plugin-auth-unloq is a simple & secure multi-factor authentication, transaction authorisation and data encryption service. This plugin enables passwordless authentication via push notifications. It will seamlessly integrate with the UNLOQ API and only requires a few lines of code to enable in your thorin app. You can visit the full documentation of the service and take a look at the Getting Started tutorial to get things going!

Installation and usage
npm i --save thorin-plugin-auth-unloq@1.x
'use strict';
// app.js entry file
const thorin = require('thorin');

thorin.addPlugin(require('thorin-plugin-auth-unloq'));   // <- add this line
thorin.run((err) => {});

# update config/app.js with your configuration
# run to set up the models and module
   node app.js --setup=plugin.auth-unloq
Default configuration
  • key (default: null): your application's API Key
  • secret (default: null): your application's API Secret
  • modelName (default: account): the name of your model that contains account information
  • store (default: sql): the store-sql name to use as the database
  • unloqId.unloqId (default: unloq_id): the field used in your account model to store the user's UnloqID
  • unloqId.options (default: {}): additional field options to set on the unloqId field
  • loginAt.field (default: login_at): field used to store the last login time. Set loginAt to false to disable.
  • loginAt.options (default: {}): additional options to attach to the loginAt model field
  • registration (default: true): by default, users that do not exist in the database will be automatically on-boarded. Set this to false if you want only users that already have an account to log in with UNLOQ.
  • sessionPlugin (default: session): if your application uses the session plugin, we will try to enable remote logout for your users. Setting this to null will completely disable remote logout.

Once you've configured the plugin, you just need to include the login widget script in your login page and create an action that will handle the login webhook.

Plugin functionality
Exposes the UnloqAPI object that can be used to perform API calls. For more information on the API, visit the docs.
Returns the script tag that you can include in your login page view.
  • theme (string): the theme to use for the login widget. Values are light, dark
Authorization middleware
This should be used with your /uauth/login action that handles the login webhook. It will read the access token from the URL and fetch its associated user information from UNLOQ. If everything's ok, it will create or read the account (if necessary) and place it in the intent's data object under the configured modelName.
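'use strict';
thorin.dispatcher
   .addAction('account.login')   // placeholder action name
   .alias('GET', '/uauth/login')   // attach the plugin's login authorization here, before .use()
   .use((intentObj, next) => {
      const accountObj = intentObj.data('account'),   // key is the configured modelName
         unloqData = intentObj.data('unloq');
      console.log(`Account ${accountObj.id} logged in with data:`, unloqData);   // assumes the account model has an id field
      intentObj.session.account = accountObj.id;   // assumption: the account id is what the session stores
      next();
   });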
This should be used with your /uauth/logout webhook, enabling remote logout for your users. If your application is using plugin-session, the user's session will be automatically deleted. If not, a sid key will be placed in the intent's data object, so that you can manually invalidate the session token.
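'use strict';
thorin.dispatcher
   .addAction('account.logout')   // placeholder action name
   .alias('POST', '/uauth/logout')   // attach the plugin's logout authorization here, before .end()
   .end((intentObj) => {
      let sid = intentObj.data('sid'),
         unloqId = intentObj.input('id');
      console.log(`Terminated session ${sid} of user ${unloqId}`);
   });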

Every time the user performs a login, an auth:history event is fired through the dispatcher. This event is captured by plugin-auth-history (if used) and creates an authentication log entry. For a more complex example, visit our examples.
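
The decision path of the login authorization described above, and what the registration option changes for a user who has no account yet, modelled as an added example. This is not the plugin's own code: the token lookup function, the token query key, the id field of the returned user data and the flat option names are assumptions made for illustration.

```javascript
'use strict';
// Added illustration, not the plugin's source. lookupToken, the `token` query key,
// the `id` field of the user data and the flat option names are assumptions.
const DEFAULTS = { modelName: 'account', unloqIdField: 'unloq_id', loginAtField: 'login_at', registration: true };

function makeLoginCheck(options, accounts, lookupToken) {
  const cfg = Object.assign({}, DEFAULTS, options);
  return function check(query, now) {
    const token = query ? query.token : undefined;
    if (typeof token !== 'string' || token === '') return { ok: false, code: 'TOKEN_MISSING' };
    const unloqData = lookupToken(token);            // stand-in for the call to UNLOQ
    if (!unloqData || !unloqData.id) return { ok: false, code: 'TOKEN_INVALID' };
    let account = accounts.find((a) => a[cfg.unloqIdField] === unloqData.id);
    let created = false;
    if (!account) {
      // registration: true on-boards unknown users; false admits existing accounts only
      if (!cfg.registration) return { ok: false, code: 'ACCOUNT_NOT_FOUND' };
      account = { id: accounts.length + 1, [cfg.unloqIdField]: unloqData.id };
      accounts.push(account);
      created = true;
    }
    if (cfg.loginAtField) account[cfg.loginAtField] = now || new Date();
    return { ok: true, created, data: { [cfg.modelName]: account, unloq: unloqData } };
  };
}

// Constructed sample data: one stored account and two tokens the stub accepts.
function sampleRun(registration) {
  const accounts = [{ id: 1, unloq_id: 'u-100' }];
  const tokens = new Map([['tok-known', { id: 'u-100', email: 'a@example.com' }],
                          ['tok-new', { id: 'u-200', email: 'b@example.com' }]]);
  const check = makeLoginCheck({ registration }, accounts, (t) => tokens.get(t));
  return {
    known: check({ token: 'tok-known' }),
    unknown: check({ token: 'tok-new' }),
    bogus: check({ token: 'tok-bogus' }),
    missing: check({}),
    accountCount: accounts.length,
  };
}

console.log(sampleRun(true).unknown.ok, sampleRun(false).unknown.ok);
```

With registration left at its default, any user who completes an UNLOQ login gets an account row created; with registration set to false the same login is rejected and the account table is unchanged.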

Do you have a question or is something missing?

You can always create a new issue on GitHub or contact one of the core founders by chat.