Your biggest security problem might be inside your own network. Hackers don’t break in anymore – they just log in with stolen passwords. Old security systems trusted anyone who got inside the network. But now there’s no clear “inside” or “outside.” People work from home, use cloud services, and fall for fake emails. Attackers can pretend to be real users for weeks without being caught.
Zero-Trust Authentication fixes this. Instead of trusting people once they log in, it checks every person, every device, and every request, every single time. The rule is simple: “Trust no one, verify everything.”
This isn’t just theory – it works. Companies using zero-trust security have smaller breaches, meet compliance rules easier, and control who sees what data. This matters because 95% of data breaches happen due to human mistakes, and the average breach now costs $4.88 million.
In this article, you will learn how to build a complete Zero-Trust Authentication system into your web app step by step. From multi-factor authentication (MFA) to behavioral anomaly detection, we will discuss the architecture decisions, code examples, and some real-world approaches you are likely able to implement right away.
Table of Contents
Prerequisites
Before implementing zero-trust, make sure your stack aligns with frequent calls for token checks, volumes of logging, and the additional auth step, all without impairing system performance on the users’ end.
You should at least have knowledge of:
-
JWT and secure session handling
-
MFA, specifically understanding TOTP
-
Basic understanding of middleware design
Audit your system: examine login flows, token handling, protected routes, session termination, and identify weak spots like long sessions or unprotected routes.
What Is Zero-Trust Authentication?
Zero-Trust Authentication (ZTA) redefines how access is granted in contemporary applications. It doesn’t take network location or a single login event into account – it demands the continuous validation of an identity, context, and intent.
Whereas perimeter-based models consider anyone inside a network “safe,” zero-trust presumes every request can be compromised. This means that access decisions are made in real time over verified identity, device posture, and behavioral signals. In short, it’s a “security-first” approach designed for a cloud-native, threat-aware world.
Architecture Overview
Building a ZTA system means checking everyone and everything, all the time. The architecture you can see below demonstrates this “never trust, always verify” approach in action:
Image source: civilsdaily
Here’s how it works:
-
Every request gets checked: When anyone tries to access your network (from office, home, or mobile), they hit the authentication layer first. No exceptions.
-
Identity + context verification: The system doesn’t just check passwords. It looks at who you are, what device you’re using, where you’re connecting from, and what you’re trying to access.
-
Continuous protection: Once inside, the system keeps watching. It protects your data, devices, networks, people, and workloads through constant monitoring and access controls.
-
The big change: Traditional security created a “trusted inside” and “untrusted outside.” Zero-trust eliminates this boundary. Whether you’re connecting to cloud services (AWS, Office 365) or internal systems, every request goes through the same verification process.
Multi-factor Authentication (MFA)
MFA is the foundation of zero-trust security. It requires users to prove who they are with multiple pieces of evidence before getting access. In ZTA, even the strongest password isn’t enough on its own.
To begin, start with a strong password, then add a second factor. For example, Time-based One-Time Password (TOTP) is the most secure. TOTP is the best second factor because it works offline and doesn’t rely on SMS or email (which can be intercepted). Apps like Google Authenticator generate a new code every 30 seconds.
Here’s an example of what that would look like:
<span class="hljs-keyword">const</span> speakeasy = <span class="hljs-built_in">require</span>(<span class="hljs-string">'speakeasy'</span>);
<span class="hljs-keyword">const</span> QRCode = <span class="hljs-built_in">require</span>(<span class="hljs-string">'qrcode'</span>);
<span class="hljs-comment">// Generate TOTP secret for new user</span>
<span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">generateTOTPSecret</span>(<span class="hljs-params">userEmail</span>) </span>{
<span class="hljs-keyword">const</span> secret = speakeasy.generateSecret({
<span class="hljs-attr">name</span>: userEmail,
<span class="hljs-attr">issuer</span>: <span class="hljs-string">'YourApp'</span>,
<span class="hljs-attr">length</span>: <span class="hljs-number">32</span>
});
<span class="hljs-keyword">return</span> {
<span class="hljs-attr">secret</span>: secret.base32,
<span class="hljs-attr">qrCodeUrl</span>: secret.otpauth_url
};
}
When a new user signs up, this function creates a unique secret key just for them. The name is their email, issuer is your app name, and length: 32 makes it extra secure. It returns two things: the secret key (in base32 format) and a special URL that creates a QR code for easy setup.
To verify the code from their app, you check it against the stored secret:
<span class="hljs-comment">// Verify TOTP token</span>
<span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">verifyTOTP</span>(<span class="hljs-params">token, secret</span>) </span>{
<span class="hljs-keyword">return</span> speakeasy.totp.verify({
<span class="hljs-attr">secret</span>: secret,
<span class="hljs-attr">token</span>: token,
<span class="hljs-attr">window</span>: <span class="hljs-number">2</span>,
<span class="hljs-attr">encoding</span>: <span class="hljs-string">'base32'</span>
});
}
When the user enters their 6-digit code, this function checks if it’s correct. The window: 2 is smart – it allows for timing differences (like if their phone clock is slightly off). It returns true if the code is valid, false if not.
SMS verification can serve as a backup option. It’s less secure than TOTP but can work as a backup. Always limit how many SMS codes someone can request to prevent abuse:
<span class="hljs-comment">// SMS verification with rate limiting</span>
<span class="hljs-keyword">async</span> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">sendSMSVerification</span>(<span class="hljs-params">phoneNumber, userId</span>) </span>{
<span class="hljs-keyword">const</span> attempts = <span class="hljs-keyword">await</span> getRecentSMSAttempts(userId);
<span class="hljs-keyword">if</span> (attempts >= <span class="hljs-number">3</span>) {
<span class="hljs-keyword">throw</span> <span class="hljs-keyword">new</span> <span class="hljs-built_in">Error</span>(<span class="hljs-string">'Too many SMS attempts. Please try again later.'</span>);
}
<span class="hljs-keyword">const</span> code = generateRandomCode(<span class="hljs-number">6</span>);
<span class="hljs-keyword">await</span> storeSMSCode(userId, code, <span class="hljs-number">300</span>); <span class="hljs-comment">// 5-minute expiry</span>
<span class="hljs-keyword">await</span> smsProvider.send(phoneNumber, <span class="hljs-string">`Your verification code: <span class="hljs-subst">${code}</span>`</span>);
}
Before sending an SMS, it checks how many times this user has already requested codes. If they’ve tried 3 times, it blocks them (prevents spam/abuse). If they’re under the limit, it creates a random 6-digit code, saves it for 5 minutes (300 seconds), then sends it via SMS.
But what happens if a user loses their phone or authenticator app? Backup codes provide emergency access:
<span class="hljs-comment">// Generate backup codes</span>
<span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">generateBackupCodes</span>(<span class="hljs-params">userId</span>) </span>{
<span class="hljs-keyword">const</span> codes = [];
<span class="hljs-keyword">for</span> (<span class="hljs-keyword">let</span> i = <span class="hljs-number">0</span>; i < <span class="hljs-number">10</span>; i++) {
codes.push(generateRandomCode(<span class="hljs-number">8</span>));
}
<span class="hljs-keyword">const</span> hashedCodes = codes.map(<span class="hljs-function"><span class="hljs-params">code</span> =></span> hashCode(code));
storeBackupCodes(userId, hashedCodes);
<span class="hljs-keyword">return</span> codes; <span class="hljs-comment">// Only show to user once</span>
}
This creates 10 emergency backup codes (each 8 characters long). The for loop runs 10 times, creating a new random code each time. Before storing them in the database, it “hashes” them (scrambles them for security). Then it returns the original codes to show the user once, but stores the scrambled versions so even if someone hacks your database, they can’t see the real codes.
JWT Management
JSON Web Tokens (JWTs) are stateless authentication in a zero-trust system. Using them safely is critical because you need to carefully think through payload design, implement short expiration policies, and implement token rotation and blocklisting that could prevent token theft, token reuse, or privilege escalation.
Let’s walk through how to securely implement and manage JWTs in your web application.
First, define a minimal and secure structure for your access tokens. Only add information that’s necessary for making authorization decisions, and never put anything sensitive even if it is encrypted.
