Authentication

Ideon implements a secure, self-hosted authentication system using NextAuth.js (v5) with a custom Kysely adapter.

Features

  • Email/Password: Secure login using Argon2 password hashing (via Credentials provider).
  • Magic Links: Passwordless login via email (via Nodemailer provider).
  • OAuth Providers: Native support for major providers:
    • Google
    • Discord
    • Slack
    • GitLab
    • Microsoft Entra ID (Azure AD)
  • Enterprise SSO: SAML 2.0 support via SAML Jackson (BoxyHQ), allowing integration with Okta, OneLogin, JumpCloud, etc.
  • Dynamic Configuration: Authentication providers and SSO settings are managed directly from the Admin Panel and stored in the database, allowing runtime updates without restarting the server.
  • Registration Control: Admins can configure registration modes:
    • Public: Open to everyone.
    • Invite Only: Requires an invitation from an admin.
    • SSO Only: Restricts new account creation to SSO providers.
  • Role-Based Access Control (RBAC):
    • superadmin: Full system control.
    • admin: Can manage users and projects.
    • member: Standard user access.
  • Rate Limiting: Protects against brute-force attacks on login and registration endpoints.
    • Production: Uses PostgreSQL for distributed rate limiting.
    • Development: Uses in-memory storage.

Implementation Details

The authentication flow uses JSON Web Tokens (JWT) for session management, keeping the server stateless regarding sessions.

Kysely Adapter

A custom database adapter bridges NextAuth.js with Kysely to handle:

  • User Creation: Automatically generates unique usernames and assigns a deterministic profile color based on the username hash.
  • Invitation Handling: Links new users to pending invitations and automatically accepts them upon registration.
  • Security Logging: Records successful registrations and blocked attempts in the audit log.

Rate Limiting

Login attempts are rate-limited to prevent brute-force attacks:

  • Limit: 5 attempts per 15 minutes.
  • Storage:
    • Production: Uses a PostgreSQL-backed limiter (table rateLimits).
    • Development: Uses an in-memory limiter.

Password Security

Passwords are hashed using Argon2, a memory-hard hashing algorithm that is highly resistant to GPU-based brute-force attacks.

Security Events

All significant authentication events are logged in the auditLogs table for security monitoring.

Logged Events:

  • loginPassword: Tracks success and failure of password-based logins.
  • loginRatelimit: Tracks blocked attempts due to rate limiting.
  • register:success: New user registration.
  • register:blocked: Blocked registration attempt (e.g., when public registration is disabled).