
Authentication

Ideon implements a secure, self-hosted authentication system using NextAuth.js (v5) with a custom Kysely adapter.

Features

  • Email/Password: Secure login using Argon2 password hashing (via Credentials provider).
  • Magic Links: Passwordless login via email (via Nodemailer provider).
  • SSO (Single Sign-On): Support for major providers:
    • Google
    • Discord
    • Slack
    • GitLab
    • Microsoft Entra ID (Azure AD)
  • Registration Control: Admins can enable/disable public registration globally via systemSettings.
  • Invitations: Invite-only mode supported via invitations table.
  • Role-Based Access Control (RBAC):
    • superadmin: Full system control.
    • admin: Can manage users and projects.
    • member: Standard user access.

Implementation Details

The authentication flow uses JSON Web Tokens (JWT) for session management, keeping the server stateless regarding sessions.

Rate Limiting

Login attempts are rate-limited to prevent brute-force attacks:

  • Limit: 5 attempts per 15 minutes.
  • Storage:
    • Production: Uses a PostgreSQL-backed limiter (the rateLimits table), so the limit holds across application restarts and instances.
    • Development: Uses an in-memory limiter.

Password Security

Passwords are hashed using Argon2, a memory-hard hashing algorithm that is highly resistant to GPU-based brute-force attacks.

Security Events

All significant authentication events are logged in the auditLogs table for security monitoring.

Logged Events:

  • loginPassword: Tracks success and failure of password-based logins.
  • loginRatelimit: Tracks blocked attempts due to rate limiting.
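The following is an added example, not Ideon's own code, illustrating both the Rate Limiting policy above (5 attempts per 15 minutes, with an in-memory store for development and a database-backed store for production) and the Security Events it produces (loginPassword and loginRatelimit). The `RateLimitStore` interface, the `MemoryStore` class, the event record shape and the `verify` callback standing in for the Argon2 password check are all assumptions made for this example.

```typescript
// Added example, not Ideon's own code: a fixed-window login limiter enforcing the
// documented 5 attempts per 15 minutes. Storage sits behind an interface so the
// in-memory development store can be swapped for a rateLimits-table store in production.
// Event names mirror the documented loginPassword / loginRatelimit audit events.
const MAX_ATTEMPTS = 5;
const WINDOW_MS = 15 * 60 * 1000;

interface WindowEntry { count: number; windowStart: number }
interface RateLimitStore {
  get(key: string): WindowEntry | undefined;
  set(key: string, entry: WindowEntry): void;
}

// Development backend; a production store would read and write the database instead.
class MemoryStore implements RateLimitStore {
  private entries = new Map<string, WindowEntry>();
  get(key: string) { return this.entries.get(key); }
  set(key: string, entry: WindowEntry) { this.entries.set(key, entry); }
}

interface AuditEvent {
  type: "loginPassword" | "loginRatelimit";
  key: string;        // the rate-limit key, e.g. a lowercased e-mail address
  success?: boolean;  // only present on loginPassword events
  at: number;
}
type LoginResult = "ok" | "bad-password" | "rate-limited";

class LoginRateLimiter {
  readonly events: AuditEvent[] = [];
  private store: RateLimitStore;
  private now: () => number;
  // `now` is injectable so the window can be tested without waiting 15 minutes.
  constructor(store: RateLimitStore, now: () => number = Date.now) {
    this.store = store;
    this.now = now;
  }
  // `verify` stands in for the Argon2 password check. It is never invoked while the
  // key is blocked, so a locked-out key also costs no memory-hard hashing work.
  attempt(key: string, verify: () => boolean): LoginResult {
    const t = this.now();
    const cur = this.store.get(key);
    const entry = cur && t - cur.windowStart < WINDOW_MS ? cur : { count: 0, windowStart: t };
    if (entry.count >= MAX_ATTEMPTS) {
      this.events.push({ type: "loginRatelimit", key, at: t });
      return "rate-limited";
    }
    entry.count += 1;
    this.store.set(key, entry);
    const success = verify();
    this.events.push({ type: "loginPassword", key, success, at: t });
    return success ? "ok" : "bad-password";
  }
}
```

Because the window is fixed rather than sliding, a key that exhausts its five attempts stays blocked until 15 minutes after its first attempt in the window, and the rejected attempts appear in the audit trail as loginRatelimit events.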