{"id":13772889,"url":"https://github.com/bitpay/bitauth","last_synced_at":"2025-10-05T00:36:22.486Z","repository":{"id":16560980,"uuid":"19314786","full_name":"bitpay/bitauth","owner":"bitpay","description":"Authenticate with web services utilizing the same strategy as Bitcoin.","archived":false,"fork":false,"pushed_at":"2024-10-21T17:29:14.000Z","size":519,"stargazers_count":503,"open_issues_count":40,"forks_count":176,"subscribers_count":45,"default_branch":"master","last_synced_at":"2025-09-09T03:53:48.297Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bitpay.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2014-04-30T13:42:25.000Z","updated_at":"2025-09-07T09:58:15.000Z","dependencies_parsed_at":"2024-01-13T09:35:52.205Z","dependency_job_id":"9dea5acd-021e-4b87-aee5-c97ca7b1d3e5","html_url":"https://github.com/bitpay/bitauth","commit_stats":{"total_commits":60,"total_committers":13,"mean_commits":4.615384615384615,"dds":0.5,"last_synced_commit":"68cf0353bf517a7e5293478608839fa904351eb6"},"previous_names":[],"tags_count":8,"template":false,"template_full_name":null,"purl":"pkg:github/bitpay/bitauth","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bitpay%2Fbitauth","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bitpay%2Fbitauth/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bitpay%2Fbitauth/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bitpay%2Fbitauth/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bitpay","download_url":"https://codeload.github.com/bitpay/bitauth/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bitpay%2Fbitauth/sbom","scorecard":{"id":240540,"data":{"date":"2025-08-11","repo":{"name":"github.com/bitpay/bitauth","commit":"68cf0353bf517a7e5293478608839fa904351eb6"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3.3,"checks":[{"name":"Pinned-Dependencies","score":-1,"reason":"no dependencies found","details":null,"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Code-Review","score":5,"reason":"Found 8/16 approved changesets -- score normalized to 5","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":-1,"reason":"No tokens found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact v0.1.2 not signed: https://api.github.com/repos/bitpay/bitauth/releases/684813","Warn: release artifact v0.1.1 not signed: https://api.github.com/repos/bitpay/bitauth/releases/646341","Warn: release artifact v0.1.2 does not have provenance: https://api.github.com/repos/bitpay/bitauth/releases/684813","Warn: release artifact v0.1.1 does not have provenance: https://api.github.com/repos/bitpay/bitauth/releases/646341"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 22 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-17T06:37:17.584Z","repository_id":16560980,"created_at":"2025-08-17T06:37:17.584Z","updated_at":"2025-08-17T06:37:17.584Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":278395882,"owners_count":25979685,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-04T02:00:05.491Z","response_time":63,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-03T17:01:08.904Z","updated_at":"2025-10-05T00:36:22.470Z","avatar_url":"https://github.com/bitpay.png","language":"JavaScript","readme":"BitAuth\n=======\n\nPasswordless authentication using Bitcoin cryptography\n\n## Overview\n\nBitAuth is a way to do secure, passwordless authentication using the cryptography\nin Bitcoin. Instead of using a shared secret, the client signs each request using\na private key and the server checks to make sure the signature is valid and matches\nthe public key.\n\n## Getting started\n\nInstall with Node.js:\n\n```bash\nnpm install bitauth\n```\n\n## Advantages over other authentication mechanisms\n\n* By signing each request, man in the middle attacks are impossible.\n* A nonce is part of the data signed, which prevents replay attacks.\n* The cryptography in Bitcoin is rock solid and is securing billions\n of dollars worth of bitcoins.\n* It uses elliptic curve cryptography which performs much better than RSA.\n* Because the private key is never revealed to the server, it does\nnot need to be exchanged between the server and client over a side channel like\nin HMAC.\n\n## Technical Overview\nBitAuth uses the same technology in Bitcoin. A public private key pair is created\nusing elliptic curve secp256k1. The public SIN (System identification number),\nlike a bitcoin address, is the RIPEMD 160, SHA256 hash of the public key.\nSee https://en.bitcoin.it/wiki/Identity_protocol_v1 for complete details.\n\nIn each request, the client includes a nonce to prevent replay attacks. The client\nsigns the full url with the request body concatenated if there is one. The signature\nis included in the `x-signature` header and the public key is included in the\n`x-identity` header.