This is a sample implementation of an authentication system that does not store the user's password in the database. The authentication system is built using NuID. NuID leverages zero-knowledge cryptography and distributed ledger technology so that users do not have to trust any system to store their passwords.
```
npm install
npm run start
```
Open the `authRequests.rest` file. This file has sample request examples guiding you through using the authentication system. If you have the Visual Studio Code REST Client plugin, you can send the requests directly by clicking the `Send Request` button at the top of every API call listed.
The trustless authentication system has 2 parts to it: signup and login.

Signup:

- The user enters his details, such as `emailid` and `password`, and signs up.
- The user's `password` is used to create a one-time verifiable `secret`.
- An API call is made to create user credentials on the `Nu.ID` portal. The credentials API gives back an ID called `Nu.ID`.
- The user's `email` and `id` are stored in the system.

Login:

- The user enters his `email` and `password`.
- Retrieve the user's `Nu.Id` (public id) from his email and obtain `nuid.credential.challenge/jwt`.
- Decode this `JWT` to get the `challenge` value.
- Use the `password` and `challenge` to obtain `proof`.
- Hit `/verifyProof` to confirm it is the right user. If the password is correct, the API returns a success response.
- Once the user is verified, create a session using the user's `Nu.Id` for further authentication to the APIs.
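The "decode this `JWT` to get the `challenge` value" step of the login flow, as an added example that is not part of the sample project: it extracts the challenge from the JWT payload on the client side without verifying the signature, since verification happens when the proof is submitted to `/verifyProof`. The claim name `nuid.credential.challenge`, the sample token and its contents are assumptions constructed for this example, not values from the README.

```javascript
// Added example, not the sample project's own code: the client-side login
// step "decode this JWT to get the challenge value".
// Assumption (not confirmed by the README): the challenge JWT carries the
// challenge under a claim named "nuid.credential.challenge".
const CHALLENGE_CLAIM = "nuid.credential.challenge"; // assumed claim name

function base64UrlEncode(str) {
  return Buffer.from(str, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function base64UrlDecode(segment) {
  // JWT segments are base64url without padding; restore it for Buffer.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

function decodeJwtPayload(jwt) {
  // Decodes only; it does not verify the signature. The client just needs the
  // challenge value to compute the proof; the proof itself is checked when it
  // is submitted to /verifyProof.
  if (typeof jwt !== "string") throw new TypeError("jwt must be a string");
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("malformed JWT: expected 3 segments");
  return JSON.parse(base64UrlDecode(parts[1]));
}

function challengeFromJwt(jwt) {
  const claims = decodeJwtPayload(jwt);
  if (claims[CHALLENGE_CLAIM] === undefined) {
    throw new Error(`JWT has no ${CHALLENGE_CLAIM} claim`);
  }
  return claims[CHALLENGE_CLAIM];
}

// Constructed sample token for offline use (not issued by NuID); the signature
// segment is a placeholder because this code never verifies it.
function sampleChallengeJwt() {
  const header = { alg: "HS256", typ: "JWT" };
  const payload = { [CHALLENGE_CLAIM]: { nonce: "constructed-nonce-0001" }, exp: 1700000000 };
  return `${base64UrlEncode(JSON.stringify(header))}.${base64UrlEncode(JSON.stringify(payload))}.placeholder-signature`;
}
```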
Note that the `secret` used for credential creation and the `proof` created when the user tries to log in should be obtained on the client side. This way, we avoid making any API calls to the server with the user's password and hence mitigate the risk of a potential breach.