Inspiration

Our task was to design, in under 24 hours, a website with an authentication flow that could not be subverted.

What it does

It is an authentication flow that runs on a node.js server. It uses anonymous callback functions and bcrypt to salt and hash each user's password separately before storing it. Hashing takes about 1 second on average, which makes a dictionary attack much harder to run. It also performs an authorization check before every POST and GET request, so an attacker cannot reach restricted pages simply by manipulating URLs. Further, we return one generic error message for every kind of invalid login, so an attacker cannot easily discover which usernames exist and then target them with brute-force password attempts.

How we built it

It was built on a node.js server with passport and express. We started from a bare-bones .ejs template and added POST and GET handlers for the login and signup pages. Then we wrote a passport config file that authenticates users through anonymous callback functions. Lastly, we added an authorization check before each request so that an attacker who is not logged in cannot browse freely through the pages. Currently, data is stored in a JSON object held in the running server instance; given more time, we would move to MongoDB and use its .save() function to create records and store data more securely.

Challenges we ran into

We initially had a far wider scope than what we were able to accomplish in under 24 hours. We wanted to use the authelia framework to add MFA on top of the authentication workflow. This proved too time-consuming, as it would have required arranging web hosting, creating an LDAP instance and spinning up docker containers to make everything work smoothly. We were also limited by the project's requirement to use only open-source components, which prevented us from using cloud services that would have given us seamless hosting and integration. Given enough time, we would have a live web app with a polished UI, an nginx reverse proxy with authelia running on a node.js server connected to a PostgreSQL database, all on a Heroku app.

Accomplishments that we're proud of

Considering where we started from, we are glad that the webapp is functional to any degree. We have learned a lot about good methods of user authentication, including how to weigh usability against security.

What we learned

Building a secure app is difficult, and the "bulletproof" scope of this activity was a little too ambitious for our experience level. We learned many characteristics of an effective user authentication interface, and now understand that features like MFA, biometric scanning or hardware keys are must-haves for a bulletproof environment.

What's next for Room5 Team13 Auth0

We anticipate that the next steps will be implementing a proper MFA system along with a proper user database.
