Authentication
Enterprise-grade authentication with MFA, RBAC, and comprehensive security.
Authentication & Security
Overview
AlgorithmShift provides enterprise-grade authentication and security features built-in. The platform supports multiple authentication methods, role-based access control, and comprehensive security measures.
Authentication Methods
Email/Password
```typescript
// Registration
const user = await auth.register({
  email: 'user@example.com',
  password: 'SecurePass123!',
  name: 'John Doe'
});

// Login
const session = await auth.login({
  email: 'user@example.com',
  password: 'SecurePass123!'
});
```
Password Requirements
| Requirement | Default | Configurable |
|---|---|---|
| Minimum length | 8 characters | Yes |
| Uppercase required | Yes | Yes |
| Lowercase required | Yes | Yes |
| Number required | Yes | Yes |
| Special character required | Yes | Yes |
| Common password check | Yes | Yes |
OAuth 2.0 / Social Login
```typescript
// Google OAuth
const googleUrl = await auth.getOAuthUrl('google', {
  redirectUri: 'https://myapp.com/auth/callback',
  scopes: ['email', 'profile']
});

// Handle callback
const user = await auth.handleOAuthCallback('google', {
  code: request.query.code
});
```
Multi-Factor Authentication (2FA)
Enable 2FA
```typescript
const setup = await auth.setup2FA({
  userId: 'user-uuid',
  method: 'totp' // or 'sms'
});

// Returns QR code for authenticator apps
{
  secret: 'JBSWY3DPEHPK3PXP',
  qrCode: 'data:image/png;base64,...',
  backupCodes: ['abc123', 'def456', ...]
}
```
Role-Based Access Control (RBAC)
Define Roles
```typescript
const roles = [
  {
    name: 'admin',
    displayName: 'Administrator',
    permissions: {
      '*': { create: true, read: true, update: true, delete: true }
    }
  },
  {
    name: 'editor',
    displayName: 'Editor',
    permissions: {
      products: { create: true, read: true, update: true, delete: false },
      orders: { create: false, read: true, update: false, delete: false }
    }
  }
];
```
Check Permissions
```typescript
if (!context.user.hasPermission('products', 'delete')) {
  throw new ForbiddenError('Cannot delete products');
}

if (context.user.hasRole('admin')) {
  // Admin-only logic
}
```
Record-Level Security
Record Sharing
```typescript
// Share with user
await sharing.share({
  entity: 'projects',
  recordId: 'project-uuid',
  userId: 'user-uuid',
  accessLevel: 'edit' // view, edit, admin
});

// Share with group
await sharing.shareWithGroup({
  entity: 'projects',
  recordId: 'project-uuid',
  groupId: 'team-uuid',
  accessLevel: 'view'
});
```
Security Features
Rate Limiting
```typescript
{
  auth: {
    login: {
      windowMs: 15 * 60 * 1000, // 15 minutes
      max: 5, // 5 attempts
      blockDuration: 60 * 60 * 1000 // 1 hour block
    }
  }
}
```
Security Headers
```typescript
// Automatically applied
{
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'DENY',
  'X-XSS-Protection': '1; mode=block'
}
```
Security Best Practices
Development
- Use environment-specific secrets
- Never commit credentials to version control
- Use HTTPS in all environments
Authentication
- Enforce strong passwords
- Enable 2FA for sensitive operations
- Implement session timeout
- Use secure, httpOnly cookies
Authorization
- Apply principle of least privilege
- Validate permissions on every request
- Use RLS for data access control
- Audit permission changes
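As an added example (not AlgorithmShift's own code; the `ROLES` catalogue, `AccessContext`, `ownGrants` and `requirePermission` names are assumptions), the following resolves role definitions of the shape shown in the RBAC section into the per-request permission check these practices call for: `'*'` is treated as the entity wildcard, an explicit grant from any held role is sufficient, and everything else is denied.

```typescript
// Added example (not AlgorithmShift's code): deny-by-default RBAC resolution
// over role definitions of the shape shown in the "Define Roles" section.
type Action = 'create' | 'read' | 'update' | 'delete';
type Grants = Partial<Record<Action, boolean>>;
interface Role { name: string; displayName: string; permissions: Record<string, Grants>; }

// Assumed role catalogue, copied from the page's example; '*' is an entity wildcard.
const ROLES: Role[] = [
  { name: 'admin', displayName: 'Administrator',
    permissions: { '*': { create: true, read: true, update: true, delete: true } } },
  { name: 'editor', displayName: 'Editor',
    permissions: {
      products: { create: true, read: true, update: true, delete: false },
      orders:   { create: false, read: true, update: false, delete: false },
    } },
];

// Only own properties count: entity names arrive from requests, so a lookup of
// 'constructor' or '__proto__' must not reach Object.prototype.
function ownGrants(perms: Record<string, Grants>, entity: string): Grants | undefined {
  return Object.prototype.hasOwnProperty.call(perms, entity) ? perms[entity] : undefined;
}

class AccessContext {
  private readonly roles: Role[];
  constructor(roleNames: string[], catalogue: Role[] = ROLES) {
    // Unknown role names are dropped rather than granting anything.
    this.roles = catalogue.filter((r) => roleNames.includes(r.name));
  }
  hasRole(name: string): boolean {
    return this.roles.some((r) => r.name === name);
  }
  // Deny by default: true only if some held role explicitly grants the action,
  // either for the named entity or through the '*' wildcard.
  hasPermission(entity: string, action: Action): boolean {
    return this.roles.some((role) => {
      const specific = ownGrants(role.permissions, entity)?.[action];
      const wildcard = ownGrants(role.permissions, '*')?.[action];
      return specific === true || wildcard === true;
    });
  }
}

class ForbiddenError extends Error {}

// The per-request guard from "Check Permissions", expressed against AccessContext.
function requirePermission(ctx: AccessContext, entity: string, action: Action): void {
  if (!ctx.hasPermission(entity, action)) {
    throw new ForbiddenError(`Cannot ${action} ${entity}`);
  }
}
```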