Authentication forms expose a number of endpoints, and each of them is a potential weak point. Both custom registration forms and third-party authentication systems can be susceptible to various security threats, but the nature of the risks differs. Let's discuss the potential attack vectors associated with each.
How many Endpoints are needed for custom Authentication?
The number of endpoints needed for a custom authentication form can vary depending on the requirements of your application and the authentication process you want to implement. However, there are a few essential endpoints that are common to almost any custom authentication system.
Registration Endpoint
URL: /register
or similar
Purpose: Handles user registration by receiving and processing registration data.
- It must check for existing users, and it should answer in a way that does not reveal whether a given email is already registered (account enumeration).
- It should detect automated profile creation (many sign-ups from the same IP, too close in time, or with near-identical data).
- Passwords must meet a minimum complexity policy: https://programtom.com/dev_examples/StrongPasswordGeneratorApp/
- If you are strict, do NOT activate profiles before SMS/email confirmation.
Login Authentication Endpoint
URL: /login
or similar
Purpose: Authenticates users based on the provided credentials (username/email and password). This is probably the most critical endpoint, and every applicable protection should be integrated here:
- Brute force protection (slow, salted password hashing and a constant-time comparison)
- Captchas
- Attempt limits (per account and per source IP)
- Time-based checks (lockouts or back-off after repeated failures)
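The registration checks and the login protections listed above share the same moving parts: a per-key attempt counter with a time window, a password policy, and a salted slow hash. The following Python example is added here for illustration and is not code from the original post; it wires those parts together behind hypothetical /register and /login handlers. The policy numbers, the in-memory stores and the user data are assumptions. A real deployment keeps the counters in Redis or the database so that they survive restarts and are shared across instances.

```python
import hashlib
import hmac
import os
import re
import time
from collections import defaultdict, deque

# Hypothetical policy values (assumptions, not from the original post).
MAX_REGISTRATIONS_PER_IP = 3      # per REGISTRATION_WINDOW seconds
REGISTRATION_WINDOW = 3600
MAX_LOGIN_FAILURES = 5            # per account within LOGIN_WINDOW seconds
LOGIN_WINDOW = 900
LOCKOUT_SECONDS = 900
PBKDF2_ITERATIONS = 600_000       # OWASP-recommended order of magnitude for PBKDF2-SHA256


class SlidingWindowCounter:
    """Counts events per key inside a time window (in-memory stand-in for Redis/DB)."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.events = defaultdict(deque)

    def hit(self, key, now):
        """Record an event; return how many events the key has in the window, including this one."""
        q = self.events[key]
        while q and q[0] <= now - self.window:
            q.popleft()
        q.append(now)
        return len(q)

    def reset(self, key):
        self.events.pop(key, None)


def password_is_strong(password):
    """Minimal complexity policy: at least 12 characters and three of four character classes."""
    if len(password) < 12:
        return False
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]"]
    return sum(bool(re.search(c, password)) for c in classes) >= 3


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256; returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class AuthService:
    def __init__(self):
        self.users = {}  # email -> {"salt", "hash", "active"} (constructed in-memory store)
        self.registrations = SlidingWindowCounter(MAX_REGISTRATIONS_PER_IP, REGISTRATION_WINDOW)
        self.failures = SlidingWindowCounter(MAX_LOGIN_FAILURES, LOGIN_WINDOW)
        self.locked_until = {}

    def register(self, email, password, client_ip, now=None):
        now = time.time() if now is None else now
        # Automated profile creation: too many sign-ups from one IP inside the window.
        if self.registrations.hit(client_ip, now) > MAX_REGISTRATIONS_PER_IP:
            return "rate_limited"
        if not password_is_strong(password):
            return "weak_password"
        # Existing-user check. Answer exactly like a success (and e-mail the existing owner)
        # so the endpoint does not reveal which addresses are registered.
        if email in self.users:
            return "ok"
        salt, digest = hash_password(password)
        # The profile stays inactive until the e-mail/SMS confirmation step calls activate().
        self.users[email] = {"salt": salt, "hash": digest, "active": False}
        return "ok"

    def activate(self, email):
        self.users[email]["active"] = True

    def login(self, email, password, now=None):
        now = time.time() if now is None else now
        if self.locked_until.get(email, 0) > now:
            return "locked"
        user = self.users.get(email)
        if user is None:
            # Burn the same hashing time so unknown accounts are not distinguishable by timing.
            hash_password(password, b"\x00" * 16)
            return "invalid"
        _, digest = hash_password(password, user["salt"])
        if not hmac.compare_digest(digest, user["hash"]):
            # Attempt limit: the MAX_LOGIN_FAILURES-th failure inside the window locks the account.
            if self.failures.hit(email, now) >= MAX_LOGIN_FAILURES:
                self.locked_until[email] = now + LOCKOUT_SECONDS
                return "locked"
            return "invalid"
        if not user["active"]:
            return "inactive"
        self.failures.reset(email)
        return "ok"
```

The `now` parameter exists so the window and lockout logic can be exercised deterministically; production callers leave it unset. Note that a correct password submitted while the account is locked is still refused, which is what makes the lockout useful against online guessing.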
Password Reset Request Endpoint
URL: /password/reset-request
or similar
Purpose: Initiates the process for users to reset a forgotten password. Rate-limit how often a new reset can be requested for the same account; you don't want this endpoint used to spam people with emails, and the response should not reveal whether the account exists.
Password Reset Confirm Endpoint
URL: /password/reset-confirm
or similar
Purpose: Confirms and processes the user's password reset. Limit the time between sending the reset request and the confirmation (the reset token must expire), and accept each token only once.
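The two reset endpoints above form one flow: the request throttles and hands out a token, the confirm consumes it within a deadline. The Python example below is added here and is not code from the original post; it models both endpoints in one class. The cooldown and lifetime values, the `set_password` callback and the `outbox` list that stands in for the mail sender are assumptions. Only a hash of the token is stored, so a leaked database table does not yield usable reset links.

```python
import hashlib
import secrets
import time

# Hypothetical policy values (assumptions, not from the original post).
RESET_REQUEST_COOLDOWN = 300   # seconds between two reset e-mails for one account
RESET_TOKEN_TTL = 900          # seconds a reset link stays valid


class PasswordResetFlow:
    def __init__(self, known_users, set_password):
        self.known_users = set(known_users)
        self.set_password = set_password   # callback(email, new_password); hypothetical
        self.last_request = {}             # email -> time of the last accepted request
        self.pending = {}                  # sha256(token) -> (email, expires_at)
        self.outbox = []                   # constructed stand-in for the e-mail sender

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, email, now=None):
        """/password/reset-request: same answer for every input, throttled per account."""
        now = time.time() if now is None else now
        if email not in self.known_users:
            return "ok"                    # do not reveal whether the account exists
        if now - self.last_request.get(email, -float("inf")) < RESET_REQUEST_COOLDOWN:
            return "ok"                    # too soon after the previous request: drop silently
        self.last_request[email] = now
        # A new request invalidates any earlier, still-pending link for the same account.
        self.pending = {k: v for k, v in self.pending.items() if v[0] != email}
        token = secrets.token_urlsafe(32)
        self.pending[self._key(token)] = (email, now + RESET_TOKEN_TTL)
        self.outbox.append((email, token))
        return "ok"

    def confirm_reset(self, token, new_password, now=None):
        """/password/reset-confirm: single use, bounded lifetime."""
        now = time.time() if now is None else now
        entry = self.pending.pop(self._key(token), None)   # pop: consumed even if it fails below
        if entry is None:
            return "invalid"
        email, expires_at = entry
        if now > expires_at:
            return "expired"
        self.set_password(email, new_password)
        self.last_request.pop(email, None)
        return "ok"
```

After a successful confirmation the application should also terminate the user's existing sessions, since the reset may have been triggered because the account was compromised.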
Profile Update Endpoint
URL: /profile/update
or similar
Purpose: Allows users to update their profile information (e.g., change password, update email). Always take the user id from the authenticated session, never from the request, and include it in the database operation, so that no update can be applied to anyone other than the current user. Likewise, only allow the specific columns a user may edit; a request body must not be able to set fields such as a role.
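To make the "always include the user id" rule concrete, here is an added Python example against an in-memory SQLite table (not code from the original post). The schema, the sample rows and the column names are constructed for the demonstration. The first function shows the mistake: it trusts the id and the column names that arrive in the request body, so one user can edit another user's row and promote themselves. The second takes the id from the session and builds the SET clause only from an allowlist.

```python
import sqlite3

# Columns a user may edit through /profile/update; "id" and "role" are deliberately absent.
UPDATABLE = {"display_name", "pending_email"}


def setup_db():
    """Constructed in-memory schema with two users, standing in for the real database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, "
        "display_name TEXT, role TEXT, pending_email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?, ?)",
        [(1, "alice@example.com", "Alice", "user", None),
         (2, "bob@example.com", "Bob", "user", None)],
    )
    conn.commit()
    return conn


def get_user(conn, user_id):
    return conn.execute(
        "SELECT email, display_name, role, pending_email FROM users WHERE id = ?", (user_id,)
    ).fetchone()


def update_profile_vulnerable(conn, form):
    """VULNERABLE: the target row and the column list both come from the request body."""
    columns = [k for k in form if k != "id"]
    assignments = ", ".join(f"{col} = ?" for col in columns)
    cur = conn.execute(
        f"UPDATE users SET {assignments} WHERE id = ?",
        (*[form[c] for c in columns], form["id"]),
    )
    conn.commit()
    return cur.rowcount


def update_profile(conn, session_user_id, form):
    """Hardened: id from the authenticated session, columns from the allowlist only."""
    fields = {k: v for k, v in form.items() if k in UPDATABLE}
    # An e-mail change is staged in pending_email and becomes the login e-mail only
    # after the new address is confirmed; it never overwrites "email" directly.
    if "email" in form:
        fields["pending_email"] = form["email"]
    if not fields:
        return 0
    # Column names come from UPDATABLE, never from the client, so the f-string is safe;
    # the values are still bound as parameters.
    assignments = ", ".join(f"{col} = ?" for col in fields)
    cur = conn.execute(
        f"UPDATE users SET {assignments} WHERE id = ?",
        (*fields.values(), session_user_id),
    )
    conn.commit()
    return cur.rowcount
```

A password change belongs in the same endpoint family but should additionally require the current password and then invalidate the user's other sessions.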
JWT Token Verification & Regeneration Endpoints
URL: /token/verify
Purpose: Verifies the validity of an authentication token (if using token-based authentication). This check must not live behind one dedicated endpoint only: every protected endpoint where an existing user does something has to perform it.
URL: /token/refresh or similar
Purpose: Renews the tokens that grant temporary access to the user profile. More on the strategies for this regeneration can be read in a previous article, Ways to refresh JWT Access Token. These endpoints matter because JWTs have largely displaced plain session cookies for API and single-page-application authentication, and separate products and services exist that do specifically this. One sample is https://connect2id.com/
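The verify and refresh endpoints above are easiest to reason about with the checks spelled out. The Python example below is added here and is not code from the original post or from any library the post mentions; it uses only the standard library so the HS256 signing and verification are visible. The secret, the lifetimes and the in-memory refresh store are assumptions (in production the secret comes from a vault and the store is a database). The verifier pins the algorithm, checks the signature before trusting any claim, and enforces `exp`; the refresh endpoint rotates tokens and revokes the whole token family when an already-used refresh token is presented again.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

SECRET = b"hypothetical-secret-load-this-from-a-vault"   # assumption: not a real key
ACCESS_TTL = 900            # 15 minutes
REFRESH_TTL = 7 * 86400     # 7 days


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims, key=SECRET):
    """Produce a compact HS256 JWT."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token, key=SECRET, now=None):
    """/token/verify and every protected endpoint: return the claims, or None on any failure."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":            # reject "none" and algorithm confusion
            return None
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None                             # signature checked before any claim is used
        claims = json.loads(_b64url_decode(p))
        if now >= float(claims["exp"]):
            return None
    except (ValueError, TypeError, KeyError):
        return None
    return claims


class TokenService:
    """Short-lived access JWT plus an opaque refresh token with rotation and reuse detection."""

    def __init__(self):
        self.refresh_store = {}   # refresh token -> {"sub", "family", "exp", "used"}

    def issue(self, user_id, now=None, family=None):
        now = time.time() if now is None else now
        access = sign_jwt({"sub": user_id, "iat": int(now), "exp": int(now) + ACCESS_TTL})
        refresh = secrets.token_urlsafe(32)
        self.refresh_store[refresh] = {
            "sub": user_id, "family": family or refresh,
            "exp": now + REFRESH_TTL, "used": False,
        }
        return access, refresh

    def refresh(self, refresh_token, now=None):
        """/token/refresh: returns a new (access, refresh) pair or None."""
        now = time.time() if now is None else now
        rec = self.refresh_store.get(refresh_token)
        if rec is None or now >= rec["exp"]:
            return None
        if rec["used"]:
            # Replay of a token that was already rotated: someone else holds a copy.
            # Revoke every token descended from the same login.
            for tok, r in list(self.refresh_store.items()):
                if r["family"] == rec["family"]:
                    del self.refresh_store[tok]
            return None
        rec["used"] = True
        return self.issue(rec["sub"], now, family=rec["family"])
```

The access token is never looked up server-side, which is the whole point of a JWT, so its lifetime has to be short; the refresh token is the only revocable handle, which is why reuse detection lives there.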
User Information Endpoint
URL: /user/info
or similar
Purpose: Retrieves information about the currently authenticated user. Take special care with access to personal information: return only the fields the client actually needs, and never let the caller choose which user's record to read.
Logout Endpoint
URL: /logout
or similar
Purpose: Logs out the currently authenticated user, ending their session on the server side (clearing the cookie in the browser alone is not enough). In general, and especially in web apps involved in money or banking, users should also be logged out automatically after a period of inactivity and after a maximum session lifetime.
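The automatic logout mentioned above is usually implemented as two limits on a server-side session record: an idle timeout and an absolute lifetime. The Python example below is added here and is not code from the original post; the timeout values and the in-memory store are assumptions (a real store would be a database or cache shared by all application instances). The same `resolve` call is what every protected endpoint runs before doing anything on the user's behalf.

```python
import secrets
import time

# Hypothetical values (assumptions, not from the original post); banking-style short idle limit.
IDLE_TIMEOUT = 5 * 60          # seconds without a request before the session dies
ABSOLUTE_TIMEOUT = 8 * 3600    # hard cap on session age regardless of activity


class SessionStore:
    def __init__(self):
        self.sessions = {}   # session id -> {"user", "created", "last_seen"}

    def create(self, user_id, now=None):
        """Called by /login after the credentials were accepted."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)   # unguessable; never derived from the user id
        self.sessions[sid] = {"user": user_id, "created": now, "last_seen": now}
        return sid

    def resolve(self, sid, now=None):
        """Every protected endpoint: return the user id, or None, evicting stale sessions."""
        now = time.time() if now is None else now
        s = self.sessions.get(sid)
        if s is None:
            return None
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
            del self.sessions[sid]        # automatic logout
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, sid):
        """/logout: destroy the server-side record; returns whether a session existed."""
        return self.sessions.pop(sid, None) is not None

    def logout_everywhere(self, user_id):
        """After a password change or reset: terminate all of the user's sessions."""
        stale = [sid for sid, s in self.sessions.items() if s["user"] == user_id]
        for sid in stale:
            del self.sessions[sid]
        return len(stale)
```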
These are just basic examples; your application may require additional endpoints based on specific features or requirements. It is important to apply as many security best practices as possible. You can read more about potential issues in my previous post.