feat: Implement passwordless authentication system

- Add passwordless login option via email links
- Add passwordless signup option with automatic login link
- Refactor email verification system for unified security settings
- Add IP hash verification to prevent MITM attacks
- Add token expiration and automatic cleanup via middleware
- Add database indexes for token fields
- Improve email templates with security instructions
- Enhance flash messages for better user feedback
- Add token verification checks before processing links
- Consolidate email sending logic for maintainability
- Add security headers and CSRF protection for email links
- Implement automatic cleanup of expired tokens on save
- Add more restrictive rate limiting to auth routes

This major update improves security and user experience by adding
passwordless authentication while hardening the existing email
verification system against common attack vectors.

Author: YasharF

README.md

@@ -70,7 +70,7 @@ I also tried to make it as **generic** and **reusable** as possible to cover mos
 ## Features
 
 - Login
-  - **Local Authentication** using Email and Password
+  - **Local Authentication** using Email and Password, as well as Passwordless
   - **OAuth 2.0 Authentication:** Sign in with Google, Facebook, X (Twitter), Twitch, Github
   - **OpenID Connect:** Sign in with LinkedIn
 - **User Profile and Account Management**

app.js

@@ -24,13 +24,34 @@ dotenv.config({ path: '.env.example' });
  */
 const secureTransfer = process.env.BASE_URL.startsWith('https');
 
-// Consider adding a proxy such as cloudflare for production.
+/**
+ * Rate limiting configuration
+ * This is a basic rate limiting configuration. You may want to adjust the settings
+ * based on your application's needs and the expected traffic patterns.
+ * Alos, consider adding a proxy such as cloudflare for production.
+ */
+// Global Rate Limiter Config
 const limiter = rateLimit({
   windowMs: 15 * 60 * 1000, // 15 minutes
   max: 200, // Limit each IP to 200 requests per `window` (here, per 15 minutes)
   standardHeaders: true, // Return rate limit info in the `RateLimit-*` headers
   legacyHeaders: false, // Disable the `X-RateLimit-*` headers
 });
+// Strict Auth Rate Limiter Config for signup, password recover, account verification, login by email
+const strictLimiter = rateLimit({
+  windowMs: 60 * 60 * 1000, // 1 hour
+  max: 5, // 5 attempts per hour
+  standardHeaders: true,
+  legacyHeaders: false,
+});
+
+// Login Rate Limiter Config
+const loginLimiter = rateLimit({
+  windowMs: 60 * 60 * 1000, // 1 hour
+  max: 10, // 10 attempts per hour
+  standardHeaders: true,
+  legacyHeaders: false,
+});
 
 // This logic for numberOfProxies works for local testing, ngrok use, single host deployments
 // behind cloudflare, etc. You may need to change it for more complex network settings.
@@ -158,15 +179,16 @@ app.locals.FACEBOOK_PIXEL_ID = process.env.FACEBOOK_PIXEL_ID ? process.env.FACEB
  */
 app.get('/', homeController.index);
 app.get('/login', userController.getLogin);
-app.post('/login', userController.postLogin);
+app.post('/login', loginLimiter, userController.postLogin);
+app.get('/login/verify/:token', loginLimiter, userController.getLoginByEmail);
 app.get('/logout', userController.logout);
 app.get('/forgot', userController.getForgot);
-app.post('/forgot', userController.postForgot);
+app.post('/forgot', strictLimiter, userController.postForgot);
 app.get('/reset/:token', userController.getReset);
-app.post('/reset/:token', userController.postReset);
+app.post('/reset/:token', loginLimiter, userController.postReset);
 app.get('/signup', userController.getSignup);
 app.post('/signup', userController.postSignup);
-app.get('/contact', contactController.getContact);
+app.get('/contact', strictLimiter, contactController.getContact);
 app.post('/contact', contactController.postContact);
 app.get('/account/verify', passportConfig.isAuthenticated, userController.getVerifyEmail);
 app.get('/account/verify/:token', passportConfig.isAuthenticated, userController.getVerifyEmailToken);
@@ -199,7 +221,7 @@ app.get('/api/paypal/success', apiController.getPayPalSuccess);
 app.get('/api/paypal/cancel', apiController.getPayPalCancel);
 app.get('/api/lob', apiController.getLob);
 app.get('/api/upload', lusca({ csrf: true }), apiController.getFileUpload);
-app.post('/api/upload', apiController.uploadMiddleware, lusca({ csrf: true }), apiController.postFileUpload);
+app.post('/api/upload', strictLimiter, apiController.uploadMiddleware, lusca({ csrf: true }), apiController.postFileUpload);
 app.get('/api/here-maps', apiController.getHereMaps);
 app.get('/api/google-maps', apiController.getGoogleMaps);
 app.get('/api/google/drive', passportConfig.isAuthenticated, passportConfig.isAuthorized, apiController.getGoogleDrive);