<span class="hljs-comment">// JWT payload structure</span>
<span class="hljs-keyword">const</span> tokenPayload = {
<span class="hljs-attr">sub</span>: userId, <span class="hljs-comment">// Subject (user ID)</span>
<span class="hljs-attr">email</span>: userEmail, <span class="hljs-comment">// User identifier</span>
<span class="hljs-attr">roles</span>: userRoles, <span class="hljs-comment">// User roles array</span>
<span class="hljs-attr">permissions</span>: userPermissions, <span class="hljs-comment">// Specific permissions</span>
<span class="hljs-attr">iat</span>: <span class="hljs-built_in">Math</span>.floor(<span class="hljs-built_in">Date</span>.now() / <span class="hljs-number">1000</span>), <span class="hljs-comment">// Issued at</span>
<span class="hljs-attr">exp</span>: <span class="hljs-built_in">Math</span>.floor(<span class="hljs-built_in">Date</span>.now() / <span class="hljs-number">1000</span>) + <span class="hljs-number">900</span>, <span class="hljs-comment">// Expires in 15 minutes</span>
<span class="hljs-attr">jti</span>: generateUniqueId(), <span class="hljs-comment">// JWT ID for blocklisting</span>
<span class="hljs-attr">aud</span>: <span class="hljs-string">'your-app'</span>, <span class="hljs-comment">// Audience</span>
<span class="hljs-attr">iss</span>: <span class="hljs-string">'your-auth-service'</span> <span class="hljs-comment">// Issuer</span>
};
In the code above, the payload consists of the user identity, roles, permissions, and metadata such as the issued time (iat), expiration (exp), and unique token ID (jti). While aud and iss describe the token’s origin and audience for validation, jti is used for revocation. Thus, it keeps the payload as lean as possible to minimize exposure and overhead.
For security and usability, it’s better to use access tokens with a short lifespan and refresh tokens with a considerably longer duration, which minimizes the window for potential utilization of compromised tokens while providing a smooth user session.
Let’s take this example:
<span class="hljs-comment">// Token generation service</span>
<span class="hljs-class"><span class="hljs-keyword">class</span> <span class="hljs-title">TokenService</span> </span>{
generateTokenPair(user) {
<span class="hljs-keyword">const</span> accessToken = jwt.sign(
<span class="hljs-built_in">this</span>.createAccessTokenPayload(user),
process.env.JWT_SECRET,
{ <span class="hljs-attr">expiresIn</span>: <span class="hljs-string">'15m'</span>, <span class="hljs-attr">algorithm</span>: <span class="hljs-string">'HS256'</span> }
);
<span class="hljs-keyword">const</span> refreshToken = jwt.sign(
{ <span class="hljs-attr">sub</span>: user.id, <span class="hljs-attr">type</span>: <span class="hljs-string">'refresh'</span> },
process.env.REFRESH_SECRET,
{ <span class="hljs-attr">expiresIn</span>: <span class="hljs-string">'7d'</span>, <span class="hljs-attr">algorithm</span>: <span class="hljs-string">'HS256'</span> }
);
<span class="hljs-keyword">return</span> { accessToken, refreshToken };
}
<span class="hljs-keyword">async</span> refreshAccessToken(refreshToken) {
<span class="hljs-keyword">try</span> {
<span class="hljs-keyword">const</span> decoded = jwt.verify(refreshToken, process.env.REFRESH_SECRET);
<span class="hljs-comment">// Check if refresh token is blocklisted</span>
<span class="hljs-keyword">if</span> (<span class="hljs-keyword">await</span> <span class="hljs-built_in">this</span>.isTokenBlocklisted(decoded.jti)) {
<span class="hljs-keyword">throw</span> <span class="hljs-keyword">new</span> <span class="hljs-built_in">Error</span>(<span class="hljs-string">'Token has been revoked'</span>);
}
<span class="hljs-keyword">const</span> user = <span class="hljs-keyword">await</span> getUserById(decoded.sub);
<span class="hljs-keyword">return</span> <span class="hljs-built_in">this</span>.generateTokenPair(user);
} <span class="hljs-keyword">catch</span> (error) {
<span class="hljs-keyword">throw</span> <span class="hljs-keyword">new</span> <span class="hljs-built_in">Error</span>(<span class="hljs-string">'Invalid refresh token'</span>);
}
}
}
generateTokenPair will generate two signed JWTs – that is, an access token with a 15-minute expiration and a refresh token with a validity of 7 days. The refresh tokens are verified to grant new ones and are checked against a blocklist. This ensures that revoked tokens can’t be reused, even if they’re still technically valid.
If you choose, a sliding session can be implemented to reduce friction by renewing tokens for an active user without violating your expiration strategy.
Now, let’s implement a sliding session that automatically refreshes JWTs when they’re close to expiring and the user is still active.
<span class="hljs-comment">// Sliding session implementation</span>
<span class="hljs-keyword">async</span> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">extendSessionIfActive</span>(<span class="hljs-params">token</span>) </span>{
<span class="hljs-keyword">const</span> decoded = jwt.decode(token);
<span class="hljs-keyword">const</span> timeUntilExpiry = decoded.exp - <span class="hljs-built_in">Math</span>.floor(<span class="hljs-built_in">Date</span>.now() / <span class="hljs-number">1000</span>);
<span class="hljs-comment">// If token expires within 5 minutes and user is active, refresh</span>
<span class="hljs-keyword">if</span> (timeUntilExpiry < <span class="hljs-number">300</span> && <span class="hljs-keyword">await</span> isUserActive(decoded.sub)) {
<span class="hljs-keyword">const</span> user = <span class="hljs-keyword">await</span> getUserById(decoded.sub);
<span class="hljs-keyword">return</span> <span class="hljs-built_in">this</span>.generateTokenPair(user);
}
<span class="hljs-keyword">return</span> <span class="hljs-literal">null</span>;
}
The above function checks for token expiration. If the token expires within 5 minutes and the user continues to interact, a new access token pair is issued. This way, the session is kept alive during real activity but still forces expiration for idle users.
<span class="hljs-comment">// Token blocklist service</span>
<span class="hljs-class"><span class="hljs-keyword">class</span> <span class="hljs-title">TokenBlocklistService</span> </span>{
<span class="hljs-keyword">async</span> blocklistToken(token) {
<span class="hljs-keyword">const</span> decoded = jwt.decode(token);
<span class="hljs-keyword">const</span> expiresAt = <span class="hljs-keyword">new</span> <span class="hljs-built_in">Date</span>(decoded.exp * <span class="hljs-number">1000</span>);
<span class="hljs-comment">// Store in Redis with automatic expiry</span>
<span class="hljs-keyword">await</span> redis.setex(
<span class="hljs-string">`blocklist:<span class="hljs-subst">${decoded.jti}</span>`</span>,
<span class="hljs-built_in">Math</span>.max(<span class="hljs-number">0</span>, <span class="hljs-built_in">Math</span>.floor((expiresAt - <span class="hljs-built_in">Date</span>.now()) / <span class="hljs-number">1000</span>)),
<span class="hljs-string">'revoked'</span>
);
}
<span class="hljs-keyword">async</span> isTokenBlocklisted(jti) {
<span class="hljs-keyword">const</span> result = <span class="hljs-keyword">await</span> redis.get(<span class="hljs-string">`blocklist:<span class="hljs-subst">${jti}</span>`</span>);
<span class="hljs-keyword">return</span> result !== <span class="hljs-literal">null</span>;
}
}
In the above code, when users log out or tokens are compromised, the jti is stored in Redis with an expiration time of the remaining life of the token. You can block future uses of a token by checking if its ID exists on the blocklist. This allows for instant invalidation, even though JWTs are stateless.
Session Security
In zero-trust environments, session management goes far beyond keeping users logged in. A session must be treated as a constantly evaluated contract between the user, their device, and the system – and should be revoked the moment trust breaks down.
Here, we’ll build a session system that incorporates adaptive trust scoring, dynamic timeouts, real-time visibility, and revocation mechanisms – all aligned with zero-trust principles.
For example, when a user successfully authenticates, you don’t just store a session ID. Instead, you collect contextual metadata to evaluate ongoing risk. The function below demonstrates how to initialize a session that’s both secure and context-aware.
<span class="hljs-comment">// Comprehensive session creation</span>
<span class="hljs-keyword">async</span> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">createSecureSession</span>(<span class="hljs-params">userId, deviceInfo, clientInfo</span>) </span>{
<span class="hljs-keyword">const</span> sessionId = generateSecureSessionId();
<span class="hljs-keyword">const</span> session = {
<span class="hljs-attr">id</span>: sessionId,
<span class="hljs-attr">userId</span>: userId,
<span class="hljs-attr">deviceFingerprint</span>: generateDeviceFingerprint(deviceInfo),
<span class="hljs-attr">ipAddress</span>: clientInfo.ipAddress,
<span class="hljs-attr">userAgent</span>: clientInfo.userAgent,
<span class="hljs-attr">location</span>: <span class="hljs-keyword">await</span> resolveLocation(clientInfo.ipAddress),
<span class="hljs-attr">createdAt</span>: <span class="hljs-keyword">new</span> <span class="hljs-built_in">Date</span>(),
<span class="hljs-attr">lastActivity</span>: <span class="hljs-keyword">new</span> <span class="hljs-built_in">Date</span>(),
<span class="hljs-attr">trustScore</span>: calculateInitialTrustScore(deviceInfo, clientInfo),
<span class="hljs-attr">securityLevel</span>: determineSecurityLevel(userId, deviceInfo)
};
<span class="hljs-keyword">await</span> storeSession(session);
<span class="hljs-keyword">return</span> session;
}
Many other tools are tracking concerning details during session creation. The device fingerprint, IP address, geolocation, and browser agent data are collected. These metadata are used to compute a trust score, and finally, a security level is assigned to the session to be used for dynamically adjusting policies later.
