CVE-2021-29452: @curveball/a12n-server

a12n-server is an npm package which aims to provide a simple authentication system. A new HAL-Form was added to allow editing users in version 0.18.0. This feature should only have been accessible to admins. Unfortunately, privileges were incorrectly checked, allowing any logged-in user to make this change. Patched in v0.18.2.
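The bug class here is a confusion between authentication (is there a valid session?) and authorization (does the session's user hold the required privilege?). The following is an added example, not code from a12n-server or the advisory: it models an "edit user" endpoint with a constructed user store and session table, shows the check that stops at "logged in" beside the corrected check that requires the admin privilege, and records denied attempts so the difference is observable. All names (users, sessions, handleEditUser, the authorize functions) are assumptions made for this illustration.

```javascript
// Added illustration of the CVE-2021-29452 bug pattern; not a12n-server's code.
// Every identifier below is constructed for this example.

// Constructed user store: id -> record. Privileges are a flat list, in the
// spirit of the "simple, flat, permission model" the README mentions.
const users = new Map([
  [1, { id: 1, nickname: 'alice', privileges: ['admin'] }],
  [2, { id: 2, nickname: 'bob', privileges: [] }],
  [3, { id: 3, nickname: 'carol', privileges: [] }],
]);

// Constructed sessions: bearer token -> user id. An unknown token is
// treated as unauthenticated.
const sessions = new Map([
  ['tok-alice', 1],
  ['tok-bob', 2],
]);

// Vulnerable check: authentication mistaken for authorization. Any caller
// with a valid session passes, which is the defect the advisory describes.
function authorizeEditVulnerable(caller /*, targetId */) {
  return caller !== undefined;
}

// Corrected check: the caller must actually hold the 'admin' privilege.
function authorizeEditFixed(caller /*, targetId */) {
  return caller !== undefined && caller.privileges.includes('admin');
}

// Handles a request to edit user `targetId`. Returns an HTTP-style result
// so the two checks can be compared. `denied` collects rejected attempts,
// the event a defender would want surfaced in an audit log.
function handleEditUser({ token, targetId, body }, authorize, denied = []) {
  const callerId = sessions.get(token);
  const caller = callerId === undefined ? undefined : users.get(callerId);
  if (caller === undefined) {
    return { status: 401 }; // not logged in at all
  }
  if (!authorize(caller, targetId)) {
    denied.push({ caller: caller.id, targetId });
    return { status: 403 }; // logged in, but not permitted
  }
  const target = users.get(targetId);
  if (target === undefined) {
    return { status: 404 };
  }
  // Copy only the field the form is meant to edit. Letting the request body
  // overwrite `privileges` would turn this into privilege escalation.
  users.set(targetId, { ...target, nickname: body.nickname });
  return { status: 200, user: users.get(targetId) };
}

// Stand-alone demonstration: a non-admin editing another account.
const attempt = { token: 'tok-bob', targetId: 3, body: { nickname: 'renamed' } };
console.log('vulnerable:', handleEditUser(attempt, authorizeEditVulnerable).status); // 200
console.log('fixed:     ', handleEditUser(attempt, authorizeEditFixed).status);      // 403
```

The detection angle is the `denied` list: a burst of 403s on an admin-only form from ordinary accounts is the signal to alert on, and in the vulnerable version that signal never fires because the requests succeed.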


0.21.2 • Public • Published 7 days ago


Authentication API

This package provides a simple authentication system, intended as a ready-made alternative for developers who are considering building their own.

The project implements OAuth2 standards where applicable.

Requirements

  • Node.js 14.x
  • MySQL

Features

  • A simple browseable API.
  • OAuth2
    • Supported grants: implicit, client_credentials, authorization_code and password.
    • OAuth2 discovery document.
    • PKCE.
    • OAuth 2 Token Introspection.
    • JSON Web Key Sets.
    • OAuth2 Token Revocation
  • MFA
    • Google Authenticator (TOTP).
    • WebAuthn / YubiKeys
  • A simple, flat, permission model.
  • Registration, lost password.
  • secret-token: URI scheme

Documentation

Check out the Docs folder

The state of this project

If you are thinking of building a new authentication system, and decide to use this project instead, you get a lot of features for free.

The project has been used in production since 2018 and is still actively developed.
