{"id":15492902,"url":"https://github.com/juancastillo0/dart_auth","last_synced_at":"2025-10-15T12:27:21.221Z","repository":{"id":100588421,"uuid":"600310520","full_name":"juancastillo0/dart_auth","owner":"juancastillo0","description":"Integrations and tools for authentication in Dart applications and servers. Supports multiple OAuth2 and OpenIdConnect providers, and custom methods such as email, phone, username or TOTP (time-based one-time password).","archived":false,"fork":false,"pushed_at":"2023-06-04T03:59:27.000Z","size":1352,"stargazers_count":5,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-03-29T18:11:23.424Z","etag":null,"topics":["2fa","authentication","authorization","backend","dart","flutter","frontend","jwt","mfa","oauth","oauth2","openid-connect","shelf","totp"],"latest_commit_sha":null,"homepage":"","language":"Dart","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/juancastillo0.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-02-11T04:51:26.000Z","updated_at":"2024-12-29T22:54:33.000Z","dependencies_parsed_at":"2025-03-04T07:31:49.054Z","dependency_job_id":"052ad01e-68db-4ada-a2e7-44f4e20d420b","html_url":"https://github.com/juancastillo0/dart_auth","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/juancastillo0%2Fdart_auth","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/juancastillo0%2Fdart_auth/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/juancastillo0%2Fdart_auth/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/juancastillo0%2Fdart_auth/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/juancastillo0","download_url":"https://codeload.github.com/juancastillo0/dart_auth/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250310071,"owners_count":21409594,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["2fa","authentication","authorization","backend","dart","flutter","frontend","jwt","mfa","oauth","oauth2","openid-connect","shelf","totp"],"created_at":"2024-10-02T08:02:37.482Z","updated_at":"2025-10-15T12:27:16.188Z","avatar_url":"https://github.com/juancastillo0.png","language":"Dart","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003c!-- \nThis README describes the package. If you publish this package to pub.dev,\nthis README's contents appear on the landing page for your package.\n\nFor information about how to write a good package README, see the guide for\n[writing package pages](https://dart.dev/guides/libraries/writing-package-pages). \n\nFor general information about developing packages, see the Dart guide for\n[creating packages](https://dart.dev/guides/libraries/create-library-packages)\nand the Flutter guide for\n[developing packages and plugins](https://flutter.dev/developing-packages). \n--\u003e\n\n# Dart Authenticator\n\nProvides integrations and configuration for implementing authentication within your Dart applications and servers. Supports multiple [OAuth2/OpenIdConnect providers](#providers) and custom [credentials](#credentials-username-or-email-and-password) such as email, phone, username or time-based one-time password (TOTP).\n\n[Flutter](https://github.com/flutter/flutter) package for an integrated authentication flow and a [`package:shelf`](https://pub.dev/packages/shelf) web server for implementing the backend authentication endpoints.\n\nThis repository is a monorepo with the following packages:\n\n| Package           | Description                                                                                       | pub.dev |\n| ----------------- | ------------------------------------------------------------------------------------------------- | ------- |\n| dart_auth         | Core package with all models and the logic for implementing the\u003cbr\u003e server or client applications |         |\n| dart_auth_shelf   | Shelf bindings for implementing authentication for a backend\u003cbr\u003e web server using shelf           |         |\n| dart_auth_flutter | Widgets and API integration for authentication in Flutter applications                            |         |\n\n\n\n# Table Of Contents\n\n- [Dart Authenticator](#dart-authenticator)\n- [Table Of Contents](#table-of-contents)\n- [Features](#features)\n- [Endpoints](#endpoints)\n  - [Authentication Providers](#authentication-providers)\n  - [Sign In](#sign-in)\n  - [Sign Up](#sign-up)\n  - [Sign Out (Session JWT Revoke)](#sign-out-session-jwt-revoke)\n    - [Sign Out multiple sessions](#sign-out-multiple-sessions)\n  - [JSON Web Tokens (JWT)](#json-web-tokens-jwt)\n    - [Multiple Sessions](#multiple-sessions)\n    - [Multiple Devices](#multiple-devices)\n    - [Refresh Token](#refresh-token)\n  - [OAuth2 Callbacks](#oauth2-callbacks)\n    - [OAuth2 Notifications Webhooks](#oauth2-notifications-webhooks)\n- [Access Tokens and Authentication Headers](#access-tokens-and-authentication-headers)\n  - [JSON Web