With this contextual information captured during session creation, the system can spot suspicious behavior during the sessions and, in turn, adapt policies like re-authentication of users or termination of the session.
Not all sessions should be treated equally. If a user logs in via an unfamiliar device or risky location, they should have less time for their session lifespan compared to a trusted setup’s time. The following implementation changes timeout periods on the basis of trust and risk factors:
<span class="hljs-comment">// Adaptive session timeout</span>
<span class="hljs-class"><span class="hljs-keyword">class</span> <span class="hljs-title">SessionTimeoutManager</span> </span>{
calculateTimeoutPeriod(session) {
<span class="hljs-keyword">const</span> baseTimeout = <span class="hljs-number">30</span> * <span class="hljs-number">60</span> * <span class="hljs-number">1000</span>; <span class="hljs-comment">// 30 minutes</span>
<span class="hljs-keyword">const</span> trustMultiplier = session.trustScore / <span class="hljs-number">100</span>;
<span class="hljs-keyword">const</span> securityMultiplier = <span class="hljs-built_in">this</span>.getSecurityMultiplier(session.securityLevel);
<span class="hljs-keyword">return</span> <span class="hljs-built_in">Math</span>.max(
<span class="hljs-number">5</span> * <span class="hljs-number">60</span> * <span class="hljs-number">1000</span>, <span class="hljs-comment">// Minimum 5 minutes</span>
baseTimeout * trustMultiplier * securityMultiplier
);
}
<span class="hljs-keyword">async</span> checkSessionValidity(sessionId) {
<span class="hljs-keyword">const</span> session = <span class="hljs-keyword">await</span> getSession(sessionId);
<span class="hljs-keyword">if</span> (!session) <span class="hljs-keyword">return</span> <span class="hljs-literal">false</span>;
<span class="hljs-keyword">const</span> now = <span class="hljs-built_in">Date</span>.now();
<span class="hljs-keyword">const</span> timeout = <span class="hljs-built_in">this</span>.calculateTimeoutPeriod(session);
<span class="hljs-comment">// Check both idle timeout and absolute timeout</span>
<span class="hljs-keyword">const</span> idleExpired = (now - session.lastActivity) > timeout;
<span class="hljs-keyword">const</span> absoluteExpired = (now - session.createdAt) > <span class="hljs-number">8</span> * <span class="hljs-number">60</span> * <span class="hljs-number">60</span> * <span class="hljs-number">1000</span>; <span class="hljs-comment">// 8 hours max</span>
<span class="hljs-keyword">return</span> !idleExpired && !absoluteExpired;
}
}
The above code keeps session duration adaptable to the risk context at hand. The timeout is calculated by adjusting the base value according to trust and security level, while imposing minimum and maximum bounds.
The system then periodically intervenes to see if the session has become invalid due to inactivity (idle timeout) or simply outlives its initial duration (absolute timeout). This provides a more flexible yet enforceable way of mitigating the risk behind stale or hijacked sessions.
Zero-trust should also mean visibility across all access points. The user should be able to view all active sessions associated with their account, and security systems should also allow them to control these sessions in fine-grained detail. The following code lets you manage those active sessions across devices.
<span class="hljs-comment">// Cross-device session management</span>
<span class="hljs-class"><span class="hljs-keyword">class</span> <span class="hljs-title">SessionManager</span> </span>{
<span class="hljs-keyword">async</span> getUserSessions(userId) {
<span class="hljs-keyword">const</span> sessions = <span class="hljs-keyword">await</span> getActiveSessionsForUser(userId);
<span class="hljs-keyword">return</span> sessions.map(<span class="hljs-function"><span class="hljs-params">session</span> =></span> ({
<span class="hljs-attr">id</span>: session.id,
<span class="hljs-attr">deviceType</span>: <span class="hljs-built_in">this</span>.identifyDeviceType(session.userAgent),
<span class="hljs-attr">location</span>: session.location,
<span class="hljs-attr">lastActivity</span>: session.lastActivity,
<span class="hljs-attr">current</span>: session.id === currentSessionId
}));
}
<span class="hljs-keyword">async</span> revokeSession(sessionId, requestingSessionId) {
<span class="hljs-keyword">const</span> session = <span class="hljs-keyword">await</span> getSession(sessionId);
<span class="hljs-keyword">if</span> (!session) <span class="hljs-keyword">throw</span> <span class="hljs-keyword">new</span> <span class="hljs-built_in">Error</span>(<span class="hljs-string">'Session not found'</span>);
<span class="hljs-comment">// Verify requesting session has permission</span>
<span class="hljs-keyword">const</span> requestingSession = <span class="hljs-keyword">await</span> getSession(requestingSessionId);
<span class="hljs-keyword">if</span> (requestingSession.userId !== session.userId) {
<span class="hljs-keyword">throw</span> <span class="hljs-keyword">new</span> <span class="hljs-built_in">Error</span>(<span class="hljs-string">'Unauthorized'</span>);
}
<span class="hljs-keyword">await</span> <span class="hljs-built_in">this</span>.terminateSession(sessionId);
<span class="hljs-keyword">await</span> <span class="hljs-built_in">this</span>.logSecurityEvent(<span class="hljs-string">'session_revoked'</span>, session);
}
}
Here, users fetch a list of their active sessions along with identifying information such as device type and location. Any session can be securely revoked by the user who owns it, preventing unauthorized access if the session ID is compromised.
This also allows the user to detect suspicious activities in time. All revocations are logged for auditing purposes to enable post-incident investigations as well as compliance reports.
When a trust breaks due to credential theft, suspicious activity, or user-level actions such as password reset, all sessions have to be immediately revoked. This example guarantees a full revocation, promptly applied to all devices:
<span class="hljs-comment">// Real-time session revocation</span>
<span class="hljs-class"><span class="hljs-keyword">class</span> <span class="hljs-title">SessionRevocationService</span> </span>{
<span class="hljs-keyword">async</span> revokeAllUserSessions(userId, reason) {
<span class="hljs-keyword">const</span> sessions = <span class="hljs-keyword">await</span> getActiveSessionsForUser(userId);
<span class="hljs-comment">// Blocklist all tokens for this user</span>
<span class="hljs-keyword">await</span> <span class="hljs-built_in">Promise</span>.all(sessions.map(<span class="hljs-function"><span class="hljs-params">session</span> =></span>
<span class="hljs-built_in">this</span>.blocklistSessionTokens(session.id)
));
<span class="hljs-comment">// Notify all active clients</span>
<span class="hljs-keyword">await</span> <span class="hljs-built_in">Promise</span>.all(sessions.map(<span class="hljs-function"><span class="hljs-params">session</span> =></span>
<span class="hljs-built_in">this</span>.notifySessionTermination(session.id, reason)
));
<span class="hljs-comment">// Clear session data</span>
<span class="hljs-keyword">await</span> clearUserSessions(userId);
<span class="hljs-comment">// Log security event</span>
<span class="hljs-keyword">await</span> <span class="hljs-built_in">this</span>.logSecurityEvent(<span class="hljs-string">'all_sessions_revoked'</span>, {
userId,
reason,
<span class="hljs-attr">sessionCount</span>: sessions.length
});
}
}
The above code permits full-scale revocation. It blocklists all session tokens, sends out termination notices to active clients (for example, through WebSockets), clears the session records on the server-side, and logs the event for auditing. It is an instantaneous and complete response to compromised accounts or states where user risk is very high. It is the foremost component of real-time zero-trust enforcement in any serious authentication system.
Role-Based Access Control (RBAC)
Identity verification determines what users can access once they’re logged in. As the basis for any system that is aware of permissions and follows least privilege, RBAC doesn’t grant access on an individual basis – it groups users into roles that define the operations they are permitted to perform.
