# Security

Auth-Kit-JS implements security best practices by default.
## OAuth Security

### State Parameter

CSRF protection using a cryptographically random `state` value:

```typescript
import { generateState } from "auth-kit-js/core";

const state = generateState(); // 32-byte random string
```

The state is:

- Generated using the Web Crypto API
- Stored in the session before the redirect
- Validated on callback
### PKCE (Proof Key for Code Exchange)

Enabled by default for Google OAuth:

```typescript
createAuthRouter({
  google: { ... },
  usePKCE: true, // default
});
```

PKCE prevents authorization code interception attacks.
## Telegram Security

### HMAC-SHA256 Verification

```typescript
// Step 1: SHA256(botToken) → secretKey
// Step 2: HMAC_SHA256(secretKey, dataCheckString) → hash
// Step 3: Compare hash with provided hash
```

### Timing-Safe Comparison
Prevents timing attacks:

```typescript
import { timingSafeEqual } from "auth-kit-js/core";

// Safe comparison that takes constant time regardless of where the inputs differ
const isValid = timingSafeEqual(computedHash, providedHash);
```

### auth_date TTL
Rejects old authentications:

```typescript
telegram: {
  botToken: '...',
  authDateTTL: 86400, // 24 hours (default)
}
```

## Cookie Security
When using `successRedirect`, cookies are set with:

```typescript
{
  httpOnly: true, // No JS access
  secure: true, // HTTPS only (in production)
  sameSite: 'lax', // CSRF protection
  maxAge: 7 * 24 * 60 * 60 * 1000, // 7 days
}
```

## Best Practices
- Always use HTTPS in production
- Validate redirect URIs: don't accept arbitrary URLs
- Store secrets securely: use environment variables
- Rotate tokens: implement token refresh
- Log authentication events: monitor for suspicious activity
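As an added example (not Auth-Kit-JS code), the three Telegram checks from the section above, the SHA256/HMAC-SHA256 derivation, a length-checked constant-time comparison, and the `auth_date` TTL, written against Node's built-in `crypto` module. The field names, values and bot token below are constructed placeholders, and the data-check-string layout (sorted `key=value` pairs joined by newlines) is Telegram's documented format, which the page only refers to as `dataCheckString`.

```typescript
import { createHash, createHmac, timingSafeEqual } from "node:crypto";

// Fields the Telegram login widget returns, as strings; "hash" may be among them.
type TelegramFields = Record<string, string>;

// Steps 1-2: secretKey = SHA256(botToken); hash = HMAC_SHA256(secretKey, dataCheckString).
// dataCheckString is every field except hash, sorted by key, as "key=value" joined
// by "\n" (Telegram's documented layout; the page only names the string).
function computeTelegramHash(botToken: string, fields: TelegramFields): string {
  const dataCheckString = Object.keys(fields)
    .filter((k) => k !== "hash")
    .sort()
    .map((k) => `${k}=${fields[k]}`)
    .join("\n");
  const secretKey = createHash("sha256").update(botToken).digest();
  return createHmac("sha256", secretKey).update(dataCheckString).digest("hex");
}

// Step 3: constant-time comparison of two hex digests. timingSafeEqual throws on
// differing lengths, so a length mismatch is rejected explicitly first.
function hashesMatch(a: string, b: string): boolean {
  const bufA = Buffer.from(a, "hex");
  const bufB = Buffer.from(b, "hex");
  if (bufA.length === 0 || bufA.length !== bufB.length) return false;
  return timingSafeEqual(bufA, bufB);
}

// Full check: hash first, then the auth_date TTL (86400 s by default, as on the page).
function verifyTelegramLogin(
  botToken: string,
  payload: TelegramFields,
  opts: { authDateTTL?: number; now?: number } = {},
): { ok: true } | { ok: false; reason: string } {
  const ttl = opts.authDateTTL ?? 86400;
  const now = opts.now ?? Math.floor(Date.now() / 1000);
  const { hash, ...fields } = payload;
  if (!hash) return { ok: false, reason: "missing hash" };
  if (!hashesMatch(computeTelegramHash(botToken, fields), hash)) {
    return { ok: false, reason: "hash mismatch" };
  }
  const authDate = Number(fields.auth_date);
  if (!Number.isFinite(authDate) || now - authDate > ttl) {
    return { ok: false, reason: "auth_date outside TTL" };
  }
  return { ok: true };
}
```

Note that the hash is checked before any other field is read, so a tampered `auth_date` never influences the decision.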