I’ve been working on a lightweight, zero-dependency middleware for Node.js (Express, Next.js, Fastify) designed to solve a specific pain point: the trade-off between securing login flows and maintaining low-latency infrastructure.
Instead of relying on heavy, third-party fraud APIs that introduce latency and require sending sensitive user telemetry off-server, I’ve built a local, tunable rules engine to handle ATO (Account Takeover) and SIM-swap detection natively.
The Architecture:
- Zero-Latency: The logic runs entirely within the local request/response cycle.
- Privacy-First: All data stays within your private network.
- Fail-Open Design: Your authentication flow remains uninterrupted, even if the scorer encounters a logic exception.
Why I’m opening this up:
I’ve reached a point where I want to pressure-test the rules engine against real-world scenarios. I’ve just open-sourced the project under the DevGuard Labs banner and am currently looking for developers to help beta-test the logic.
How you can help:
If you're building auth-heavy applications, I’d love for you to take a look at the repo, see how the sliding-window velocity checks are handled, and let me know if you spot any edge cases.
Check out the repo here:
https://github.com/blacksanddesignsandbranding-dot/account-takeover-risk-scorer
Any feedback—or even a Star if you find the approach useful for your own stack—would be greatly appreciated as I work on the next phase of the rules engine!
Top comments (0)