Before assigning roles to users, you need a structured system to define what each role can do. A set of granular permissions is first identified and then aggregated under these roles, optionally allowing inheritance and hierarchy. The code below shows how to build a basic permission system:
<span class="hljs-comment">// RBAC permission system</span>
<span class="hljs-class"><span class="hljs-keyword">class</span> <span class="hljs-title">PermissionSystem</span> </span>{
<span class="hljs-keyword">constructor</span>() {
<span class="hljs-built_in">this</span>.permissions = <span class="hljs-keyword">new</span> <span class="hljs-built_in">Map</span>();
<span class="hljs-built_in">this</span>.roles = <span class="hljs-keyword">new</span> <span class="hljs-built_in">Map</span>();
<span class="hljs-built_in">this</span>.roleHierarchy = <span class="hljs-keyword">new</span> <span class="hljs-built_in">Map</span>();
}
<span class="hljs-comment">// Define granular permissions</span>
definePermission(name, description, resource, action) {
<span class="hljs-built_in">this</span>.permissions.set(name, {
name,
description,
resource,
action,
<span class="hljs-attr">createdAt</span>: <span class="hljs-keyword">new</span> <span class="hljs-built_in">Date</span>()
});
}
<span class="hljs-comment">// Create role with inherited permissions</span>
createRole(name, description, parentRole = <span class="hljs-literal">null</span>) {
<span class="hljs-keyword">const</span> role = {
name,
description,
<span class="hljs-attr">permissions</span>: <span class="hljs-keyword">new</span> <span class="hljs-built_in">Set</span>(),
<span class="hljs-attr">createdAt</span>: <span class="hljs-keyword">new</span> <span class="hljs-built_in">Date</span>()
};
<span class="hljs-comment">// Inherit permissions from parent role</span>
<span class="hljs-keyword">if</span> (parentRole && <span class="hljs-built_in">this</span>.roles.has(parentRole)) {
<span class="hljs-keyword">const</span> parent = <span class="hljs-built_in">this</span>.roles.get(parentRole);
role.permissions = <span class="hljs-keyword">new</span> <span class="hljs-built_in">Set</span>(parent.permissions);
<span class="hljs-built_in">this</span>.roleHierarchy.set(name, parentRole);
}
<span class="hljs-built_in">this</span>.roles.set(name, role);
<span class="hljs-keyword">return</span> role;
}
<span class="hljs-comment">// Add permission to role</span>
addPermissionToRole(roleName, permissionName) {
<span class="hljs-keyword">const</span> role = <span class="hljs-built_in">this</span>.roles.get(roleName);
<span class="hljs-keyword">if</span> (!role) <span class="hljs-keyword">throw</span> <span class="hljs-keyword">new</span> <span class="hljs-built_in">Error</span>(<span class="hljs-string">'Role not found'</span>);
<span class="hljs-keyword">if</span> (!<span class="hljs-built_in">this</span>.permissions.has(permissionName)) {
<span class="hljs-keyword">throw</span> <span class="hljs-keyword">new</span> <span class="hljs-built_in">Error</span>(<span class="hljs-string">'Permission not found'</span>);
}
role.permissions.add(permissionName);
}
}
The code above lets you specify fine-grained permissions like documents.read.own and organizes them into roles such as employee or manager that you can independently reuse. You can define roles to inherit from other roles, which avoids redundancy and promotes a consistent, scalable access control logic.
As a general rule to avoid privilege creep, permissions should always be as fine-grained as possible. This lets the application refine access decisions to specific actions or scopes: for example, allowing users to read only their documents versus reading all documents for their team.
<span class="hljs-comment">// Fine-grained permission definitions</span>
<span class="hljs-keyword">const</span> permissions = {
<span class="hljs-comment">// User management</span>
<span class="hljs-string">'users.read'</span>: { <span class="hljs-attr">resource</span>: <span class="hljs-string">'users'</span>, <span class="hljs-attr">action</span>: <span class="hljs-string">'read'</span> },
<span class="hljs-string">'users.create'</span>: { <span class="hljs-attr">resource</span>: <span class="hljs-string">'users'</span>, <span class="hljs-attr">action</span>: <span class="hljs-string">'create'</span> },
<span class="hljs-string">'users.update'</span>: { <span class="hljs-attr">resource</span>: <span class="hljs-string">'users'</span>, <span class="hljs-attr">action</span>: <span class="hljs-string">'update'</span> },
<span class="hljs-string">'users.delete'</span>: { <span class="hljs-attr">resource</span>: <span class="hljs-string">'users'</span>, <span class="hljs-attr">action</span>: <span class="hljs-string">'delete'</span> },
<span class="hljs-comment">// Document management</span>
<span class="hljs-string">'documents.read.own'</span>: { <span class="hljs-attr">resource</span>: <span class="hljs-string">'documents'</span>, <span class="hljs-attr">action</span>: <span class="hljs-string">'read'</span>, <span class="hljs-attr">scope</span>: <span class="hljs-string">'own'</span> },
<span class="hljs-string">'documents.read.team'</span>: { <span class="hljs-attr">resource</span>: <span class="hljs-string">'documents'</span>, <span class="hljs-attr">action</span>: <span class="hljs-string">'read'</span>, <span class="hljs-attr">scope</span>: <span class="hljs-string">'team'</span> },
<span class="hljs-string">'documents.read.all'</span>: { <span class="hljs-attr">resource</span>: <span class="hljs-string">'documents'</span>, <span class="hljs-attr">action</span>: <span class="hljs-string">'read'</span>, <span class="hljs-attr">scope</span>: <span class="hljs-string">'all'</span> },
<span class="hljs-string">'documents.create'</span>: { <span class="hljs-attr">resource</span>: <span class="hljs-string">'documents'</span>, <span class="hljs-attr">action</span>: <span class="hljs-string">'create'</span> },
<span class="hljs-string">'documents.update.own'</span>: { <span class="hljs-attr">resource</span>: <span class="hljs-string">'documents'</span>, <span class="hljs-attr">action</span>: <span class="hljs-string">'update'</span>, <span class="hljs-attr">scope</span>: <span class="hljs-string">'own'</span> },
<span class="hljs-string">'documents.delete.own'</span>: { <span class="hljs-attr">resource</span>: <span class="hljs-string">'documents'</span>, <span class="hljs-attr">action</span>: <span class="hljs-string">'delete'</span>, <span class="hljs-attr">scope</span>: <span class="hljs-string">'own'</span> },
<span class="hljs-comment">// System administration</span>
<span class="hljs-string">'system.logs.read'</span>: { <span class="hljs-attr">resource</span>: <span class="hljs-string">'system'</span>, <span class="hljs-attr">action</span>: <span class="hljs-string">'read'</span>, <span class="hljs-attr">subresource</span>: <span class="hljs-string">'logs'</span> },
<span class="hljs-string">'system.config.update'</span>: { <span class="hljs-attr">resource</span>: <span class="hljs-string">'system'</span>, <span class="hljs-attr">action</span>: <span class="hljs-string">'update'</span>, <span class="hljs-attr">subresource</span>: <span class="hljs-string">'config'</span> }
};
With an array of permissions at its disposal, the app can undertake very precise access control decisions. Instead of merely addressing the binary “is admin” question, this capability enables the system to answer questions such as “can this user delete their own document but not others?”
Static roles are often insufficient. You may want to give people temporary or conditional access, for example, when the team lead takes over for a manager or when a user approves a higher access level for the sake of incident response.
To support these cases, the RBAC system must allow dynamic role assignment – that is, the ability to assign roles on the basis of time, context, or an external trigger such as a security workflow.
The code below assigns a temporary role to a user, notes the exact time at which the role was assigned to the user, and periodically revokes the right after some fixed amount of time. Also, it has a method to calculate a user’s complete set of active rights, depending on their permanent rights, temporary rights, and role-based contextual rights.
<span class="hljs-comment">// Dynamic role assignment system</span>
<span class="hljs-class"><span class="hljs-keyword">class</span> <span class="hljs-title">DynamicRoleAssignment</span> </span>{
<span class="hljs-keyword">async</span> assignTemporaryRole(userId, roleName, duration, reason) {
<span class="hljs-keyword">const</span> assignment = {
userId,
roleName,
<span class="hljs-attr">assignedAt</span>: <span class="hljs-keyword">new</span> <span class="hljs-built_in">Date</span>(),
<span class="hljs-attr">expiresAt</span>: <span class="hljs-keyword">new</span> <span class="hljs-built_in">Date</span>(<span class="hljs-built_in">Date</span>.now() + duration * <span class="hljs-number">1000</span>),
reason,
<span class="hljs-attr">active</span>: <span class="hljs-literal">true</span>
};
<span class="hljs-keyword">await</span> <span class="hljs-built_in">this</span>.storeRoleAssignment(assignment);
<span class="hljs-keyword">await</span> <span class="hljs-built_in">this</span>.logRoleAssignment(assignment);
<span class="hljs-comment">// Schedule automatic revocation</span>
<span class="hljs-built_in">setTimeout</span>(<span class="hljs-function">() =></span> {
<span class="hljs-built_in">this</span>.revokeExpiredAssignment(assignment.id);
}, duration * <span class="hljs-number">1000</span>);
<span class="hljs-keyword">return</span> assignment;
}
<span class="hljs-keyword">async</span> getUserEffectivePermissions(userId, context = {}) {
<span class="hljs-keyword">const</span> user = <span class="hljs-keyword">await</span> getUserById(userId);
<span class="hljs-keyword">const</span> permanentRoles = user.roles || [];
<span class="hljs-keyword">const</span> temporaryRoles = <span class="hljs-keyword">await</span> <span class="hljs-built_in">this</span>.getActiveTemporaryRoles(userId);
<span class="hljs-keyword">const</span> contextualRoles = <span class="hljs-keyword">await</span> <span class="hljs-built_in">this</span>.getContextualRoles(userId, context);
<span class="hljs-keyword">const</span> allRoles = [...permanentRoles, ...temporaryRoles, ...contextualRoles];
<span class="hljs-keyword">const</span> permissions = <span class="hljs-keyword">new</span> <span class="hljs-built_in">Set</span>();
<span class="hljs-keyword">for</span> (<span class="hljs-keyword">const</span> roleName <span class="hljs-keyword">of</span> allRoles) {
<span class="hljs-keyword">const</span> rolePermissions = <span class="hljs-keyword">await</span> <span class="hljs-built_in">this</span>.getRolePermissions(roleName);
rolePermissions.forEach(<span class="hljs-function"><span class="hljs-params">permission</span> =></span> permissions.add(permission));
}
<span class="hljs-keyword">return</span> <span class="hljs-built_in">Array</span>.from(permissions);
}
}
This allows for more flexible security configurations. Temporary roles that are granted have an automatic expiration. The context roles may be added dynamically depending on contextual factors such as location or type of device. Permanent roles are combined with temporary and context roles to compute the aggregate permission set for the user on a per-request basis, which maintains flexibility without compromising control.
Using Middleware to Enforce RBAC
The RBAC policies have to be enforced before any request reaches a protected route or protected data. Middleware is a good place to run such checks in the scope of a web application. We’ll now look into how the reusable middleware function for authorization works.
<span class="hljs-comment">// Authorization middleware</span>
<span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">createAuthorizationMiddleware</span>(<span class="hljs-params">requiredPermission</span>) </span>{
<span class="hljs-keyword">return</span> <span class="hljs-keyword">async</span> (req, res, next) => {
<span class="hljs-keyword">try</span> {
<span class="hljs-comment">// Extract user from validated JWT</span>
<span class="hljs-keyword">const</span> user = req.user;
<span class="hljs-keyword">if</span> (!user) {
<span class="hljs-keyword">return</span> res.status(<span class="hljs-number">401</span>).json({ <span class="hljs-attr">error</span>: <span class="hljs-string">'Authentication required'</span> });
}
<span class="hljs-comment">// Get user's effective permissions</span>
<span class="hljs-keyword">const</span> context = {
<span class="hljs-attr">ipAddress</span>: req.ip,
<span class="hljs-attr">userAgent</span>: req.get(<span class="hljs-string">'User-Agent'</span>),
<span class="hljs-attr">resourceId</span>: req.params.id,
<span class="hljs-attr">timestamp</span>: <span class="hljs-keyword">new</span> <span class="hljs-built_in">Date</span>()
};
<span class="hljs-keyword">const</span> permissions = <span class="hljs-keyword">await</span> roleSystem.getUserEffectivePermissions(
user.id,
context
);
<span class="hljs-comment">// Check if user has required permission</span>
<span class="hljs-keyword">if</span> (!permissions.includes(requiredPermission)) {
<span class="hljs-keyword">await</span> logUnauthorizedAccess(user.id, requiredPermission, context);
<span class="hljs-keyword">return</span> res.status(<span class="hljs-number">403</span>).json({ <span class="hljs-attr">error</span>: <span class="hljs-string">'Insufficient permissions'</span> });
}
<span class="hljs-comment">// Add permissions to request for downstream use</span>
req.userPermissions = permissions;
next();
} <span class="hljs-keyword">catch</span> (error) {
res.status(<span class="hljs-number">500</span>).json({ <span class="hljs-attr">error</span>: <span class="hljs-string">'Authorization check failed'</span> });
}
};
}
<span class="hljs-comment">// Usage in routes</span>
app.get(<span class="hljs-string">'/api/users'</span>,
authenticateToken,
createAuthorizationMiddleware(<span class="hljs-string">'users.read'</span>),
getUsersController
);
In the code above, the middleware will validate user identities in real-time, check if adequate permissions are granted, and allow or deny access accordingly. It’s a central mechanism for enforcing access rules in a uniform way across your routes, and it even records unauthorized attempts for auditing.
Testing Access Control Logic
Once you’ve implemented the RBAC system, testing becomes a must. You want to guarantee that permissions are inherited properly, that access is actually denied when a user isn’t authorized, and that your roles behave as designed in the real world as well as in edge-case scenarios.
The following example uses a testing framework to demonstrate the verification of two fundamental behaviors: inheritance of permissions from parent roles and rejection of unauthorized access.
<span class="hljs-comment">// RBAC testing suite</span>
describe(<span class="hljs-string">'RBAC System'</span>, <span class="hljs-function">() =></span> {
test(<span class="hljs-string">'should inherit permissions from parent roles'</span>, <span class="hljs-keyword">async</span> () => {
<span class="hljs-keyword">const</span> manager = <span class="hljs-keyword">await</span> roleSystem.createRole(<span class="hljs-string">'manager'</span>, <span class="hljs-string">'Team Manager'</span>, <span class="hljs-string">'employee'</span>);
<span class="hljs-keyword">await</span> roleSystem.addPermissionToRole(<span class="hljs-string">'manager'</span>, <span class="hljs-string">'team.manage'</span>);
<span class="hljs-keyword">const</span> permissions = <span class="hljs-keyword">await</span> roleSystem.getRolePermissions(<span class="hljs-string">'manager'</span>);
expect(permissions).toContain(<span class="hljs-string">'documents.read.own'</span>); <span class="hljs-comment">// From employee</span>
expect(permissions).toContain(<span class="hljs-string">'team.manage'</span>); <span class="hljs-comment">// Manager-specific</span>
});
test(<span class="hljs-string">'should deny access without proper permissions'</span>, <span class="hljs-keyword">async</span> () => {
<span class="hljs-keyword">const</span> user = { <span class="hljs-attr">id</span>: <span class="hljs-number">1</span>, <span class="hljs-attr">roles</span>: [<span class="hljs-string">'employee'</span>] };
<span class="hljs-keyword">const</span> req = { user, <span class="hljs-attr">params</span>: { <span class="hljs-attr">id</span>: <span class="hljs-string">'doc123'</span> } };
<span class="hljs-keyword">const</span> res = { <span class="hljs-attr">status</span>: jest.fn().mockReturnThis(), <span class="hljs-attr">json</span>: jest.fn() };
<span class="hljs-keyword">const</span> middleware = createAuthorizationMiddleware(<span class="hljs-string">'documents.delete.all'</span>);
<span class="hljs-keyword">await</span> middleware(req, res, <span class="hljs-function">() =></span> {}); <span class="hljs-comment">// Middleware call simulating request</span>
expect(res.status).toHaveBeenCalledWith(<span class="hljs-number">403</span>);
});
});
The tests represent the positive and negative validations of the access rules. The first test determines whether inherited permissions flow freely from the parent to child roles. The second test blocks any user without the required permission, returning a status code appropriately.
Over time, you can enrich test coverage to include temporary role assignments, contextual conditions, and session-aware behavior to alert you to any regressions before they start affecting production access.
Continuous Verification
Modern access security is not a one-shot check but an ongoing process. A strong system must continuously verify user identity and context throughout the ongoing session while adapting to newly emerging risk signals.
In continuous verification, it’s an assurance that access stays appropriate while the user behavior, device posture, or environment changes mid-session.
To uniquely identify a device, you can combine subtle traits like browser settings, hardware specs, and plugin data. This forms a device “fingerprint,” which helps flag new or suspicious devices attempting access.
