auth-module-builder
Auth Module Builder
Implement secure, production-ready authentication systems.
Core Components
Routes: POST /login, /register, /logout, /refresh, /forgot-password
Middleware: authenticate, requireAuth, optionalAuth
Security: bcrypt hashing, JWT signing, secure cookies, CSRF tokens
Session: Redis/DB storage, expiration, refresh tokens
Threats: Document common attacks and mitigations
JWT Pattern
```typescript
import jwt, { JwtPayload } from "jsonwebtoken";
import type { Request, Response, NextFunction } from "express";

// Secrets come from the environment; fail fast at startup if either is missing.
const JWT_SECRET = process.env.JWT_SECRET!;
const JWT_REFRESH_SECRET = process.env.JWT_REFRESH_SECRET!;

// Generate tokens: a short-lived access token and a longer-lived refresh token,
// signed with different secrets so one can never be accepted in place of the other.
// `user` is the record loaded during login.
const accessToken = jwt.sign(
  { userId: user.id, email: user.email },
  JWT_SECRET,
  { expiresIn: "15m" }
);
const refreshToken = jwt.sign(
  { userId: user.id, type: "refresh" },
  JWT_REFRESH_SECRET,
  { expiresIn: "7d" }
);

// Verify middleware: expects "Authorization: Bearer <token>"
export const authenticate = async (req: Request, res: Response, next: NextFunction) => {
  const [scheme, token] = req.headers.authorization?.split(" ") ?? [];
  if (scheme !== "Bearer" || !token) return res.status(401).json({ error: "No token" });
  try {
    // Pin the algorithm so the token cannot choose how it is verified.
    const decoded = jwt.verify(token, JWT_SECRET, { algorithms: ["HS256"] }) as JwtPayload;
    const user = await User.findById(decoded.userId);
    if (!user) return res.status(401).json({ error: "Invalid token" }); // deleted account
    req.user = user; // `user` on Request is declared via the usual Express type augmentation
    next();
  } catch (err) {
    res.status(401).json({ error: "Invalid token" }); // bad signature or expired
  }
};
```
Session Pattern
```typescript
import express from "express";
import session from "express-session";
import RedisStore from "connect-redis"; // connect-redis v7+ default export
import { createClient } from "redis";

const app = express();
const redisClient = createClient({ url: process.env.REDIS_URL });
redisClient.connect().catch(console.error);

// Express session with Redis
app.use(
  session({
    store: new RedisStore({ client: redisClient }),
    secret: process.env.SESSION_SECRET as string, // required; supplied by the environment
    resave: false,
    saveUninitialized: false,
    cookie: {
      secure: process.env.NODE_ENV === "production", // cookie only sent over HTTPS in production
      httpOnly: true, // not readable by page scripts
      maxAge: 1000 * 60 * 60 * 24 * 7, // 7 days
      sameSite: "lax", // first layer of CSRF defence; pair with CSRF tokens
    },
  })
);
```
Password Security
```typescript
import bcrypt from "bcrypt";

const BCRYPT_COST = 10; // work factor; raise over time as hardware gets faster

// Hash password (bcrypt generates a random salt and embeds it in the hash)
const hashedPassword = await bcrypt.hash(password, BCRYPT_COST);
// Verify password against the stored hash; resolves to true/false rather than throwing on mismatch
const isValid = await bcrypt.compare(password, user.hashedPassword);
```
Security Checklist
- Passwords hashed with bcrypt (cost ≥10)
- JWT secrets from environment, rotated regularly
- HTTPS only in production
- httpOnly, secure cookies
- CSRF protection enabled
- Rate limiting on auth routes
- Account lockout after failed attempts
- Password reset tokens expire
- Email verification for new accounts
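The checklist asks that password reset tokens expire; the following added example (not code from the original page) shows one way to issue and redeem such tokens for the /forgot-password route. It uses only Node's `crypto` module; the in-memory `resetStore`, the 15-minute `RESET_TOKEN_TTL_MS` and the selector/verifier token layout are assumptions standing in for the Redis/DB storage the page describes.

```typescript
import { randomBytes, createHash, timingSafeEqual } from "node:crypto";

export const RESET_TOKEN_TTL_MS = 15 * 60 * 1000; // assumed lifetime: 15 minutes

interface ResetRecord {
  userId: string;
  verifierHash: Buffer; // SHA-256 of the secret half; the secret itself is never stored
  expiresAt: number;    // epoch milliseconds
}

// Hypothetical in-memory store standing in for the Redis/DB storage.
const resetStore = new Map<string, ResetRecord>();

const sha256 = (s: string): Buffer => createHash("sha256").update(s).digest();

// Issue a token of the form "<selector>.<verifier>". The selector is only a lookup
// key; the verifier is the secret the user proves possession of, and only its hash
// is persisted, so a leaked store cannot be used to reset anyone's password.
export function issueResetToken(userId: string, now: number = Date.now()): string {
  const selector = randomBytes(12).toString("base64url");
  const verifier = randomBytes(32).toString("base64url");
  resetStore.set(selector, {
    userId,
    verifierHash: sha256(verifier),
    expiresAt: now + RESET_TOKEN_TTL_MS,
  });
  return `${selector}.${verifier}`;
}

// Redeem a token exactly once. Returns the userId on success, or null when the
// token is malformed, unknown, expired, already used, or has the wrong verifier.
export function redeemResetToken(token: string, now: number = Date.now()): string | null {
  const parts = token.split(".");
  if (parts.length !== 2) return null;
  const [selector, verifier] = parts;
  const record = resetStore.get(selector);
  if (!record) return null;
  if (now > record.expiresAt) {
    resetStore.delete(selector); // expired: drop it so the store does not grow
    return null;
  }
  // Both digests are 32 bytes, so timingSafeEqual is safe to call; it keeps the
  // comparison independent of where the first differing byte is.
  if (!timingSafeEqual(record.verifierHash, sha256(verifier))) return null;
  resetStore.delete(selector); // single use: consumed on successful redemption
  return record.userId;
}
```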
Threat Model
Brute Force: Rate limit + account lockout
Token Theft: Short expiry, httpOnly cookies, HTTPS only
CSRF: SameSite cookies + CSRF tokens
Session Fixation: Regenerate session ID on login
XSS: Sanitize inputs, CSP headers