RestingOwl owl logo RestingOwl
Authentication Library

Meet owlauth

Block credential stuffing, detect breached passwords and enforce strong authentication in Node.js. Built to the OWASP Authentication Cheat Sheet and ASVS 5.0.

Install via npm
$ npm install @restingowlorg/owlauth
๐Ÿฆ‰

owlauth

@restingowlorg/owlauth
npm version MIT license

Credentials login, passwordless magic links, password hygiene controls, audit logging, and PostgreSQL & MongoDB adapters, all in one consistent API surface.

๐Ÿ”
Credentials Auth

Signup, login, and password rotation with consistent AuthResult<T> responses.

โœ‰๏ธ
Passwordless Magic Links

CSPRNG tokens, hashed at rest, 15-min expiry, single-use enforced.

๐Ÿ”
Breached Password Check

k-anonymity HaveIBeenPwned API, raw password never leaves your process.

๐Ÿง 
Password Strength

zxcvbn scoring + context-aware blocking (email, username, custom terms).

๐Ÿ“‹
Security Audit Logging

Structured events with automatic sensitive-field masking and correlation IDs.

๐Ÿ—„๏ธ
PostgreSQL & MongoDB

Two first-class adapters with the same auth API. Swap at any time.

๐Ÿ›ก๏ธ
Built OWASP-first

Every control is traced to the OWASP Authentication Cheat Sheet, ASVS 5.0, and OWASP Top 10:2025. See full alignment table โ†’

OwlAuth FAQ

OwlAuth focuses on the authentication logic (verifying who the user is). Session management is typically handled by your framework (e.g., Express sessions, JWTs), but we provide the hooks to integrate easily.
We currently provide first-class adapters for PostgreSQL and MongoDB. You can also implement your own adapter by following our standard interface.
OwlAuth uses the HaveIBeenPwned API with k-anonymity. This means only the first 5 characters of the password hash are sent, so the raw password never leaves your server process.
Copied!