Skip to content

Latest commit

 

History

History
53 lines (40 loc) · 1.68 KB

File metadata and controls

53 lines (40 loc) · 1.68 KB

Email and password example with 2FA and WebAuthn in Astro

Built with SQLite.

  • Password checks with HaveIBeenPwned
  • Sign in with passkeys
  • Email verification
  • 2FA with TOTP
  • 2FA recovery codes
  • 2FA with passkeys and security keys
  • Password reset with 2FA
  • Login throttling and rate limiting

Emails are just logged to the console. Rate limiting is implemented using JavaScript Map.

Initialize project

Create sqlite.db and run setup.sql.

sqlite3 sqlite.db

Create a .env file. Generate a 128 bit (16 byte) string, base64 encode it, and set it as ENCRYPTION_KEY.

ENCRYPTION_KEY="L9pmqRJnO1ZJSQ2svbHuBA=="

You can use OpenSSL to quickly generate a secure key.

openssl rand --base64 16

Install dependencies and run the application:

pnpm i
pnpm dev

Notes

  • We do not consider user enumeration to be a real vulnerability so please don't open issues on it. If you really need to prevent it, just don't use emails.
  • This example does not handle unexpected errors gracefully.
  • There are some major code duplications (specifically for 2FA) to keep the codebase simple.
  • Astro warns about unused functions (get2FARedirect()) but this is a bug with the language server.
  • TODO: Passkeys will only work when hosted on localhost:4321. Update the host and origin values before deploying.
  • TODO: You may need to rewrite some queries and use transactions to avoid race conditions when using MySQL, Postgres, etc.
  • TODO: Users are not shown their recovery code when they first register their second factor.
  • TODO: This project relies on the X-Forwarded-For header for getting the client's IP address.
  • TODO: Logging should be implemented.