This is a sample implementation of authentication system without storing user's password in the database. This authentication system is built using NuID. NuID leverages zero knowledge cryptography and distributed ledger technology that enables users the ability to not trust any system to store their passwords.
npm install
npm run start
Open the authRequests.rest file. This file has sample request examples guiding you to use the authentication system. If you have the visual studio's Rest.Client plugin, you can directly send the requests by clicking on the Send Request button at the top of every API call listed.
The trustless authentication system has 2 parts to it:
- User enters his details such as
emailidandpasswordand signs up. - The user
passwordis used to create a onetime verifyablesecret. - An API call is made to create user credentails on
Nu.IDportal. The credentails API gives back an ID calledNu.ID - The user's
emailandidis stored in the system.
- User enters his
emailandpassword. - Retrieve user's
Nu.Id(public id) from his email and obtainnuid.credential.challenge/jwt. - Decode this
JWTto get thechallengevalue - Use the
passwordandchallengeto obtainproof - Hit
/verifyProofto confirm it is the right user. If the password is correct, the API returns a success response. - Once user is verified create a session using users
Nu.Idfor further authentication to the APIs.
Note that the secret used for credential creation and proof created when the user tries to login should be obtained from client side. This way, we are avoiding making any API calls to the server with the user's password and hence mitigating the risk of a potential breech.