IAM

Production-grade Identity and Access Management for Node.js and Express

@riavzon/auth is a production-grade authentication service built on Express 5 and MySQL. It ships ready-to-use route sets, middleware, and a fully typed programmatic API that cover every layer of a modern auth stack: JWT access and refresh tokens with configurable rotation, multi-factor authentication, OAuth social login, behavioral anomaly detection, rate limiting, and secure email flows powered by Resend.

You can use this service as a library to build your own custom flows, configure each part of it to suit your app's needs, or run the standalone service that ships with it.

The service integrates directly with Bot Detector for IP geolocation and device fingerprinting, and uses Shield Base databases for disposable-email and threat-intelligence checks.

The service is also available as a Docker image.

IAM is designed to run as a standalone Express service. The Auth H3 Client module connects your Nuxt/H3/Nitro frontend to this service with full session management, multiple OAuth providers, and other boilerplate, so you can get started on actually building your app quickly.

Features

JWT Token Lifecycle
Short-lived access tokens cached in memory for fast verification, and long-lived refresh tokens stored hashed in MySQL with configurable rotation on every use.
Anomaly Detection
Every refresh-token use runs through nine behavioral checks, including canary-cookie matching, IP range comparison, idle-time detection, and device fingerprint consistency, and integrates natively with the Bot Detector service.
Adaptive MFA
Email OTP links are issued automatically when an anomaly is detected. Custom MFA flows let you trigger verification for any sensitive action in your application.
OAuth Social Login
Add any OAuth provider by defining a name and field mapping. Built-in support for standard profile schemas with automatic deduplication against existing accounts.
Rate Limiting
Fully configurable rate limiters for every sensitive endpoint. Backed by in-memory or MySQL stores with blacklist and whitelist support.
Magic Links
Signed temporary JWTs power password reset and MFA email flows. All link tokens are cached and single use by design.
Password Security
Argon2id hashing with a configurable pepper, time cost, memory cost, and hash length. Built-in disposable-email detection via Shield Base LMDB.
HMAC Service Auth
Optional shared-secret HMAC authentication layer for inter-service calls with clock-skew tolerance and request signing.
mTLS support
The Auth H3 Client lets you easily configure mTLS to the auth service.
Detects Leaked Credentials
Uses the haveibeenpwned API, searched by hash range using k-anonymity, to detect whether a newly signing-up user has chosen a leaked password and whether a logging-in user's password has been found in a data breach.
Logging
Ships with both an HTTP logger and a general logger powered by pino.
Docker
Comes with a hardened Docker image in which your secrets are encrypted at rest and deleted after they are loaded.

Documentation

Getting Started
Prerequisites, installation, and first run.
Essentials
Token lifecycle, authentication flows, anomaly detection, MFA, rate limiting, database schema, and every core subsystem.
Security
Password hashing with Argon2id, cookie security, XSS defenses, and an overview of the defense strategy.
Guides
RBAC, deployment, and other guides for using this service.
Configuration
Complete reference for the configuration object passed to the IAM service, including database, JWT, email, and rate-limiter options.
API Reference
Complete reference for all exported functions, middlewares, and routes.