Something aberrant has wandered away from the usual path or form. The word is generally used in a negative way; aberrant behavior, for example, may be a symptom of other problems. But the discovery of an aberrant variety of a species can be exciting news to a biologist, and identifying an aberrant gene has led the way to new treatments for diseases.
Aberrant Authentication GitHub
What is Aberrant Authentication
Aberrant aims to make session tracking and user authentication a breeze. Within minutes, you can have a fully secure solution to a tough problem.
Setup requires no sign-up, it doesn't track your users' usage, and it doesn't require internet access to work.
I believe that access control, session tracking, and authentication should be the first thing done when creating an application. Security doesn't have to be an after-thought anymore; even if you aren't developing online.
Technology and Methodology
The application is built on top of the Spring framework and requires a running database compatible with Liquibase; that's it! I am looking to talk to people who are interested in security / authentication / session tracking and learn about what more I can do to make my solution as secure as possible. The current iteration involves a simple 'username' and 'password' combination which returns a session object if successful. The session object consists of three fields.
- SessionToken: String: Unique key that identifies the session.
- RefreshToken: String: A random key of random length. A new key is generated and sent back with every request.
- RequestNumber: int: Which request the session is on. The client-side application is responsible for incrementing this number itself. A successful request always increments the number; otherwise it's safe to assume it remains the same.
Upon account creation, two different randomly generated strings are stored and then combined with the password to produce the stored hash.
Feature Wishlist
In the interest of getting a little help during Hacktoberfest, I'm adding the features I wish to see in the application.
- Store the request header ("host") in a new table and determine whether the login is coming from a new IP address.
- Lock the account after more than 3 failed attempts; email / security questions required to unlock the account.
- Security questions feature.
- More verbose group / membership handling.
I've got a small Vue.js project that I've been using to interact with the project. I can provide that upon request.
Example Usage
In this example, we will be using JavaScript to request information on a specific user. It's important to note that this example assumes you've already authenticated.
// Send the three session fields kept in localStorage as request headers.
fetch('/api/auth/v1/users/select/user', {
  method: 'GET',
  headers: {
    'sessionToken': localStorage.sessionToken,
    'refreshToken': localStorage.refreshToken,
    'requestNumber': localStorage.requestNumber
  }
}).then((result) => {
  // Every response carries a freshly generated refresh token; store it
  // before reading the body (header names are case-insensitive).
  localStorage.refreshToken = result.headers.get("refreshtoken");
  return result.json();
}).then((data) => {
  let user = data[0];
  // A successful request always increments the request number on the
  // server, so the client must do the same (localStorage holds strings).
  localStorage.requestNumber = Number(localStorage.requestNumber) + 1;
  console.log("Found the user: " + JSON.stringify(user));
}).catch((error) => {
  console.error(error);
});
I would love some feedback on what is good/bad about my ideas / application.
Let me know!