RestingOwl owl logo RestingOwl

Meet owlauth

Block credential stuffing, detect breached passwords and enforce strong authentication in Node.js. Built to the OWASP Authentication Cheat Sheet and ASVS 5.0.

Install via npm
$ npm install @restingowlorg/owlauth

What OwlAuth Blocks

Every control is traced to a specific OWASP standard. No guesswork, no checkbox security.

๐Ÿšซ
Credential Stuffing
HaveIBeenPwned k-anonymity check blocks use of known-breached passwords at signup and password change.
OWASP A07:2021
๐Ÿ”’
Brute Force Attacks
Rate limiting hooks, account lockout strategies and failed-attempt tracking built into the auth flow.
OWASP A07:2021
๐Ÿ”‘
Weak Password Reuse
zxcvbn strength scoring with context-aware blocking on email, username and custom terms.
OWASP A07:2021
๐Ÿ“ง
Password Exfiltration
Passwordless magic links use CSPRNG tokens, stored as SHA-256 hashes, single-use and 15-minute expiry.
OWASP A07:2021
๐Ÿ“‹
Missing Security Logs
Structured audit events with automatic sensitive-field masking and correlation IDs on every auth action.
OWASP A09:2021
๐Ÿ”
Insecure Password Storage
bcrypt and Argon2 for password hashing, SHA-256 for token storage, aligned with OWASP ASVS 5.0.
OWASP A02:2021

OwlAuth FAQ

OwlAuth focuses on the authentication logic (verifying who the user is). Session management is typically handled by your framework (e.g., Express sessions, JWTs), but we provide the hooks to integrate easily.
We currently provide first-class adapters for PostgreSQL and MongoDB. You can also implement your own adapter by following our standard interface.
OwlAuth uses the HaveIBeenPwned API with k-anonymity. This means only the first 5 characters of the password hash are sent, so the raw password never leaves your server process.
Copied!