method | Endpoint        | Purpose                     |
|--------|-----------------|-----------------------------|
| GET    | /api/auth/users | List all users (admin only) |
| DELETE | /api/auth/users | Delete users (admin only)   |

OAuth Provider Configuration

Google OAuth 2.0

  • Authorization URL: https://accounts.google.com/o/oauth2/v2/auth
  • Token URL: https://oauth2.googleapis.com/token
  • Scopes: openid, email, profile
  • Required: Client ID, Client Secret, Redirect URI

GitHub OAuth

  • Authorization URL: https://github.com/login/oauth/authorize
  • Token URL: https://github.com/login/oauth/access_token
  • Scopes: read:user, user:email
  • Required: Client ID, Client Secret, Redirect URI

Token Validation

Validation Steps

  1. Format Check: Verify JWT structure (header.payload.signature)
  2. Signature Verification: Validate the signature with the configured key (RSA public key for RS256, shared secret for HS256), accepting only that algorithm and never the one named in the token header
  3. Expiry Check: Ensure token hasn’t expired
  4. Issuer/Audience: Verify iss and aud claims
  5. User Lookup: Check user exists in _accounts table
  6. User Status: Ensure user account is active

Middleware Flow

// Simplified validation flow (stateless). publicKey and db come from the
// server's configuration and database layer; the algorithm and key are
// fixed by configuration, never chosen from the token header.
const jwt = require('jsonwebtoken');

async function validateToken(token) {
  // 1-4. Decode, verify signature, and check exp, iss and aud.
  // With an HS256 shared secret this would be
  // jwt.verify(token, secret, { algorithms: ['HS256'], issuer, audience }).
  const decoded = jwt.verify(token, publicKey, {
    algorithms: ['RS256'],
    issuer: 'insforge',
    audience: 'insforge-api'
  });

  // 5-6. Confirm the account still exists and is active, so a disabled
  // account is rejected even though its token has not expired.
  // The status column name is assumed.
  const { rows } = await db.query(
    'SELECT id, email, role, is_active FROM _accounts WHERE id = $1',
    [decoded.sub]
  );
  if (rows.length === 0 || !rows[0].is_active) {
    throw new Error('account not found or disabled');
  }

  // 7. Return user context from the JWT claims
  return {
    userId: decoded.sub,
    email: decoded.email,
    role: decoded.role
  };
}

Security Best Practices

HTTPS Only

Always use HTTPS in production to protect tokens in transit

Secure Storage

Store tokens in httpOnly, Secure, SameSite cookies or equivalent secure storage; avoid localStorage, which any XSS payload on the page can read.

Short Expiry

Use short-lived access tokens with refresh tokens

Revocation

Implement token revocation for compromised accounts. With stateless tokens this means rotating JWT_SECRET (which invalidates every outstanding token) or relying on the per-request _accounts lookup to reject accounts that have been disabled.

Password Policy

Enforce strong password requirements

2FA Support

Two-factor authentication (coming soon)

Environment Variables

| Variable             | Description                                              | Example                         |
|----------------------|----------------------------------------------------------|---------------------------------|
| JWT_SECRET           | RSA private key (RS256) or shared secret (HS256)         | Base64 encoded key              |
| GOOGLE_CLIENT_ID     | Google OAuth client ID                                   | xxx.apps.googleusercontent.com  |
| GOOGLE_CLIENT_SECRET | Google OAuth secret                                      | Secret string                   |
| GITHUB_CLIENT_ID     | GitHub OAuth client ID                                   | GitHub app ID                   |
| GITHUB_CLIENT_SECRET | GitHub OAuth secret                                      | Secret string                   |
| TOKEN_EXPIRY         | Token lifetime                                           | 7d, 24h, 3600                   |

JWT_SECRET and the OAuth client secrets are the credentials that mint tokens and complete sign-in; keep them out of client bundles, logs and version control.