Tokens (JWT)](#json-web-tokens-jwt-1)\n  - [Sessions](#sessions)\n- [Providers](#providers)\n  - [OAuth2 and OpenID Connect](#oauth2-and-openid-connect)\n  - [Scopes](#scopes)\n    - [Other Custom Provider](#other-custom-provider)\n    - [apple](#apple)\n    - [discord](#discord)\n    - [facebook](#facebook)\n    - [github](#github)\n    - [google](#google)\n    - [linkedin](#linkedin)\n    - [microsoft](#microsoft)\n    - [reddit](#reddit)\n    - [steam](#steam)\n    - [twitter](#twitter)\n    - [spotify](#spotify)\n  - [OAuth2 and OpenIdConnect server](#oauth2-and-openidconnect-server)\n  - [Credentials: Username or Email and Password](#credentials-username-or-email-and-password)\n    - [Isolates](#isolates)\n  - [Email, Phone and Magic Link](#email-phone-and-magic-link)\n  - [Multi-Factor Authentication (MFA or 2FA)](#multi-factor-authentication-mfa-or-2fa)\n    - [Example:](#example)\n  - [Time-based One-Time Password (TOTP)](#time-based-one-time-password-totp)\n- [Persistence and Models](#persistence-and-models)\n  - [SQL Databases Table Schemas](#sql-databases-table-schemas)\n    - [User Model](#user-model)\n    - [Account Model](#account-model)\n    - [Session Model](#session-model)\n    - [AuthState Model](#authstate-model)\n    - [UserChangeEvent Model](#userchangeevent-model)\n- [OAuth2 Authentication Flows](#oauth2-authentication-flows)\n  - [Authentication Code and Tokens](#authentication-code-and-tokens)\n  - [Device Code (Smart TV, CLI app, no redirect uri in browser)](#device-code-smart-tv-cli-app-no-redirect-uri-in-browser)\n  - [Implicit Flow (frontend, no client secret, no refresh token)](#implicit-flow-frontend-no-client-secret-no-refresh-token)\n- [Admin Dashboard](#admin-dashboard)\n- [Backend Config](#backend-config)\n  - [Config](#config)\n  - [AppCredentialsConfig](#appcredentialsconfig)\n  - [Rate Limiting](#rate-limiting)\n    - [PersistenceRateLimiter](#persistenceratelimiter)\n      - [RateLimit Headers](#ratelimit-headers)\n  - [Session Dates Verification](#session-dates-verification)\n- [Frontend Client](#frontend-client)\n  - [Frontend Client GlobalState](#frontend-client-globalstate)\n    - [Global State](#global-state)\n    - [AuthClient State](#authclient-state)\n    - [Admin State](#admin-state)\n  - [Endpoint](#endpoint)\n  - [Flutter](#flutter)\n    - [Multiple sessions per device](#multiple-sessions-per-device)\n- [Translations, Localization and Internationalization (l10n and i18n)](#translations-localization-and-internationalization-l10n-and-i18n)\n  - [Backend Translations](#backend-translations)\n    - [Translation class](#translation-class)\n  - [Frontend Translations](#frontend-translations)\n  - [Getting started](#getting-started)\n  - [Usage](#usage)\n  - [Additional information](#additional-information)\n\n\nTODO: Put a short description of the package here that helps potential users\nknow whether this package might be useful for them.\n\n# Features\n\n\n# Endpoints\n\n\n| HTTP Method | Path                           | Path Params           | Input Payload | Output Body | Description |\n| ----------- | ------------------------------ | --------------------- | ------------- | ----------- | ----------- |\n| GET         | oauth/providers                |                       |               |             |             |\n| GET         | oauth/url/$providerId          | - $providerId: String |               |             |             |\n| GET         | oauth/device/$providerId       | - $providerId: String |               |             |             |\n| GET/POST    | oauth/callback/$providerId     | - $providerId: String |               |             |             |\n| GET         | oauth/state                    |                       |               |             |             |\n| WS          | oauth/subscribe                |                       |               |             |             |\n| POST        | jwt/refresh                    |                       |               |             |             |\n| POST        | jwt/revoke                     |                       |               |             |             |\n| GET         | user/me                        |                       |               |             |             |\n| POST        | user/mfa                       |                       |               |             |             |\n| DELETE      | providers/delete/$providerId   | - $providerId: String |               |             |             |\n| PUT         | credentials/update/$providerId | - $providerId: String |               |             |             |\n| POST        | credentials/signin/$providerId | - $providerId: String |               |             |             |\n| POST        | credentials/signup/$providerId | - $providerId: String |               |             |             |\n| GET         | admin/users                    |                       |               |             |             |\n\n## Authentication Providers\n\nGET \"/providers\"\n\nReturns a list of the supported authentication providers. Separated between OAuth and Credentials providers. Useful for presenting the sign up and sign in forms.