Authentication System

Enterprise-grade authentication powered by Auth.js with OAuth, JWT, sessions, RBAC, and native MoroJS integration.

Enterprise Authentication System

MoroJS includes authentication support built on Auth.js: multiple OAuth and enterprise SSO providers, JWT or database-backed sessions, role-based access control, and the security features listed below, configured through a single middleware.

OAuth Providers

GitHub, Google, Discord, Microsoft, LinkedIn

Enterprise SSO

Okta, Auth0, AWS Cognito integration

RBAC System

Role-based access control with permissions

Security Features

CSRF protection, secure sessions, audit logging

Quick Setup

1. Environment Variables

# Required. AUTH_SECRET must be a random value of at least 32 characters (e.g. openssl rand -base64 32); never commit it.
AUTH_SECRET=your-secret-key-here-32-characters-minimum
GITHUB_CLIENT_ID=your-github-client-id
GITHUB_CLIENT_SECRET=your-github-client-secret

# Optional
AUTH_URL=http://localhost:3000

2. Basic OAuth Integration

import { Moro } from '@morojs/moro';
import { auth, providers } from '@morojs/moro/auth';

const app = new Moro();

// Basic OAuth setup
app.use(auth({
  providers: [
    providers.github({
      clientId: process.env.GITHUB_CLIENT_ID!,
      clientSecret: process.env.GITHUB_CLIENT_SECRET!,
    }),
    providers.google({
      clientId: process.env.GOOGLE_CLIENT_ID!,
      clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
    }),
  ],
  secret: process.env.AUTH_SECRET!,
}));

// Protected route
app.get('/dashboard', (req, res) => {
  if (!req.auth.isAuthenticated) {
    return res.status(401).json({ error: 'Unauthorized' });
  }

  res.json({
    message: 'Welcome to your dashboard',
    user: req.auth.user
  });
});

Role-Based Access Control (RBAC)

Built-in Route Protection

Protect routes with role-based access control, permissions, and custom authorization logic.

import { requireAuth, requireRole, requireAdmin } from '@morojs/moro/auth';

// getUserList() and getOrgData() are application-defined data accessors, not part of MoroJS.

// Require authentication
app.get('/profile', requireAuth(), (req, res) => {
  res.json({ user: req.auth.user });
});

// Require specific role
app.get('/admin', requireRole(['admin']), (req, res) => {
  res.json({ message: 'Admin panel' });
});

// Require admin role (shorthand)
app.get('/admin/users', requireAdmin(), (req, res) => {
  res.json({ users: getUserList() });
});

// Custom authorization: the authorize callback runs after authentication succeeds
// and must return true to allow the request; anything else denies it.
app.get('/org/:id', requireAuth({
  authorize: async (user, req) => {
    return user.organizationId === req.params.id;
  }
}), (req, res) => {
  res.json({ data: getOrgData(req.params.id) });
});
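The `authorize` callback above is a single inline predicate. In practice such checks should be composable, fail closed on missing data, and be unit-testable without spinning up the HTTP layer. The following is an added example and not MoroJS code: it defines small policy builders whose `(user, req)` signature matches the callback shown above, so a composed policy can be handed to `authorize` unchanged. The `AuthUser` and `RouteReq` shapes and the field names `roles` and `organizationId` are assumptions about what `req.auth.user` and `req.params` carry.

```typescript
// Added example: composable, fail-closed authorization policies for
// requireAuth({ authorize }). The shapes below are assumptions; MoroJS's own
// req.auth.user type may differ.
type AuthUser = {
  id: string;
  roles?: string[];
  organizationId?: string | null;
};
type RouteReq = { params: Record<string, string | string[] | undefined> };
type Policy = (user: AuthUser, req: RouteReq) => boolean;

// Accept only a plain, non-empty string route parameter. Arrays or undefined
// values (e.g. a malformed ?id[]= merged into params) fail closed.
function singleParam(req: RouteReq, name: string): string | null {
  const v = req.params[name];
  return typeof v === 'string' && v.length > 0 ? v : null;
}

// Allow when the user's organizationId equals the route parameter.
// Strict string equality: no coercion, and a missing or null value never matches,
// so a user without an organization cannot reach /org/undefined.
export function sameOrganization(param = 'id'): Policy {
  return (user, req) => {
    const target = singleParam(req, param);
    return (
      target !== null &&
      typeof user.organizationId === 'string' &&
      user.organizationId === target
    );
  };
}

// Allow when the user holds at least one of the given roles.
export function hasRole(...roles: string[]): Policy {
  return (user) => (user.roles ?? []).some((r) => roles.includes(r));
}

// Combinators: anyOf is OR, allOf is AND. Both deny when given no policies,
// so an accidentally empty rule set can never grant access.
export function anyOf(...policies: Policy[]): Policy {
  return (user, req) => policies.some((p) => p(user, req));
}
export function allOf(...policies: Policy[]): Policy {
  if (policies.length === 0) return () => false;
  return (user, req) => policies.every((p) => p(user, req));
}

// Policy for GET /org/:id: admins may read every organization, members only their own.
export const orgAccess: Policy = anyOf(hasRole('admin'), sameOrganization('id'));

// Wiring into the middleware shown above (hypothetical; handler omitted):
// app.get('/org/:id', requireAuth({ authorize: async (user, req) => orgAccess(user, req) }), handler);
```

Policies here are synchronous so they can be tested directly; a check that needs a database lookup can be wrapped in an `async` function at the call site, as the `authorize` option above already accepts a promise.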

Native Auth.js Adapter

Zero Dependencies

MoroJS ships its own Auth.js adapter, so no framework adapter such as @auth/express is needed; providers are configured directly with their OAuth endpoints and the usual Auth.js callbacks apply.

import { createAuthMiddleware } from '@morojs/moro/native-auth';

// Native Auth.js adapter (zero Express dependencies)
app.use(createAuthMiddleware({
  providers: [
    {
      id: 'github',
      name: 'GitHub',
      type: 'oauth',
      authorization: 'https://github.com/login/oauth/authorize',
      token: 'https://github.com/login/oauth/access_token',
      userinfo: 'https://api.github.com/user',
      clientId: process.env.GITHUB_CLIENT_ID!,
      clientSecret: process.env.GITHUB_CLIENT_SECRET!,
    },
  ],
  secret: process.env.AUTH_SECRET!,
  callbacks: {
    async signIn({ user, account }) {
      // Returning true allows the sign-in; returning false denies it
      console.log(`🔐 User ${user.email} signing in via ${account?.provider}`);
      return true;
    },
    async session({ session, token }) {
      // Add custom data to session
      session.customData = {
        loginTime: new Date(),
        provider: token.provider,
      };
      return session;
    },
  },
}));
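The `signIn` callback above logs and returns `true` for everyone, so it admits any account the provider vouches for. Auth.js treats a `false` return from `signIn` as a denial, which makes the callback the natural place for an allow-list and for the audit event the security features list promises. The following is an added example, not MoroJS or Auth.js code: `evaluateSignIn`, `auditEvent` and the allow-lists are hypothetical, the `emailVerified` flag is assumed to be mapped from the provider profile (Google's OIDC profile carries `email_verified`; GitHub's `/user` endpoint does not, so an account from such a provider stays unverified unless the address is confirmed separately), and the logged record deliberately keeps the mailbox part of the address out of the log.

```typescript
// Added example: a fail-closed sign-in policy plus a structured audit record,
// intended for use inside callbacks.signIn. All helper names and lists are
// hypothetical and not part of MoroJS or Auth.js.
type SignInInput = {
  email?: string | null;
  emailVerified?: boolean; // assumed to be mapped from the provider profile
  provider?: string;
};
type Decision = { allow: boolean; reason: string };

// Constructed allow-lists for the example.
const ALLOWED_DOMAINS = new Set(['example.com', 'corp.example.com']);
const ALLOWED_PROVIDERS = new Set(['github', 'google']);

// Domain after the last '@', lower-cased; null when the address is malformed.
// Splitting on the last '@' means "alice@example.com@evil.test" is judged by "evil.test".
export function emailDomain(email: string): string | null {
  const at = email.lastIndexOf('@');
  if (at <= 0 || at === email.length - 1) return null;
  const domain = email.slice(at + 1).trim().toLowerCase();
  return /^[a-z0-9.-]+$/.test(domain) ? domain : null;
}

// Every branch that cannot positively establish an allowed, verified address denies.
export function evaluateSignIn(input: SignInInput): Decision {
  if (!input.provider || !ALLOWED_PROVIDERS.has(input.provider)) {
    return { allow: false, reason: 'provider_not_allowed' };
  }
  if (!input.email) return { allow: false, reason: 'missing_email' };
  const domain = emailDomain(input.email);
  if (domain === null) return { allow: false, reason: 'malformed_email' };
  if (!ALLOWED_DOMAINS.has(domain)) return { allow: false, reason: 'domain_not_allowed' };
  // Never trust an unverified address: on some providers users can type any email.
  if (input.emailVerified !== true) return { allow: false, reason: 'email_unverified' };
  return { allow: true, reason: 'ok' };
}

// One structured record per decision. Only the domain is logged, not the full address.
export function auditEvent(input: SignInInput, decision: Decision, now: Date = new Date()) {
  return {
    event: 'auth.signin',
    ts: now.toISOString(),
    provider: input.provider ?? 'unknown',
    domain: input.email ? emailDomain(input.email) : null,
    outcome: decision.allow ? 'allow' : 'deny',
    reason: decision.reason,
  };
}

// Wiring into the adapter shown above (callback argument shapes as in Auth.js):
// callbacks: {
//   async signIn({ user, account, profile }) {
//     const input: SignInInput = {
//       email: user.email,
//       provider: account?.provider,
//       emailVerified: (profile as { email_verified?: unknown } | undefined)?.email_verified === true,
//     };
//     const decision = evaluateSignIn(input);
//     console.log(JSON.stringify(auditEvent(input, decision)));
//     return decision.allow;
//   },
// }
```

Returning the `Decision` rather than a bare boolean keeps the denial reason available for the audit line without leaking it to the user, who only sees the generic Auth.js sign-in error.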

What's Included

Authentication Methods

  • OAuth Providers (GitHub, Google, Discord, etc.)
  • Enterprise SSO (Okta, Auth0, AWS Cognito)
  • Email/Magic Link authentication
  • Credentials (username/password)
  • OIDC (OpenID Connect) providers

Security Features

  • JWT and Database session strategies
  • CSRF protection
  • Security audit logging
  • Role-based access control (RBAC)
  • Permission-based authorization

Learn More