Introducing Aberrant Authentication

Coleman Beiler — Wed, 16 Oct 2019 01:10:22 +0000

Something aberrant has wandered away from the usual path or form. The word is generally used in a negative way; aberrant behavior, for example, may be a symptom of other problems. But the discovery of an aberrant variety of a species can be exciting news to a biologist, and identifying an aberrant gene has led the way to new treatments for diseases.

Aberrant Authentication GitHub

What is Aberrant Authentication

Aberrant aims to make session tracking and user authentication a breeze. Within minutes, you can have a fully secure solution to a tough problem.
Set-up requires no sign-up, it doesn't track your users usage, and it doesn't require internet access to work.

I believe that access control, session tracking, and authentication should be the first thing done when creating an application. Security doesn't have to be an after-thought anymore; even if you aren't developing online.

Technology and Methodology

The application is built on top of the Spring framework, and requires a running database compatible with liquibase; that's it! I am looking to talk to people who are interested in security / authentication / session tracking and learn about what more I can do to make my solution as secure as possible. The current iteration involves a simple 'username' and 'password' combination which returns a session object if successful. The session object consists of three key things.

SessionToken: String: Unique key to identify the session
RefreshToken: String: Random key, Random size. A new key is generated and sent with every request.
RequestNumber: int: Which number request the session is on. The client side application is responsible for incrementing this number themselves. A successful request will always increment the number, otherwise it's safe to assume it'll remain the same.

Upon creation of the account, 2 different randomly generated strings are stored, then combined with the password to create a hash.

Feature Wishlist

In the interest of getting a little help during Hacktoberfest, I'm adding the features I wish to see in the application.

Request header ("host") stored in a new table and determine if the login is coming from a new ip address.
Locking account if there are more than 3 attempts. Email / security questions required to unlock the account.
Security questions feature.
More verbose group / membership.

I've got a small Vue.js project that I've been using to interact with the project. I can provide that upon request.

Example Usage

In this example, we will be using javascript to request information on a specific user. It's important to note that this example assumes you've already authenticated.

  fetch('/api/auth/v1/users/select/user', {
    method: 'GET',
    headers: {
      'sessionToken': localStorage.sessionToken,
      'refreshToken': localStorage.refreshToken,
      'requestNumber': localStorage.requestNumber
    }
  }).then((result) => {
    localStorage.refreshToken = result.headers.get("refreshtoken");
    return result.json();
  }).then((data) => {
    let user = data[0];
    localStorage.requestNumber++;
    console.log("Found the user: "+user);
  }).catch((error) => {
    console.error(error);
  });

I would love some feedback on what is good/bad about my ideas / application.