@dax-crafta/auth

Security-first authentication module with JWT, RBAC, 2FA, email workflows, and audit trails.


Overview

@dax-crafta/auth is a complete authentication module for Crafta and Express-like apps.

  • Register/login/verify/reset/refresh flows
  • Role-based authorization and ownership guards
  • 2FA, backup codes, and account protection

Quick Start

Install, pass config, and ship secure auth without writing the same boilerplate again.

  • npm install @dax-crafta/auth
  • auth(config)(app) setup pattern
  • Works with default routes and optional overrides

Basic integration

const { crafta } = require("crafta");
const { auth } = require("@dax-crafta/auth");

const app = crafta();
auth({
  // Secrets come from the environment; never hard-code JWT_SECRET in source.
  env: { JWT_SECRET: process.env.JWT_SECRET },
  mongoUrl: process.env.MONGO_URL
})(app);

Configuration

Configuration is JSON-first so teams can tune behavior without rewriting auth internals.

  • Custom routes for API consistency
  • Password policy for compliance and strength
  • SMTP and social provider config where needed

Detailed configuration

const { crafta } = require("crafta");
const { auth } = require("@dax-crafta/auth");

const app = crafta();
auth({
  routes: { login: "/api/auth/login", profile: "/api/me" },
  passwordPolicy: { minLength: 10, minStrength: 3 },
  features: { rateLimit: true, auditLogs: true, twoFactor: true },
  // OAuth credentials are read from the environment, not committed to code.
  social: {
    google: {
      clientID: process.env.GOOGLE_CLIENT_ID,
      clientSecret: process.env.GOOGLE_CLIENT_SECRET,
      callbackURL: process.env.GOOGLE_CALLBACK_URL
    }
  }
})(app);

Feature Flags

Turn behaviors on or off using JSON config to match project maturity and compliance needs.

  • emailVerification, loginAlerts, twoFactor
  • securityAttempts, rateLimit, auditLogs
  • csrf control and route customization

Flag-driven behavior

const { crafta } = require("crafta");
const { auth } = require("@dax-crafta/auth");

const app = crafta();
auth({
  features: {
    emailVerification: false,
    loginAlerts: false,
    securityAttempts: true,
    rateLimit: true,
    auditLogs: true,
    twoFactor: true
  }
})(app);

Route Map

Includes defaults for register, login, verify, refresh, profile, and role creation.

  • All routes can be remapped
  • Validation and safe update guards included
  • Google OAuth path available with provider config

Security Flows

Refresh token rotation, backup codes, password history checks, and lockout logic are built in.

  • Token revocation and session safety
  • Password policy with strength checks
  • Audit-ready events for auth-sensitive actions

API Reference

Main exports and middleware contracts are designed for practical app integration.

  • auth(config): middleware installer
  • ApiError for consistent error shapes
  • inferFeatureFlags/runAdaptiveTests/testCatalog

Troubleshooting

Most issues are configuration mismatches, missing or wrong environment variables, or provider setup details.

  • Check that JWT_SECRET is set and MongoDB is reachable
  • Verify SMTP credentials and from address
  • Confirm OAuth callback URL matches provider

Production Checklist

Before go-live, verify SMTP behavior, OAuth callback domains, and storage-level observability.

  • Set secure JWT secrets and env isolation
  • Validate all auth routes in staging
  • Monitor failed login and suspicious patterns

Next Steps

Continue with implementation in your app, then validate flows using staging-first checks before production rollout.