The Auth Service implements several security best practices for user authentication.
Passwords are hashed using bcrypt with a cost factor of 12:
const hash = await bcrypt.hash(password, 12)
Cost factor 12 provides strong brute-force resistance while keeping login times reasonable (~250ms per hash).
Access tokens are kept in React component state (useState), never in localStorage. The JWT payload carries userId, username, and role.
Each refresh operation updates the refresh_tokens table so that each refresh token can only be used once. If a token is replayed (stolen and used by an attacker), the legitimate user's next refresh will fail, alerting them to the compromise.
const COOKIE_OPTS = {
httpOnly: true, // Not accessible to JavaScript (XSS protection)
secure: true, // Only sent over HTTPS
sameSite: 'strict', // Not sent in cross-site requests (CSRF protection)
path: '/',
maxAge: 7 * 24 * 60 * 60 * 1000, // 7 days
}
Auth endpoints are rate-limited to prevent brute-force attacks:
const rateLimit = require('express-rate-limit') // import needed for rateLimit()
const authLimiter = rateLimit({
windowMs: 15 * 60 * 1000, // 15 minutes
max: 20, // 20 attempts per window
message: { error: 'Too many attempts, try again later' }
})
This applies to all /auth/* routes including login, register, and refresh.
const cors = require('cors') // import needed for cors()
app.use(cors({
origin: [
'https://nexus.sebhosting.com',
'http://localhost:3000'
],
credentials: true, // Allow cookies
}))
Only the NeXuS frontend and local development are allowed as origins.
Two roles exist: admin and viewer. A user's role is stored in the users table and included in the JWT payload.
The frontend refreshes access tokens every 13 minutes (2 minutes before the 15-minute expiry). If the refresh fails, the user is automatically logged out.
On logout: