CVE-2021-29452: @curveball/a12n-server
a12n-server is an npm package which aims to provide a simple authentication system. A new HAL-Form was added to allow editing users in version 0.18.0. This feature should only have been accessible to admins. Unfortunately, privileges were incorrectly checked allowing any logged in user to make this change. Patched in v0.18.2.
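The class of mistake described above, as an added illustration that is not a12n-server's own code: an "edit user" action gated on "is logged in" instead of "has the admin privilege", next to the corrected check. The store shape, the privilege name `admin`, the field whitelist and the status codes are assumptions for this example.

```javascript
// Hypothetical sketch of CVE-2021-29452's bug class (not a12n-server code).
// Authentication (who are you) is mistaken for authorization (may you do this).

function makeStore() {
  // Constructed sample accounts; privilege names are assumptions.
  return new Map([
    [1, { id: 1, nickname: 'alice', privileges: ['admin'] }],
    [2, { id: 2, nickname: 'bob', privileges: [] }],
  ]);
}

function isAdmin(user) {
  return Array.isArray(user.privileges) && user.privileges.includes('admin');
}

// Only whitelisted fields are copied, so a caller cannot smuggle a
// privileges change through the patch body.
function applyPatch(target, patch) {
  for (const key of ['nickname', 'active']) {
    if (key in patch) target[key] = patch[key];
  }
  return target;
}

// Vulnerable variant: any logged-in user may edit any account.
function editUserVulnerable(store, caller, targetId, patch) {
  if (!caller) return { status: 401 };
  const target = store.get(targetId);
  if (!target) return { status: 404 };
  return { status: 200, user: applyPatch(target, patch) };
}

// Fixed variant: same flow, plus an explicit privilege check before mutation.
function editUserFixed(store, caller, targetId, patch) {
  if (!caller) return { status: 401 };
  if (!isAdmin(caller)) return { status: 403 };
  const target = store.get(targetId);
  if (!target) return { status: 404 };
  return { status: 200, user: applyPatch(target, patch) };
}

// The HAL-Form that advertises the action should use the same check, so a
// non-admin never sees an edit template in the representation.
function userRepresentation(user, caller) {
  const rep = { id: user.id, nickname: user.nickname, _templates: {} };
  if (caller && isAdmin(caller)) {
    rep._templates.edit = { method: 'PUT', properties: ['nickname', 'active'] };
  }
  return rep;
}
```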
0.21.2 • Public • Published 7 days ago
Authentication API
This package aims to provide a simple authentication system, intended for developers who would otherwise build their own.
The project implements OAuth2 standards where applicable.
Requirements
- Node.js 14.x
- MySQL
Features
- A simple browseable API.
- OAuth2
  - Supported grants: implicit, client_credentials, authorization_code and password.
  - OAuth2 discovery document.
  - PKCE.
  - OAuth2 Token Introspection.
  - JSON Web Key Sets.
  - OAuth2 Token Revocation.
- MFA
  - Google Authenticator (TOTP).
  - WebAuthn / Yubikeys.
- A simple, flat, permission model.
- Registration, lost password.
- secret-token: URI scheme.
Documentation
Check out the Docs folder
The state of this project
If you are thinking of building a new authentication system, and decide to use this project instead, you get a lot of features for free.
The project has been used in production since 2018 and is still actively developed.