Reputation: 22603
I've developed a REST based service using Express and initially started implementing authentication myself. A simple username/password authentication where
I have some knowledge on Node.JS, but not nearly sufficient to make me feel comfortable about rolling out my own authentication (login/signup) mechanism.
For that reason I would like to replace my in-house mechanism with something else.
Something proven, extendable, pluggable and easy to use.
Given the amount of secure websites / REST APIs out there based on Node.JS, I'm sure there are out-of-the box solutions that people / companies have to offer that can get service implementors up and running very quickly, without having to worry about the security/user aspect.
I'm looking for an even higher level of abstraction than that of libraries like passport or everyauth. Something that provides out-of-the-box functionality, capable of fulfilling my requirements including :
So the question here is: are there out-of-the-box solutions like that available that offer a higher level of abstraction than passport/everyauth/...? Or should I forget about outsourcing my user authentication and just start looking at passport and everyauth and start implementing my requirements using those libraries?
Upvotes: 2
Views: 541
Reputation: 23313
I guess you could use https://stormpath.com/. I'm looking for a free alternative myself.
Upvotes: 0
Reputation: 21119
The service API should largely live independent of your authentication mechanism, so I'd recommend starting this behind a simple password protected folder or some such. In my opinion it would be better to make sure your API works and can gain traction. Meaning it'll be more a long term project. Nothing kills a project quicker than focusing on the painful stuff right out of the box.
As far as what service to use? It's non-trivial to set up security well. So for a small startup project, it's probably more cost-effective to integrate with another service. Might take a look at Mozilla Persona. It's built on Node and pretty straightforward.
If you do try to roll your own, get some outside expertise, and DON'T do stupid stuff like use a hashing algorithm like SHA1 to store passwords. Instead use something like bcrypt. Then there are other things like: don't store server logs on the server where they're created. Pipe out all logs elsewhere so if there's an intrusion you have a forensics trail back to what happened.
Upvotes: 1