\n\n## Sign In\n\nPOST \"/credentials/signin\"\n\nLogs in an user using a credentials providers\n\n// TODO: ask for user if they would like to create an account\n\n## Sign Up\n\nPOST \"/credentials/signup\"\n\nRegisters an user using a credentials providers\n\n## Sign Out (Session JWT Revoke)\n\nPOST \"/jwt/revoke\"\n\nLogs out an user. The access tokens are not revoked, only the refresh token is revoked. The session is updated so the `endedAt` date is set to the current timestamp and a session ended event is saved.\n\n### Sign Out multiple sessions\n\n// TODO: Not implemented. Manage multiple sessions\n\n## JSON Web Tokens (JWT)\n\n// TODO: Encryption\n\n### Multiple Sessions\n\n### Multiple Devices\n\n### Refresh Token\n\nPOST \"/jwt/refresh\"\n\nRetrieves a new access token from a refresh token. Return Unauthorized if the refresh token has been [revoked](#sign-out-session-jwt-revoke).\n\n## OAuth2 Callbacks\n\n### OAuth2 Notifications Webhooks\n\nGET or POST \"oauth/callback/\u003cproviderId\u003e\"\n\nThe OAuth2 authentication providers will send a request to this endpoint with the result of the authentication flow.\n\n# Access Tokens and Authentication Headers\n\nWe use JSON Web Tokens (JWT) for managing user authentication and a session for revoking access. The token should be sent through the `Authorization` HTTP header.\n\n## JSON Web Tokens (JWT)\n\nWe use the [`package:jose`](https://pub.dev/packages/jose)\n## Sessions\n\nA session contains the information about the authentication state and other metadata such as the device, platform, last login date the authentication providers used.\n\n# Providers\n\n## OAuth2 and OpenID Connect\n\nWe implement multiple predefined authentication providers for social sign in though OAuth2 and OpenID Connect.\n\n## Scopes\n\nYou may add additional scopes, for example for the `GoogleProvider`, you may add a scope to access the user's  Google Drive and backup you application data, the `TwitterProvider` to write tweets, the `DiscordProvider` to send messages or the `GithubProvider` to access private repositories.\n\n\n\n| provider  | logo                                                                | scope                                  | documentation                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | implicit flow | device flow | email | phone | picture | OpenId                                                                                   |\n| --------- | ------------------------------------------------------------------- | -------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------- | ----------- | ----- | ----- | ------- | ---------------------------------------------------------------------------------------- |\n| Apple     | ![Apple](./lib/assets/oauth_providers_icons/apple.svg)              | \"openid name email\"                    | [OpenIdConnect](https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_rest_api), [Revoke](https://developer.apple.com/documentation/sign_in_with_apple/revoke_tokens), [Apps](https://developer.apple.com/documentation/sign_in_with_apple/configuring_your_environment_for_sign_in_with_apple)                                                                                                                                                                                                                                                  | ❌             | ❌           | ✅*    | ❌     | ❌       | [config](https://appleid.apple.com/.well-known/openid-configuration)                     |\n| Discord   | ![Discord](./lib/assets/oauth_providers_icons/discord.svg)          | \"identify email\"                       | [OAuth2](https://discord.com/developers/docs/topics/oauth2), [Apps](https://discord.com/developers/applications), [User](https://discord.com/api/oauth2/@me), [Scopes](https://discord.com/developers/docs/topics/oauth2#shared-resources-oauth2-scopes)                                                                                                                                                                                                                                                                                                                   | ✅             | ❌           | ✅     | ❌     | ✅*      | ❌                                                                                        |\n| Facebook  | ![Facebook](./lib/assets/oauth_providers_icons/facebook.svg)        | \"public_profile,email\"                 | [OAuth2](https://developers.facebook.com/docs/facebook-login/guides/advanced/manual-flow#confirm), [Device](https://developers.facebook.com/docs/facebook-login/for-devices), [Revoke](https://developers.facebook.com/docs/facebook-login/guides/permissions/request-revoke#revokelogin), [User](https://graph.facebook.com/v16.0/me), [Scopes](https://developers.facebook.com/docs/permissions/reference)                                                                                                                                                               | ❌             | ✅           | ✅     | ❌     | ✅       | ✅*                                                                                       |\n| Github    | ![Github](./lib/assets/oauth_providers_icons/github.svg)            | \"read:user user:email\"                 | [OAuth2](https://docs.github.com/en/developers/apps/building-oauth-apps/authorizing-oauth-apps), [Device](https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps#device-flow), [Revoke](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/token-expiration-and-revocation), [User](https://api.github.com/applications/$clientId/token), [Scopes](https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps)                                                                        | ❌             | ✅           | ✅     | ❌     | ✅       | ❌                                                                                        |\n| Google    | ![Google](./lib/assets/oauth_providers_icons/google.svg)            | \"openid email profile\"                 | [OAuth2](https://developers.google.com/identity/protocols/oauth2/web-server), [OpenIDConnect](https://developers.google.com/identity/openid-connect/openid-connect), [Scopes Device](https://developers.google.com/identity/protocols/oauth2/limited-input-device#allowedscopes)                                                                                                                                                                                                                                                                                           | ❌             | ✅           | ✅     | ❌     | ✅       | [config](https://accounts.google.com/.well-known/openid-configuration)                   |\n| Microsoft | ![Microsoft Azure AD](./lib/assets/oauth_providers_icons/azure.svg) | \"openid email profile offline_access\"  | [OpenIDConnect](https://learn.microsoft.com/en-us/azure/active-directory/develop/scopes-oidc), [Apps](https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app), [User](https://learn.microsoft.com/en-us/azure/active-directory/develop/userinfo)                                                                                                                                                                                                                                                                                         | ✅             | ✅           | ✅     | ❌     | ✅       | [config](https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration) |\n| Reddit    | ![Reddit](./lib/assets/oauth_providers_icons/reddit.svg)            | \"identity\"                             | [OAuth2](https://github.com/reddit-archive/reddit/wiki/OAuth2), [ClientCredentials](https://github.com/reddit-archive/reddit/wiki/OAuth2#application-only-oauth), [Apps](https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app), [User](https://www.reddit.com/dev/api/#GET_api_v1_me)                                                                                                                                                                                                                                                  | ✅             | ❌           | ❌*    | ❌     | ❌*      | ❌                                                                                        |\n| Spotify   | ![Spotify](./lib/assets/oauth_providers_icons/spotify.svg)          | \"user-read-private user-read-email\"    | [OAuth2](https://developer.spotify.com/documentation/general/guides/authorization/), [Revoke](https://developer.spotify.com/community/news/2016/07/25/app-ready-token-revoke/), [User](https://developer.spotify.com/documentation/web-api/reference/#/operations/get-current-users-profile)                                                                                                                                                                                                                                                                               | ✅             | ❌           | ✅     | ❌     | ✅       | ❌                                                                                        |\n| Twitch    | ![Twitch](./lib/assets/oauth_providers_icons/twitch.svg)            | \"user:read:email openid\"               | [Scopes](https://dev.twitch.tv/docs/authentication/scopes/)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | ✅             | ❌           | ✅     | ❌     | ✅       | [config](https://id.twitch.tv/oauth2/.well-known/openid-configuration)                   |\n| Twitter   | ![Twitter](./lib/assets/oauth_providers_icons/twitter.svg)          | \"users.read tweet.read offline.access\" | [OAuth2](https://developer.twitter.com/en/docs/authentication/oauth-2-0/authorization-code), [Revoke](https://api.twitter.com/oauth2/invalidate_token), [User](https://developer.twitter.com/en/docs/twitter-api/v1/accounts-and-users/manage-account-settings/api-reference/get-account-verify_credentials), [UserModel](https://developer.twitter.com/en/docs/twitter-api/data-dictionary/object-model/user), [TokenModel](https://developer.twitter.com/en/docs/twitter-api/v1/accounts-and-users/manage-account-settings/api-reference/get-account-verify_credentials) | ❌             | ❌           | ✅*    | ❌     | ✅       | ❌                                                                                        |\n\n\n\n### Other Custom Provider\n### apple\n### discord\n### facebook\n### github\n### google\n### linkedin\n### microsoft\n### reddit\n### steam\n### twitter\n### spotify\n\nGitLab\nTikTok\nDropbox\nAtlassian\nSlack\n\n## OAuth2 and OpenIdConnect server\n\n// TODO: \n\n## Credentials: Username or Email and Password\n\nWe use [Argon2](https://en.wikipedia.org/wiki/Argon2) though the [`package:argon2`](https://pub.dev/packages/argon2) for hashing the passwords. The `passwordHash` is stored in the [account Model](#account-model) with the Argon2 configuration used to create it.\n\n### Isolates\n\nYou may use isolates for hashing. This allows to share the compute load between isolates.\n\n## Email, Phone and Magic Link\n\nPasswordless login is also implemented for email and phone providers through magic links or authentication codes sent to the email or phone. The provider gives you the authentication code, you may choose to only presente it as a link or show the code to the user. You can configure the way the code is generated. \n\nYou have to use an external provider for sending the verification email or sms. For email you may use a services such as Mailjet and send the email using [`package:mailer`](https://pub.dev/packages/mailer), or perhaps by using an API given by the email or sms provider (some expose REST APIs, for example).\n\n\n## Multi-Factor Authentication (MFA or 2FA)\n\nMulti-Factor authentication allows you to increase the security of your users' accounts by adding other authentication steps before an user can be signed in. For that, we provide the following configuration:\n\n- Required providers: The set of required providers to sign in.\n- Optional providers: The set of optional providers to sign in.\n- Optional amount: The number of optional providers to satisfy in order to sign in into the account.\n\nYou may combine any OAuth2 or Credential provider in your configuration.\n\n### Example:\n\nIf you have the following configuration:\n\n- Required providers: [`provider1`]\n- Optional providers: [`provider2`, `provider3`] \n- Optional amount: 1\n\nYou will need to sign in with `provider1` since it is required as well as at least one (the optional amount) of `provider2` or `provider3`.\n\n## Time-based One-Time Password (TOTP)\n\nWe use the [`package:otp`](https://pub.dev/packages/otp) for computing the TOTP from the shared secret.\n\nThis allows the user to sign in with an authenticator application that supports Time-Base One-Time Passwords (TOTP) such as Google Authenticator, Twilio Authy or Microsoft Authenticator.\n\n# Persistence and Models\n\nWhen using the backend server, the information should be stored to maintain the user's authentication providers, the user's account, sessions and other authentication information.\n\nYou may use any database or service for storing the information by implementing the [`Persistence Interface`](./lib/src/data.dart). We provide a `InMemoryPersistence` for testing and an `SQLPersistence` for SQL databases.\n\n## SQL Databases Table Schemas\n\nThe tables used by the authentication server are the following:\n\n### User Model\n\nThe main user table saves the user's `id`, `name`, `picture`, the creation date and the multi factor authentication configuration as a JSON String (`multiFactorAuth`). The userId is the primary key and it is immutable along with the `createdAt`.\n\n```sql\nCREATE TABLE IF NOT EXISTS ${tables.user} (\n  userId TEXT NOT NULL,\n  name TEXT NULL,\n  picture TEXT NULL,\n  createdAt DATE NOT NULL DEFAULT CURRENT_TIMESTAMP,\n  multiFactorAuth $jsonType NOT NULL,\n  PRIMARY KEY (userId)\n);\n```\n\n### Account Model\n\nEach user can have multiple authentication provider accounts. They save the information required to access the user's data `rawUserData` and expose typical user information such as the `email`, `phone`, `name` and `picture` retrieved from the authentication provider.