Security
Last updated: April 2026
Password Storage
Passwords are hashed using bcrypt with a cost factor of 12. Plaintext passwords are never persisted and are held in server memory only for as long as it takes to hash them; they are discarded immediately after hashing. During sign-up, passwords are checked against the Have I Been Pwned API, and passwords with known breach history are rejected.
Tokens & Sessions
Authentication tokens are JWTs signed with the HS256 algorithm. In production, a JWT secret of at least 32 characters is required — the server will not start without it.
Refresh tokens are hashed with bcrypt (cost factor 10) before storage. Refresh tokens are rotated on every use — each refresh issues a new token and invalidates the previous one. Both access token and refresh token TTLs are configurable per project.
Sessions are managed server-side with IP address, user agent, and last active timestamp. Users can view active sessions and revoke individual or all sessions from the dashboard.
Multi-Factor Authentication
TOTP-based multi-factor authentication is supported. TOTP secrets are encrypted with AES before storage. Ten backup codes are generated per user, each hashed with HMAC-SHA256. Backup code verification uses constant-time comparison to prevent timing attacks.
OAuth & Social Login
OAuth state parameters are generated using crypto.randomBytes(32) to prevent CSRF attacks. Twenty OAuth providers are supported, and callback URLs are restricted per project.
Passkeys (WebAuthn)
Passkey authentication is built on the FIDO2/WebAuthn standard. Server-side verification uses the SimpleWebAuthn library.
Network Security
All communication is encrypted via TLS. HSTS (HTTP Strict Transport Security) is enforced with a 1-year max-age.
CORS is configured with a dynamic whitelist that only allows domains registered to each project. Wildcard origins are not used.
The API server uses Helmet middleware to set security headers including Content-Security-Policy, X-Frame-Options (DENY), and X-Content-Type-Options (nosniff).
Brute Force Protection
Failed login attempts are tracked per user. By default, accounts are locked for 300 seconds (5 minutes) after 5 failed attempts. These thresholds are configurable in each project’s security settings. A successful login resets the failure counter.
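The lockout policy above, as an added example (not Authon's implementation): a per-user counter with the default thresholds of 5 attempts and a 300-second lock, a successful login clearing the counter, and a login wrapper that checks the lock before touching credentials. The class name LoginThrottle, the in-memory Map store and the injectable clock are assumptions made so the logic runs stand-alone; a real deployment would back this with a shared store.

```javascript
class LoginThrottle {
  constructor({ maxAttempts = 5, lockoutSeconds = 300, now = () => Date.now() } = {}) {
    this.maxAttempts = maxAttempts;
    this.lockoutMs = lockoutSeconds * 1000;
    this.now = now;                 // injectable clock (ms) for deterministic tests
    this.state = new Map();         // userId -> { failures, lockedUntil }
  }

  _get(userId) {
    if (!this.state.has(userId)) this.state.set(userId, { failures: 0, lockedUntil: 0 });
    return this.state.get(userId);
  }

  // Whole seconds remaining on a lock, or 0 when the account may attempt login.
  lockedFor(userId) {
    const remaining = this._get(userId).lockedUntil - this.now();
    return remaining > 0 ? Math.ceil(remaining / 1000) : 0;
  }

  canAttempt(userId) {
    return this.lockedFor(userId) === 0;
  }

  // Record one failure; the maxAttempts-th consecutive failure starts the lock.
  recordFailure(userId) {
    const s = this._get(userId);
    s.failures += 1;
    if (s.failures >= this.maxAttempts) {
      s.lockedUntil = this.now() + this.lockoutMs;
      s.failures = 0;   // design choice: the count restarts once the lock expires
      return { locked: true, lockedForSeconds: this.lockoutMs / 1000 };
    }
    return { locked: false, remainingAttempts: this.maxAttempts - s.failures };
  }

  recordSuccess(userId) {
    this.state.set(userId, { failures: 0, lockedUntil: 0 });
  }
}

// Check the lock before the credential check so a locked account never
// reaches the password comparison. `checkPassword` is an assumed callback
// returning true/false; the password itself never reaches the throttle.
function attemptLogin(throttle, userId, checkPassword) {
  if (!throttle.canAttempt(userId)) {
    return { ok: false, reason: 'locked', retryAfterSeconds: throttle.lockedFor(userId) };
  }
  if (checkPassword()) {
    throttle.recordSuccess(userId);
    return { ok: true };
  }
  const result = throttle.recordFailure(userId);
  return { ok: false, reason: result.locked ? 'locked' : 'bad_credentials', ...result };
}

// Usage with constructed values.
const demoThrottle = new LoginThrottle();
console.log(attemptLogin(demoThrottle, 'user_123', () => false));
```

The lock is keyed on the account rather than the client address, matching the "tracked per user" behaviour above; a response that includes retryAfterSeconds maps naturally to an HTTP 429 with a Retry-After header.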
Cloudflare Turnstile CAPTCHA can be enabled per project, adding bot protection challenges to sign-up and sign-in flows.
Input Validation
All API inputs are validated using class-validator. Unrecognized fields are automatically stripped (whitelist mode), and requests containing explicitly forbidden fields are rejected. Passwords require a minimum of 8 characters. Database queries use TypeORM parameterized queries to prevent SQL injection.
Webhook Security
Each webhook endpoint is assigned a unique signing secret on creation. Webhook payloads are signed with HMAC-SHA256, and the signature is delivered together with a timestamp in the X-Authon-Signature header. Failed deliveries are retried up to 3 times automatically.
Reporting Vulnerabilities
If you discover a security vulnerability, please report it to security@authon.dev. Do not open a public issue — contact us directly via email.