<span class="hljs-comment">// Advanced device fingerprinting</span>
<span class="hljs-class"><span class="hljs-keyword">class</span> <span class="hljs-title">DeviceFingerprintService</span> </span>{
generateFingerprint(deviceInfo) {
<span class="hljs-keyword">const</span> components = [
deviceInfo.userAgent,
deviceInfo.screenResolution,
deviceInfo.timezone,
deviceInfo.language,
deviceInfo.platform,
deviceInfo.hardwareConcurrency,
deviceInfo.memorySize,
deviceInfo.availableFonts?.join(<span class="hljs-string">','</span>),
deviceInfo.plugins?.map(<span class="hljs-function"><span class="hljs-params">p</span> =></span> p.name).join(<span class="hljs-string">','</span>),
deviceInfo.webglRenderer,
deviceInfo.audioContext
];
<span class="hljs-keyword">return</span> <span class="hljs-built_in">this</span>.hashComponents(components);
}
calculateTrustScore(currentFingerprint, knownFingerprints) {
<span class="hljs-keyword">if</span> (knownFingerprints.length === <span class="hljs-number">0</span>) <span class="hljs-keyword">return</span> <span class="hljs-number">50</span>; <span class="hljs-comment">// Neutral for new device</span>
<span class="hljs-keyword">const</span> similarities = knownFingerprints.map(<span class="hljs-function"><span class="hljs-params">known</span> =></span>
<span class="hljs-built_in">this</span>.calculateSimilarity(currentFingerprint, known)
);
<span class="hljs-keyword">return</span> <span class="hljs-built_in">Math</span>.min(<span class="hljs-number">100</span>, <span class="hljs-built_in">Math</span>.max(...similarities) * <span class="hljs-number">100</span>);
}
<span class="hljs-keyword">async</span> updateDeviceTrust(userId, deviceFingerprint, securityEvents) {
<span class="hljs-keyword">const</span> device = <span class="hljs-keyword">await</span> <span class="hljs-built_in">this</span>.getOrCreateDevice(userId, deviceFingerprint);
<span class="hljs-keyword">let</span> trustAdjustment = <span class="hljs-number">0</span>;
securityEvents.forEach(<span class="hljs-function"><span class="hljs-params">event</span> =></span> {
<span class="hljs-keyword">switch</span> (event.type) {
<span class="hljs-keyword">case</span> <span class="hljs-string">'successful_login'</span>: trustAdjustment += <span class="hljs-number">5</span>; <span class="hljs-keyword">break</span>;
<span class="hljs-keyword">case</span> <span class="hljs-string">'failed_login'</span>: trustAdjustment -= <span class="hljs-number">10</span>; <span class="hljs-keyword">break</span>;
<span class="hljs-keyword">case</span> <span class="hljs-string">'suspicious_activity'</span>: trustAdjustment -= <span class="hljs-number">25</span>; <span class="hljs-keyword">break</span>;
}
});
device.trustScore = <span class="hljs-built_in">Math</span>.max(<span class="hljs-number">0</span>, <span class="hljs-built_in">Math</span>.min(<span class="hljs-number">100</span>, device.trustScore + trustAdjustment));
<span class="hljs-keyword">await</span> <span class="hljs-built_in">this</span>.updateDevice(device);
<span class="hljs-keyword">return</span> device.trustScore;
}
}
Generating a fingerprint hash from device traits, this service uses historical events to dynamically adjust the device’s trust score. Step-up authentication may be prompted by low scores, or access may be denied altogether.
Behavioral Analysis
People tend to use apps rather consistently – they type a certain way, move the mouse in a particular manner, or browse varied content. Behavioral analysis tries to detect that anomaly by comparing ongoing activities to known ones.
<span class="hljs-comment">// Behavioral analysis system</span>
<span class="hljs-class"><span class="hljs-keyword">class</span> <span class="hljs-title">BehaviorAnalysisService</span> </span>{
<span class="hljs-keyword">async</span> analyzeUserBehavior(userId, currentSession) {
<span class="hljs-keyword">const</span> historicalBehavior = <span class="hljs-keyword">await</span> <span class="hljs-built_in">this</span>.getUserBehaviorProfile(userId);
<span class="hljs-keyword">const</span> anomalies = [];
<span class="hljs-keyword">const</span> typingAnomaly = <span class="hljs-built_in">this</span>.analyzeTypingPatterns(
currentSession.typingData,
historicalBehavior.typingProfile
);
<span class="hljs-keyword">if</span> (typingAnomaly.score > <span class="hljs-number">0.7</span>) {
anomalies.push({ <span class="hljs-attr">type</span>: <span class="hljs-string">'typing_pattern'</span>, <span class="hljs-attr">score</span>: typingAnomaly.score, <span class="hljs-attr">details</span>: typingAnomaly.details });
}
<span class="hljs-keyword">const</span> navigationAnomaly = <span class="hljs-built_in">this</span>.analyzeNavigationPatterns(
currentSession.navigationData,
historicalBehavior.navigationProfile
);
<span class="hljs-keyword">if</span> (navigationAnomaly.score > <span class="hljs-number">0.6</span>) {
anomalies.push({ <span class="hljs-attr">type</span>: <span class="hljs-string">'navigation_pattern'</span>, <span class="hljs-attr">score</span>: navigationAnomaly.score, <span class="hljs-attr">details</span>: navigationAnomaly.details });
}
<span class="hljs-keyword">const</span> timeAnomaly = <span class="hljs-built_in">this</span>.analyzeTimePatterns(
currentSession.timestamp,
historicalBehavior.timeProfile
);
<span class="hljs-keyword">if</span> (timeAnomaly.score > <span class="hljs-number">0.5</span>) {
anomalies.push({ <span class="hljs-attr">type</span>: <span class="hljs-string">'time_pattern'</span>, <span class="hljs-attr">score</span>: timeAnomaly.score, <span class="hljs-attr">details</span>: timeAnomaly.details });
}
<span class="hljs-keyword">return</span> {
<span class="hljs-attr">overallRiskScore</span>: <span class="hljs-built_in">this</span>.calculateOverallRisk(anomalies),
anomalies,
<span class="hljs-attr">recommendations</span>: <span class="hljs-built_in">this</span>.generateRecommendations(anomalies)
};
}
analyzeTypingPatterns(currentData, historicalProfile) {
<span class="hljs-keyword">if</span> (!currentData || !historicalProfile) <span class="hljs-keyword">return</span> { <span class="hljs-attr">score</span>: <span class="hljs-number">0</span> };
<span class="hljs-keyword">const</span> dwellTimeVariance = <span class="hljs-built_in">this</span>.calculateVariance(currentData.dwellTimes, historicalProfile.averageDwellTime);
<span class="hljs-keyword">const</span> flightTimeVariance = <span class="hljs-built_in">this</span>.calculateVariance(currentData.flightTimes, historicalProfile.averageFlightTime);
<span class="hljs-keyword">const</span> score = <span class="hljs-built_in">Math</span>.max(dwellTimeVariance, flightTimeVariance);
<span class="hljs-keyword">return</span> { score, <span class="hljs-attr">details</span>: { dwellTimeVariance, flightTimeVariance, <span class="hljs-attr">sampleSize</span>: currentData.keystrokes.length } };
}
}
This will detect suspicious changes in user behavior and typing characteristics as early warning indicators of session hijacking or insider threat.
Access from a new country or city can either be harmless or highly suspicious. Comparing login geography against historical patterns helps flag impossible travel or access from banned regions.
<span class="hljs-comment">// Location-based access control</span>
<span class="hljs-class"><span class="hljs-keyword">class</span> <span class="hljs-title">LocationAccessControl</span> </span>{
<span class="hljs-keyword">async</span> validateLocationAccess(userId, ipAddress, session) {
<span class="hljs-keyword">const</span> location = <span class="hljs-keyword">await</span> <span class="hljs-built_in">this</span>.resolveLocation(ipAddress);
<span class="hljs-keyword">const</span> user = <span class="hljs-keyword">await</span> getUserById(userId);
<span class="hljs-keyword">const</span> historicalLocations = <span class="hljs-keyword">await</span> <span class="hljs-built_in">this</span>.getUserLocations(userId);
<span class="hljs-keyword">const</span> locationRisk = <span class="hljs-built_in">this</span>.assessLocationRisk(location, historicalLocations);
<span class="hljs-keyword">const</span> lastLocation = <span class="hljs-keyword">await</span> <span class="hljs-built_in">this</span>.getLastKnownLocation(userId);
<span class="hljs-keyword">if</span> (lastLocation) {
<span class="hljs-keyword">const</span> impossibleTravel = <span class="hljs-built_in">this</span>.checkImpossibleTravel(lastLocation, location, session.lastActivity);
<span class="hljs-keyword">if</span> (impossibleTravel.detected) {
<span class="hljs-keyword">await</span> <span class="hljs-built_in">this</span>.logSecurityEvent(<span class="hljs-string">'impossible_travel'</span>, {
userId, <span class="hljs-attr">fromLocation</span>: lastLocation, <span class="hljs-attr">toLocation</span>: location,
<span class="hljs-attr">timeWindow</span>: impossibleTravel.timeWindow,
<span class="hljs-attr">minimumTravelTime</span>: impossibleTravel.minimumTravelTime
});
<span class="hljs-keyword">return</span> { <span class="hljs-attr">allowed</span>: <span class="hljs-literal">false</span>, <span class="hljs-attr">reason</span>: <span class="hljs-string">'impossible_travel'</span>, <span class="hljs-attr">requiresStepUp</span>: <span class="hljs-literal">true</span> };
}
}
<span class="hljs-keyword">if</span> (user.allowedCountries && !user.allowedCountries.includes(location.country)) {
<span class="hljs-keyword">return</span> { <span class="hljs-attr">allowed</span>: <span class="hljs-literal">false</span>, <span class="hljs-attr">reason</span>: <span class="hljs-string">'country_restriction'</span>, <span class="hljs-attr">requiresStepUp</span>: <span class="hljs-literal">true</span> };
}
<span class="hljs-keyword">const</span> highRiskCountries = [<span class="hljs-string">'XX'</span>, <span class="hljs-string">'YY'</span>, <span class="hljs-string">'ZZ'</span>];
<span class="hljs-keyword">if</span> (highRiskCountries.includes(location.country)) {
<span class="hljs-keyword">return</span> { <span class="hljs-attr">allowed</span>: <span class="hljs-literal">true</span>, <span class="hljs-attr">reason</span>: <span class="hljs-string">'high_risk_location'</span>, <span class="hljs-attr">requiresStepUp</span>: <span class="hljs-literal">true</span>, <span class="hljs-attr">additionalVerification</span>: [<span class="hljs-string">'sms'</span>, <span class="hljs-string">'email'</span>] };
}
<span class="hljs-keyword">return</span> { <span class="hljs-attr">allowed</span>: <span class="hljs-literal">true</span>, <span class="hljs-attr">riskScore</span>: locationRisk, location };
}
checkImpossibleTravel(fromLocation, toLocation, lastActivity) {
<span class="hljs-keyword">const</span> distance = <span class="hljs-built_in">this</span>.calculateDistance(fromLocation, toLocation);
<span class="hljs-keyword">const</span> timeElapsed = <span class="hljs-built_in">Date</span>.now() - lastActivity;
<span class="hljs-keyword">const</span> maximumSpeed = <span class="hljs-number">900</span>; <span class="hljs-comment">// km/h</span>
<span class="hljs-keyword">const</span> minimumTravelTime = (distance / maximumSpeed) * <span class="hljs-number">3600000</span>;
<span class="hljs-keyword">return</span> { <span class="hljs-attr">detected</span>: timeElapsed < minimumTravelTime, <span class="hljs-attr">timeWindow</span>: timeElapsed, minimumTravelTime, distance };
}
}
This logic prevents abuse via VPNs or stolen credentials by requiring step-up verification when impossible travel or unusual locations are detected.
