Visit us on Github

plugin-auth-password

The password authentication plugin is used to attach identity & password login to your application. It does so by altering your account model, adding a password field and the identity field configured.
Behind the scenes, it uses bcryptjs to correctly hash user passwords.

Installation and usage
npm i --save thorin-plugin-auth-password@1.x
'use strict';
// app.js entry file
const thorin = require('thorin');

thorin.addPlugin(require('thorin-plugin-auth-password'));   // <- add this line
thorin.run((err) => {});

#update config/app.js with your configuration
# run to setup the models and module
   node app.js --setup=plugin.auth-password
Default configuration
  • modelNameaccountthe name of your model that contains account information
  • storesqlthe store-sql name to use as the database
  • identity.fielduserthe identity field to use for the user id (eg, email, username, etc)
  • identity.typeusernamethe type of identity. Currently only username and email
  • identity.options{}additional field opt to set on the identity field.
  • password.fieldpasswordthe name of the field that will hold the user's password
  • password.policy.minthe minimum number of chars for the password
  • password.policy.upperfalseshould we ask for upper case chars for passwords
  • password.policy.numbersfalseshould we ask for numbers in the password
  • password.policy.specialfalseshould we ask for special chars, like !@#
  • password.options{}additional options to attach to the password model field
  • loginAt.fieldlogin_atfield used to store the last login time. Set loginAt to false to disable.
  • loginAt.options{}additional options to attach to the loginAt model field
Plugin functionality
pluginObj.checkPolicy(password)
Verifies if the given password is accepted by the password policy. If it is not accepted, it will return a thorin.error, otherwise return undefined
pluginObj.hashPassword(password) : Promise
Asynchronously uses bcrypt to hash the given password and resolve with the hashed version of it. Useful for user registration.
pluginObj.comparePassword(password, hashedPassword) : Promise
Compares the two passwords and resolves the promise if they match or reject if they do not.
Authorization middleware
auth#password.login
Authorization middleware to be used in your authenticate endpoint. It will check if the intent has the identity and password field names. If so, query for the account and match the password. Once an account was found and matched the password, it will place in the intent's data object under the configured modelName. 
'use strict';
const storeObj = thorin.store('sql');
dispatcher
   .addAction('account.login')
   // The authorization will essentially add:
   // input({
   //    user: dispatcher.validate('string'),
   //    password: dispatcher.validate('string')
   // })
   // and check the account matching the two.
   .authorize('auth#password.login')
   .use((intentObj, next) => {
      const accountObj = intentObj.data('account');
      log.info('Account logged in');
      next();
   });
auth#password.change
Authorization middleware used to change the password of an account. It will check if the input has {opt.password.field}, {opt.password.field}_new and {opt.password.field}_check, check if they match and finally update the account entity with the new password.
Note: this authorization middleware requires that the account model be placed in the intent's data object under the {opt.modelName} key. 
'use strict';
const storeObj = thorin.store('sql');
dispatcher
   .addAction('account.password.change')
   .use((intentObj, next) => {
      const Account = storeObj.model('account');
      // first read the accountObj that wants to change the password
      Account.find({
         where: {id: 1}
      }).then((accObj) => {
         // and place it under the "account" data field.
         intentObj.data('account', accObj);
      });
   })
   // The authorization will essentially add:
   // input({
   //    password: dispatcher.validate('string'),
   //    password_new: dispatcher.validate('string'),
   //    password_check: dispatcher.validate('string')
   // });
   .authorization('auth#password.change')
   .use((intentObj, next) => {
      log.info('Password changed');
      next();
   });

Every time the user performs a login or changes his password, a auth:history event is fired through the dispatcher. For a more complex example, visit our examples.

Do you have a question or is something missing?

You can always create a new issue on GitHub or contact one of the core founders by chat.