Case study · 2024
AuthEZ
Open-source npm package handling token-based auth for Node.js + Express: routes for register, login, password reset, email verification.

auth-ez is an open-source npm package that handles token-based authentication for Node.js + Express apps. It ships routes and helpers for user registration, login, password reset, and email verification — drop it in and stop rewriting the same flow on every project.
The problem
Every Node.js project re-implements the same auth flow, badly. Devs reach for Passport or roll their own, miss edge cases (timing-safe compare, refresh tokens, email verification), and ship insecure code.
Approach
- A single configurable module that registers Express routes you can pick à la carte.
- DB-agnostic — works with Mongo or Postgres via a thin adapter interface.
- Sensible secure defaults (argon2 / bcrypt hashing, JWT with short access + long refresh, rate-limit-friendly).
- TypeScript-first with full types exported from the package.
Highlights
- Adapter pattern, three lines to swap stores. CreateMongoAuthController and CreateSqlAuthController ship in the box, but the real abstraction is AuthController: implement three methods (saveUser, getUser, updateUser) and you're plugged into any store, including ones I'd never anticipate. A Redis-backed prototype took an afternoon.
- Refresh-token rotation with httpOnly cookies. Short-lived access tokens, rotating refresh tokens, optional cookie storage so the front-end never has to touch the refresh token directly. The pattern most projects know they should follow but don't bother to wire up — auth-ez gives it to you on the default route.
- Strong defaults you can't accidentally weaken. Password policy (8+ chars, mixed case, number, symbol), per-IP rate limiting (10 req / 15 min), JWT expiration controls, all on by default. Loosening them is explicit; tightening them is too.
- Pluggable email service. Resend and Nodemailer are built in for the email-verification and password-reset flows, but the integration point is a single function — bring your own.
What I'd do differently
- WebAuthn / passkeys. Token-based auth was the right baseline two years ago; passkeys are quickly becoming table stakes for new projects. A CreatePasskeyAuthController alongside the existing token controllers is the obvious next step.
- Make the email service truly provider-agnostic. Hard-coding Resend and Nodemailer as first-class options leaked provider details into the package. A thin EmailService interface would push that decision back to the consumer cleanly.
- Ship a starter app. "Drop the package in and stop rewriting" lands harder when there's a one-command starter (npx create-auth-ez-app) that wires routes, an example Next.js or Remix client, and seed data. That would lower the time-to-first-login from an hour to five minutes.