Step-Up Authentication
Step-up security introduces friction only when truly needed. With lower risk considered, users move freely. When risk levels rises, they’re asked for stronger proofs, such as biometrics or hardware tokens.
<span class="hljs-comment">// Step-up authentication system</span>
<span class="hljs-class"><span class="hljs-keyword">class</span> <span class="hljs-title">StepUpAuthenticationService</span> </span>{
<span class="hljs-keyword">async</span> evaluateStepUpRequirement(userId, requestContext, resourceSensitivity) {
<span class="hljs-keyword">const</span> riskFactors = <span class="hljs-keyword">await</span> <span class="hljs-built_in">this</span>.calculateRiskFactors(userId, requestContext);
<span class="hljs-keyword">const</span> stepUpRequired = <span class="hljs-built_in">this</span>.shouldRequireStepUp(riskFactors, resourceSensitivity);
<span class="hljs-keyword">if</span> (stepUpRequired.required) {
<span class="hljs-keyword">return</span> {
<span class="hljs-attr">required</span>: <span class="hljs-literal">true</span>,
<span class="hljs-attr">methods</span>: <span class="hljs-built_in">this</span>.selectAuthenticationMethods(riskFactors, stepUpRequired.level),
<span class="hljs-attr">expiresIn</span>: <span class="hljs-built_in">this</span>.calculateStepUpDuration(stepUpRequired.level),
<span class="hljs-attr">reason</span>: stepUpRequired.reason
};
}
<span class="hljs-keyword">return</span> { <span class="hljs-attr">required</span>: <span class="hljs-literal">false</span> };
}
<span class="hljs-keyword">async</span> calculateRiskFactors(userId, context) {
<span class="hljs-keyword">return</span> {
<span class="hljs-attr">deviceTrust</span>: <span class="hljs-keyword">await</span> <span class="hljs-built_in">this</span>.getDeviceTrustScore(userId, context.deviceFingerprint),
<span class="hljs-attr">locationRisk</span>: <span class="hljs-keyword">await</span> <span class="hljs-built_in">this</span>.getLocationRiskScore(userId, context.ipAddress),
<span class="hljs-attr">behaviorAnomaly</span>: <span class="hljs-keyword">await</span> <span class="hljs-built_in">this</span>.getBehaviorAnomalyScore(userId, context.sessionData),
<span class="hljs-attr">timeSinceLastAuth</span>: <span class="hljs-built_in">Date</span>.now() - context.lastAuthTime,
<span class="hljs-attr">resourceSensitivity</span>: context.resourceSensitivity || <span class="hljs-string">'medium'</span>
};
}
shouldRequireStepUp(riskFactors, sensitivity) {
<span class="hljs-keyword">let</span> score = <span class="hljs-number">0</span>;
<span class="hljs-keyword">if</span> (riskFactors.deviceTrust < <span class="hljs-number">70</span>) score += <span class="hljs-number">30</span>;
<span class="hljs-keyword">if</span> (riskFactors.deviceTrust < <span class="hljs-number">40</span>) score += <span class="hljs-number">20</span>;
<span class="hljs-keyword">if</span> (riskFactors.locationRisk > <span class="hljs-number">0.6</span>) score += <span class="hljs-number">25</span>;
<span class="hljs-keyword">if</span> (riskFactors.locationRisk > <span class="hljs-number">0.8</span>) score += <span class="hljs-number">15</span>;
<span class="hljs-keyword">if</span> (riskFactors.behaviorAnomaly > <span class="hljs-number">0.5</span>) score += <span class="hljs-number">20</span>;
<span class="hljs-keyword">if</span> (riskFactors.behaviorAnomaly > <span class="hljs-number">0.7</span>) score += <span class="hljs-number">10</span>;
<span class="hljs-keyword">const</span> hours = riskFactors.timeSinceLastAuth / (<span class="hljs-number">1000</span> * <span class="hljs-number">60</span> * <span class="hljs-number">60</span>);
<span class="hljs-keyword">if</span> (hours > <span class="hljs-number">8</span>) score += <span class="hljs-number">10</span>;
<span class="hljs-keyword">if</span> (hours > <span class="hljs-number">24</span>) score += <span class="hljs-number">15</span>;
score *= { <span class="hljs-attr">low</span>: <span class="hljs-number">0.7</span>, <span class="hljs-attr">medium</span>: <span class="hljs-number">1.0</span>, <span class="hljs-attr">high</span>: <span class="hljs-number">1.3</span>, <span class="hljs-attr">critical</span>: <span class="hljs-number">1.6</span> }[sensitivity] || <span class="hljs-number">1.0</span>;
<span class="hljs-keyword">if</span> (score >= <span class="hljs-number">80</span>) <span class="hljs-keyword">return</span> { <span class="hljs-attr">required</span>: <span class="hljs-literal">true</span>, <span class="hljs-attr">level</span>: <span class="hljs-string">'high'</span>, <span class="hljs-attr">reason</span>: <span class="hljs-string">'high_risk_detected'</span> };
<span class="hljs-keyword">if</span> (score >= <span class="hljs-number">50</span>) <span class="hljs-keyword">return</span> { <span class="hljs-attr">required</span>: <span class="hljs-literal">true</span>, <span class="hljs-attr">level</span>: <span class="hljs-string">'medium'</span>, <span class="hljs-attr">reason</span>: <span class="hljs-string">'moderate_risk_detected'</span> };
<span class="hljs-keyword">if</span> (score >= <span class="hljs-number">25</span>) <span class="hljs-keyword">return</span> { <span class="hljs-attr">required</span>: <span class="hljs-literal">true</span>, <span class="hljs-attr">level</span>: <span class="hljs-string">'low'</span>, <span class="hljs-attr">reason</span>: <span class="hljs-string">'low_risk_detected'</span> };
<span class="hljs-keyword">return</span> { <span class="hljs-attr">required</span>: <span class="hljs-literal">false</span> };
}
selectAuthenticationMethods(riskFactors, level) {
<span class="hljs-keyword">const</span> methods = [];
<span class="hljs-keyword">if</span> (level === <span class="hljs-string">'high'</span>) {
methods.push(<span class="hljs-string">'hardware_token'</span>, <span class="hljs-string">'biometric'</span>);
<span class="hljs-keyword">if</span> (riskFactors.deviceTrust < <span class="hljs-number">30</span>) methods.push(<span class="hljs-string">'admin_approval'</span>);
} <span class="hljs-keyword">else</span> <span class="hljs-keyword">if</span> (level === <span class="hljs-string">'medium'</span>) {
methods.push(<span class="hljs-string">'totp'</span>, <span class="hljs-string">'sms'</span>);
<span class="hljs-keyword">if</span> (riskFactors.locationRisk > <span class="hljs-number">0.7</span>) methods.push(<span class="hljs-string">'email_verification'</span>);
} <span class="hljs-keyword">else</span> <span class="hljs-keyword">if</span> (level === <span class="hljs-string">'low'</span>) {
methods.push(<span class="hljs-string">'totp'</span>);
}
<span class="hljs-keyword">return</span> methods;
}
}
The service uses this balancing technique between critical resources and risks while keeping normal workflows intact when things look safe.
