
Authentication

Ideon implements a secure, self-hosted authentication system using NextAuth.js (v5) with a custom Kysely adapter.

Features

  • Email/Password: Secure login using Argon2 password hashing.
  • Magic Links: Passwordless login via email.
  • SSO (Single Sign-On): Support for major providers:
    • Google
    • Discord
    • Slack
    • Microsoft Entra ID (Azure AD)
  • Registration Control: Admins can enable/disable public registration globally.
  • Invitations: Invite-only mode supported via the invitations table.
  • Role-Based Access Control (RBAC):
    • superadmin: Full system control.
    • admin: Can manage users and projects.
    • member: Standard user access.

Implementation Details

The authentication flow uses JSON Web Tokens (JWT) for session management, keeping the server stateless regarding sessions.

Registration Flow

  1. User submits email/password or authenticates via SSO.
  2. System checks systemSettings.publicRegistrationEnabled.
  3. If disabled, checks for a valid pending invitation in the invitations table.
  4. If allowed, creates the user in the users table.
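The registration gate described in the flow above, as an added example that is not Ideon's own code: an in-memory stand-in for the systemSettings, invitations, users and auditLogs tables, with the invitation status/expiry columns and event names assumed rather than taken from the project.

```typescript
// Added illustration of Ideon's registration flow; tables are modelled in memory
// and the invitation columns (status, expiresAt) and audit event names are assumptions.
type Invitation = { email: string; status: "pending" | "accepted" | "revoked"; expiresAt: number };
type AuditLog = { event: string; email: string; at: number };

type Store = {
  systemSettings: { publicRegistrationEnabled: boolean };
  invitations: Invitation[];
  users: { email: string; role: "superadmin" | "admin" | "member" }[];
  auditLogs: AuditLog[];
};

type Outcome = { allowed: true; reason: "public" | "invitation" } | { allowed: false; reason: string };

function registerUser(store: Store, email: string, now: number): Outcome {
  const normalized = email.trim().toLowerCase(); // so an invitation matches regardless of case
  const log = (event: string) => store.auditLogs.push({ event, email: normalized, at: now });

  if (store.users.some((u) => u.email === normalized)) {
    log("register.failure.duplicate");
    return { allowed: false, reason: "user already exists" };
  }

  let reason: "public" | "invitation";
  if (store.systemSettings.publicRegistrationEnabled) {
    reason = "public";
  } else {
    // Invite-only: require a pending, unexpired invitation addressed to this email.
    const invite = store.invitations.find(
      (i) => i.email === normalized && i.status === "pending" && i.expiresAt > now,
    );
    if (!invite) {
      log("register.failure.no_invitation");
      return { allowed: false, reason: "registration disabled and no valid invitation" };
    }
    invite.status = "accepted"; // consume the invitation so it cannot be replayed
    reason = "invitation";
  }

  // New accounts get the least-privileged role; admin/superadmin are granted separately.
  store.users.push({ email: normalized, role: "member" });
  log(`register.success.${reason}`);
  return { allowed: true, reason };
}
```

Every branch, including the rejections, writes an auditLogs row, which is what makes failed registration attempts visible to monitoring.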

Password Security

Passwords are hashed using Argon2, a memory-hard hashing algorithm that is highly resistant to GPU-based brute-force attacks.

Security Events

All authentication attempts (success and failure) are logged in the auditLogs table for security monitoring.