\n\n```sql\nCREATE TABLE IF NOT EXISTS ${tables.account} (\n  userId TEXT NOT NULL,\n  providerId TEXT NOT NULL,\n  providerUserId TEXT NOT NULL,\n  name TEXT NULL,\n  picture TEXT NULL,\n  email TEXT NULL,\n  emailIsVerified BOOL NOT NULL,\n  phone TEXT NULL,\n  phoneIsVerified BOOL NOT NULL,\n  rawUserData $jsonType NOT NULL,\n  createdAt DATE NOT NULL DEFAULT CURRENT_TIMESTAMP,\n  PRIMARY KEY (providerId, providerUserId),\n  FOREIGN KEY (userId) REFERENCES ${tables.user} (userId)\n);\n```\n\n### Session Model\n\nAn user can have multiple sessions. This is used to revoke sessions, when the `endedAt` Date is not null, then the session has ended and the `refreshToken` can not be used to retrieve a new access token. `mfa` contains the authentication providers used to authenticate the session. `meta` is other custom user or session information and `deviceId` maybe set to identify sessions within a given device.\n\n```sql\nCREATE TABLE IF NOT EXISTS ${tables.session} (\n  sessionId TEXT NOT NULL,\n  deviceId TEXT NULL,\n  refreshToken TEXT NULL,\n  userId TEXT NOT NULL,\n  meta $jsonType NULL,\n  mfa $jsonType NOT NULL,\n  endedAt DATE NULL,\n  createdAt DATE NOT NULL DEFAULT CURRENT_TIMESTAMP,\n  PRIMARY KEY (sessionId),\n  FOREIGN KEY (userId) REFERENCES ${tables.user} (userId)\n);\n```\n\n### AuthState Model\n\nThe authentication state is a simple key-value table with information of authentication flows. They save the status and other metadata of authentication requests that require user interaction and may unfinished. For example, OAuth2 flows or Email/Phone magic links/codes that require the user to authorize the app or input an authorization code. This is also used for [Multi-Factor Authentication](#multi-factor-authentication-mfa-or-2fa) flows.\n\n```sql\nCREATE TABLE IF NOT EXISTS ${tables.authState} (\n  key TEXT NOT NULL,\n  value $jsonType NOT NULL,\n  createdAt DATE NOT NULL DEFAULT CURRENT_TIMESTAMP,\n  PRIMARY KEY (key)\n);\n```\n\n### UserChangeEvent Model\n\nA table with the events that occur to an user's account. Useful for tracing the account's behavior and identifying unwanted access.\n\n\n```sql\nCREATE TABLE IF NOT EXISTS ${tables.userEvent} (\n  key TEXT NOT NULL,\n  type TEXT NOT NULL,\n  value $jsonType NOT NULL,\n  sessionId TEXT NOT NULL,\n  userId TEXT NOT NULL,\n  createdAt DATE NOT NULL DEFAULT CURRENT_TIMESTAMP,\n  FOREIGN KEY (userId) REFERENCES ${tables.user} (userId)\n  FOREIGN KEY (sessionId, userId) REFERENCES ${tables.session} (sessionId, userId)\n  PRIMARY KEY (createdAt, key),\n  UNIQUE (key)\n);\n```\n\nAt the moment, the following event types are recorder:\n\n- MFA Updated\n- Authentication Provider Created\n- Authentication Provider Updated\n- Authentication Provider Deleted\n- Authentication Provider Revoked\n- Session Created\n- Session Updated\n- Session Revoked\n\n# OAuth2 Authentication Flows\n\nThis provides external APIs access to validate an user's account or accessing and editing their information. In this way you can implement social sign in.\n\n## Authentication Code and Tokens\n\nThe main way to access external APIs to validate the account of an user or accessing or editing their information (though scopes).\n\n## Device Code (Smart TV, CLI app, no redirect uri in browser)\n\nShould only be used if you are certain the device cannot open a browser or have limited input capabilities. You should probably use [Authentication Code flow](#authentication-code-and-tokens) for CLI apps since you may print the url for the user to open the browser on their device. This may be a problem for Smart TVs however. \n\nSome providers requiere additional configuration ([Facebook's CLIENT_TOKEN](https://developers.facebook.com/docs/facebook-login/for-devices)) or limit the scopes that can be requested ([Google device flow allowed scopes](https://developers.google.com/identity/protocols/oauth2/limited-input-device#allowedscopes)).\n\nNot all providers support this flow.\n\n## Implicit Flow (frontend, no client secret, no refresh token)\n\nIn general, you should not use this unless the app is frontend only or the access is one-time only (or you don't care that the user gives permissions every time).\n\nNot all providers support this flow.\n\n\n# Admin Dashboard\n\nDashboard for managing user accounts.\n\n# Backend Config\n\n## Config\n\nlate final Map\u003cString, AuthenticationProvider\u003e allProviders;\nfinal List\u003cTranslations\u003e translations;\nfinal Persistence persistence;\nfinal String baseRedirectUri;\nfinal JsonWebTokenMaker jwtMaker;\n\n## AppCredentialsConfig\n\n// TODO: maybe get it from the database?