\n\nThe server verifies that the signature is valid and that it matches the identity (the public key).\nIt then computes the SIN from the public key, and sees whether that SIN has access\nto the requested resource. The nonce is checked to make sure it is higher than\nthe previously used nonce.\n\n## Technology is readily available\n\nWith the growing popularity of Bitcoin, there are already libraries written in\nmany languages. Because BitAuth uses the same technology as Bitcoin, it is easy\nto start using BitAuth.\n\n\n## Problems with password authentication\n\n* Have to keep track of a separate password for every web service. People forget\npasswords, encouraging them to reuse passwords and opening themselves up to\nhaving multiple services compromised.\n* Brute force attacks on weak passwords.\n* Passwords may travel over plaintext\n* Passwords in databases being leaked\n* Phishing attacks to steal passwords\n\n## Passwordless based authentication across web services\n\nWith BitAuth, users can use the same, strong password to encrypt their keys and\nnot worry about one service gaining access to another.\n\nIn the future, an identity system could be built around BitAuth keys where a user\ncould create one key to represent an identity which could authenticate against\nmultiple services.\n\nIn order for this to work, there would have to be a browser\nintegration or plugin which would manage these identities and a Javascript API\nwhere websites could sign requests going to their website with the private key,\nbut without exposing the private key to the third party sites.\n\nThere also needs to be a public place to store SIN's, preferably in\na decentralized blockchain or datastore like namecoin. Key revocations could\nbe stored here as well as reviews/feedback to build a reputation around an\nidentity.\n\n## Examples\n\nExample server\n\n```javascript\nvar express = require('express');\nvar bodyParser = require('body-parser');\nvar rawBody = require('../lib/middleware/rawbody');\nvar bitauth = require('../lib/middleware/bitauth');\n\nvar users = {\n  'Tf7UNQnxB8SccfoyZScQmb34V2GdEtQkzDz': {name: 'Alice'},\n  'Tf22EUFxHWh4wmA3sDuw151W5C5g32jgph2': {name: 'Bob'}\n};\n\nvar pizzas = [];\n\nvar app = express();\napp.use(rawBody);\napp.use(bodyParser());\n\n\napp.get('/user', bitauth, function(req, res) {\n  if(!req.sin || !users[req.sin]) return res.send(401, {error: 'Unauthorized'});\n  res.send(200, users[req.sin]);\n});\n\napp.post('/pizzas', bitauth, function(req, res) {\n  if(!req.sin || !users[req.sin]) return res.send(401, {error: 'Unauthorized'});\n  var pizza = req.body;\n  pizza.owner = users[req.sin].name;\n  pizzas.push(pizza);\n  res.send(200, req.body);\n});\n\napp.get('/pizzas', function(req, res) {\n  res.send(200, pizzas);\n});\n\napp.listen(3000);\n```\n\nExample client\n\n```javascript\nvar request = require('request');\nvar bitauth = require('../lib/bitauth');\n\n// These can be generated with bitauth.generateSin()\nvar keys = {\n  alice: '38f93bdda21a5c4a7bae4eb75bb7811cbc3eb627176805c1009ff2099263c6ad',\n  bob: '09880c962437080d72f72c8c63a69efd65d086c9e7851a87b76373eb6ce9aab5'\n};\n\n// GET\n\nfor(k in keys) {\n  var url = 'http://localhost:3000/user';\n  var dataToSign = url;\n  var options = {\n    url: url,\n    headers: {\n      'x-identity': bitauth.getPublicKeyFromPrivateKey(keys[k]),\n      'x-signature': bitauth.sign(dataToSign, keys[k])\n    }\n  };\n\n  request.get(options, function(err, response, body) {\n    if(err) {\n      console.log(err);\n    }\n    if(body) {\n      console.log(body);\n    }\n  });\n}\n\nvar pizzas = ['pepperoni', 'sausage', 'veggie', 'hawaiian'];\n\n// POST\n\nfor(k in keys) {\n  var url = 'http://localhost:3000/pizzas';\n  var data = {type: pizzas[Math.floor(Math.random() * pizzas.length)]};\n  var dataToSign = url + JSON.stringify(data);\n  var options = {\n    url: url,\n    headers: {\n      'x-identity': bitauth.getPublicKeyFromPrivateKey(keys[k]),\n      'x-signature': bitauth.sign(dataToSign, keys[k])\n    },\n    json: data\n  };\n\n  request.post(options, function(err, response, body) {\n    if(err) {\n      console.log(err);\n    }\n    if(body) {\n      console.log(body);\n    }\n  });\n}\n\n```\n\n## Middleware\nBitAuth exposes a connect middleware for use in connect or ExpressJS applications.  Use:\n```javascript\nvar bitauth = require('bitauth');\napp.use( bitauth.middleware );\n```\n","funding_links":[],"categories":["List of content","JavaScript","High-level application","Public Chain"],"sub_categories":["Utilities","Others"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbitpay%2Fbitauth","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbitpay%2Fbitauth","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbitpay%2Fbitauth/lists"}