JS20

JS20

Documentation

JS20 - Documentation

Security & Prod checklist

Secure by default

Under the hood, JS20 applies a lot of security features automatically:

  • Global rate limiter
  • Stricter rate limiter for Auth endpoints
  • Security headers (CSP, hsts, etc)
  • Enforcing CORS is set up
  • Remove x-powered-by header
  • No caching for logged in API calls
  • Protection against SQL injections
  • Default error handlers
  • Limits on request body size
  • Cookie expiry, SameSite=lax, httpOnly & enforcing 12 digit secret
  • etc.

Prepare your app for production

When you are ready to deploy your app to production, make sure to:

  • isProduction flag is set to true in the main config
  • Use HTTPS
  • Setup Authenticator with all required options (secret, baseURL, cookie domain, sendEmail, etc)
  • Setup allowedOrigins in the server config to restrict CORS

Configure Authenticator

For production, provide the following options:

  • secret: A strong secret of at least 12 characters
  • baseURL: The base URL of your production app, used for redirecting users after login
  • cookie domain: The domain that owns the authentication cookie
  • cookie path: The path for the authentication cookie
/**
 * Configuration for authentication plugins
 * @param baseURL The base URL of your app, used for redirecting users after login
 * @param secret A secret key used for signing tokens or cookies
 * @param useEmailPassword Whether to enable email and password authentication, defaults to true
 * @param expiresIn The expiration time for tokens or sessions in milliseconds
 * @param cookie Configuration for authentication cookies
 */
export interface AuthConfig {
    baseURL?: string;
    secret?: string;
    useEmailPassword?: boolean;
    expiresIn?: number;
    cookie?: CookieConfig;
    sendEmail?: (email: AuthEmail) => Promise<void>;
}

/**
 * An email to send for authentication purposes
 * @param type The type of email to send (verification, reset, change), in case you want to customize the email content with your own subject or text
 * @param to The recipient's email address
 * @param url The URL to include in the email for the user to click
 * @param subject A simple default subject for the email
 * @param text A simple default text body for the email
 */
export interface AuthEmail {
    type: AuthEmailType;
    to: string;
    url: string;
    subject: string;
    text: string;
}

/**
 * Configuration for authentication cookies
 * @param domain The domain for which the cookie is valid, required in production
 * @param path The path for which the cookie is valid
 */
export interface CookieConfig {
    domain?: string;
    path?: string;
}

You can add it like this:

const authenticator = new BetterAuth(database, {
    secret: 'myproductionsecret',
    baseURL: 'https://myapp.com',
    useEmailPassword: true,
    cookie: {
        domain: 'example.com',
        path: '/',
    }
})

Setting allowedOrigins (CORS)

JS20 allows you to pass along allowedOrigins in the server config of the app. By default, if no origins are provided, it will allow all origins with access-control-allow-origin: *. This feature is not available in production mode, instead you must provide a list of allowed origins.

const app = new App({
    server: {
        allowedOrigins: ['https://example.com', 'https://anotherdomain.com']
    }
});

Custom rate limits

You can set your own rate limits. This is the default:

const defaultConfig: AppConfig = {
    isProduction: true,
    server: {
        type: WebServerType.express,
        port: 3000,
        allowedOrigins: [],
        rateLimit: {
            windowMs: 15 * 60 * 1000,
            max: 300,
        }
    },
}

To customize, you can pass along a rateLimit object in the server config of the app.

const app = new App({
    server: {
        rateLimit: {
            windowMs: 10 * 60 * 1000, // 10 minutes
            max: 100 // limit each IP to 100 requests per windowMs
        }
    }
});
JS20