\n\n## Rate Limiting\n\nYou may provide multiple `RateLimit`s for a given endpoint, which allows you to configure a different amount of requests allowed for different time window sizes. For example, a rate of 100 requests in 1 minute and a 500 requests in an hour allows for bursts of 100 petitions in a single minute, but the can't surpass 500 requests in an hour.\n\n\n### PersistenceRateLimiter\n\nWe provide a RateLimiter implementation `PersistenceRateLimiter` that provides an eventually-consistent sliding window algorithm. It tracks the sliding counters in memory and relies on transactions in the persistence store to periodically sync the local count data with the shared persistence.\n\n#### RateLimit Headers\n\nWhen the count reaches the configured rate limit, \n\n| Name                | Type    | Description                                                                                                                                                                                             | Example                           |\n| ------------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------- |\n| RateLimit-Policy    | String  | The configuration of the policy                                                                                                                                                                         | 10;w=60;comment=\"sliding window\"' |\n| RateLimit-Limit     | amount  | The amount of requests available in the time window                                                                                                                                                     | 10                                |\n| RateLimit-Remaining | amount  | The amount of additional requests that can\u003cbr\u003ebe performed given the current count                                                                                                                      | 1                                 |\n| RateLimit-Reset     | seconds | The number of seconds from now where the count will reset.\u003cbr\u003eSince this is a sliding window algorithm, will be the resolution,\u003cbr\u003eotherwise it will be the amount of seconds the client needs to wait. | 15                                |\n| Retry-After         | seconds | Same as RateLimit-Reset                                                                                                                                                                                 | 15                                |\n\n## Session Dates Verification\n\nYou may configure the maximum amount of time that a request can be performed since the session was created.\n\n# Frontend Client\n\nWe provide a client facing API for the front end. \n\n## Frontend Client GlobalState\n\n### Global State\n\nContains translations and global state and settings for the client such as the selected theme brightness and locale.\n\n### AuthClient State\n\nMain authentication logic of the client.\n\n### Admin State\n\nState for the [Admin Dashboard](#admin-dashboard) section of the application.\n\n## Endpoint\n\n## Flutter\n\nYou may also use the Flutter library with pre-made widgets that allow the user to:\n\n- Sign up/in/out\n- View their information such as account events and sessions\n- Change the [multi-factor authentication](#multi-factor-authentication-mfa-or-2fa)\n- View, add, update and delete their authentication providers\n- Manage multiple accounts per device\n\n### Multiple sessions per device\n\n\n\n# Translations, Localization and Internationalization (l10n and i18n)\n\nAt the moment we provide the following translations:\n\n- English\n- Spanish\n\nHowever, other translations may be added in the server or client configuration.\n\n## Backend Translations\n\nContains the messages sent to the client \n\n### Translation class\n\nThis class provides a way to represent a message that can be translated using a Backend [`Translations`](./lib/src/backend_translation.dart) class.\n\n## Frontend Translations\n\nFor the frontend we also provide a way to change the texts shown to the user. You may implement the [`FrontEndTranslations`](./lib/src/frontend/frontend_translations.dart) interface.\n\n\n## Getting started\n\nTODO: List prerequisites and provide or point to information on how to\nstart using the package.\n\n## Usage\n\nTODO: Include short and useful examples for package users. Add longer examples\nto `/example` folder. \n\n```dart\nconst like = 'sample';\n```\n\n## Additional information\n\nTODO: Tell users more about the package: where to find more information, how to \ncontribute to the package, how to file issues, what response they can expect \nfrom the package authors, and more.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjuancastillo0%2Fdart_auth","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjuancastillo0%2Fdart_auth","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjuancastillo0%2Fdart_auth/lists"}