Security Monitoring
Security monitoring provides the observability layer that’s essential for detecting, analyzing, and responding to threats in real time. A strong system must log every authentication event, highlight anomalies, and allow for rapid and automated response to threats. This phase further builds trust by constantly evaluating access patterns and acting on them when signals of risk emerge.
Logging is visibility at its base. These days, every authentication attempt, be it successful, failed, or suspicious, needs to be logged with exhaustive context. This very information helps forensic analysis, alerting, and compliance reporting.
<span class="hljs-comment">// Comprehensive authentication event logging</span>
<span class="hljs-class"><span class="hljs-keyword">class</span> <span class="hljs-title">AuthenticationLogger</span> </span>{
<span class="hljs-keyword">async</span> logAuthenticationEvent(eventType, userId, context, result) {
<span class="hljs-keyword">const</span> logEntry = {
<span class="hljs-attr">timestamp</span>: <span class="hljs-keyword">new</span> <span class="hljs-built_in">Date</span>().toISOString(),
eventType,
userId,
<span class="hljs-attr">sessionId</span>: context.sessionId,
<span class="hljs-attr">ipAddress</span>: context.ipAddress,
<span class="hljs-attr">userAgent</span>: context.userAgent,
<span class="hljs-attr">deviceFingerprint</span>: context.deviceFingerprint,
<span class="hljs-attr">location</span>: context.location,
<span class="hljs-attr">authenticationMethod</span>: context.authMethod,
<span class="hljs-attr">result</span>: result.success ? <span class="hljs-string">'success'</span> : <span class="hljs-string">'failure'</span>,
<span class="hljs-attr">failureReason</span>: result.failureReason,
<span class="hljs-attr">riskScore</span>: result.riskScore,
<span class="hljs-attr">additionalFactorsRequired</span>: result.stepUpRequired,
<span class="hljs-attr">processingTime</span>: result.processingTime,
<span class="hljs-attr">correlationId</span>: context.correlationId
};
<span class="hljs-comment">// Store in multiple destinations for redundancy</span>
<span class="hljs-keyword">await</span> <span class="hljs-built_in">Promise</span>.all([
<span class="hljs-built_in">this</span>.writeToDatabase(logEntry),
<span class="hljs-built_in">this</span>.sendToLogAggregator(logEntry),
<span class="hljs-built_in">this</span>.updateRealTimeMetrics(logEntry)
]);
<span class="hljs-comment">// Trigger real-time alerts for critical events</span>
<span class="hljs-keyword">if</span> (<span class="hljs-built_in">this</span>.isCriticalEvent(logEntry)) {
<span class="hljs-keyword">await</span> <span class="hljs-built_in">this</span>.triggerSecurityAlert(logEntry);
}
}
isCriticalEvent(logEntry) {
<span class="hljs-keyword">const</span> criticalConditions = [
logEntry.result === <span class="hljs-string">'failure'</span> && logEntry.failureReason === <span class="hljs-string">'brute_force_detected'</span>,
logEntry.riskScore > <span class="hljs-number">80</span>,
logEntry.eventType === <span class="hljs-string">'impossible_travel_detected'</span>,
logEntry.eventType === <span class="hljs-string">'account_takeover_suspected'</span>
];
<span class="hljs-keyword">return</span> criticalConditions.some(<span class="hljs-function"><span class="hljs-params">condition</span> =></span> condition);
}
<span class="hljs-keyword">async</span> generateSecurityReport(userId, timeRange) {
<span class="hljs-keyword">const</span> events = <span class="hljs-keyword">await</span> <span class="hljs-built_in">this</span>.getAuthenticationEvents(userId, timeRange);
<span class="hljs-keyword">const</span> analysis = {
<span class="hljs-attr">totalEvents</span>: events.length,
<span class="hljs-attr">successfulLogins</span>: events.filter(<span class="hljs-function"><span class="hljs-params">e</span> =></span> e.result === <span class="hljs-string">'success'</span>).length,
<span class="hljs-attr">failedAttempts</span>: events.filter(<span class="hljs-function"><span class="hljs-params">e</span> =></span> e.result === <span class="hljs-string">'failure'</span>).length,
<span class="hljs-attr">uniqueDevices</span>: <span class="hljs-keyword">new</span> <span class="hljs-built_in">Set</span>(events.map(<span class="hljs-function"><span class="hljs-params">e</span> =></span> e.deviceFingerprint)).size,
<span class="hljs-attr">uniqueLocations</span>: <span class="hljs-keyword">new</span> <span class="hljs-built_in">Set</span>(events.map(<span class="hljs-function"><span class="hljs-params">e</span> =></span> e.location?.country)).size,
<span class="hljs-attr">averageRiskScore</span>: events.reduce(<span class="hljs-function">(<span class="hljs-params">sum, e</span>) =></span> sum + e.riskScore, <span class="hljs-number">0</span>) / events.length,
<span class="hljs-attr">timePatterns</span>: <span class="hljs-built_in">this</span>.analyzeTimePatterns(events),
<span class="hljs-attr">locationPatterns</span>: <span class="hljs-built_in">this</span>.analyzeLocationPatterns(events),
<span class="hljs-attr">devicePatterns</span>: <span class="hljs-built_in">this</span>.analyzeDevicePatterns(events)
};
<span class="hljs-keyword">return</span> analysis;
}
}
In the above code, the class logs detailed authentication events such as the approximate device and location from which it was initiated, the authentication methods used, and the risk score.
From a security perspective, it’s envisaged to generate security reports with the advantage of flagging critical events such as brute-force attempts or logins from suspicious geographies that can send real-time alerts.
Monitoring authentication events isn’t enough – the system must be able to interpret patterns and flag suspicious behavior. This detection system combines static rule-based checks with dynamic anomaly detection powered by machine learning. It identifies threats like brute-force attacks, credential stuffing, and unusual geographic access, then escalates them automatically for further action.
The following code performs real-time threat detection by analyzing recent authentication events and contextual data. Here’s what it does, broken down clearly:
<span class="hljs-comment">// Suspicious activity detection system</span>
<span class="hljs-class"><span class="hljs-keyword">class</span> <span class="hljs-title">SuspiciousActivityDetector</span> </span>{
<span class="hljs-keyword">constructor</span>() {
<span class="hljs-built_in">this</span>.detectionRules = <span class="hljs-built_in">this</span>.initializeDetectionRules();
<span class="hljs-built_in">this</span>.mlModel = <span class="hljs-built_in">this</span>.loadAnomalyDetectionModel();
}
<span class="hljs-keyword">async</span> analyzeActivity(userId, recentEvents, context) {
<span class="hljs-keyword">const</span> suspiciousPatterns = [];
<span class="hljs-comment">// Rule-based detection</span>
<span class="hljs-keyword">const</span> ruleViolations = <span class="hljs-keyword">await</span> <span class="hljs-built_in">this</span>.checkDetectionRules(userId, recentEvents);
suspiciousPatterns.push(...ruleViolations);
<span class="hljs-comment">// ML-based anomaly detection</span>
<span class="hljs-keyword">const</span> anomalies = <span class="hljs-keyword">await</span> <span class="hljs-built_in">this</span>.detectAnomalies(userId, recentEvents, context);
suspiciousPatterns.push(...anomalies);
<span class="hljs-comment">// Threat intelligence correlation</span>
<span class="hljs-keyword">const</span> threatMatches = <span class="hljs-keyword">await</span> <span class="hljs-built_in">this</span>.correlateThreatIntelligence(context);
suspiciousPatterns.push(...threatMatches);
<span class="hljs-keyword">if</span> (suspiciousPatterns.length > <span class="hljs-number">0</span>) {
<span class="hljs-keyword">await</span> <span class="hljs-built_in">this</span>.escalateSuspiciousActivity(userId, suspiciousPatterns);
}
<span class="hljs-keyword">return</span> {
<span class="hljs-attr">suspicious</span>: suspiciousPatterns.length > <span class="hljs-number">0</span>,
<span class="hljs-attr">patterns</span>: suspiciousPatterns,
<span class="hljs-attr">riskScore</span>: <span class="hljs-built_in">this</span>.calculateSuspiciousActivityRisk(suspiciousPatterns)
};
}
initializeDetectionRules() {
<span class="hljs-keyword">return</span> [
{
<span class="hljs-attr">name</span>: <span class="hljs-string">'brute_force_detection'</span>,
<span class="hljs-attr">condition</span>: <span class="hljs-function">(<span class="hljs-params">events</span>) =></span> {
<span class="hljs-keyword">const</span> failedAttempts = events.filter(<span class="hljs-function"><span class="hljs-params">e</span> =></span>
e.result === <span class="hljs-string">'failure'</span> &&
<span class="hljs-built_in">Date</span>.now() - <span class="hljs-keyword">new</span> <span class="hljs-built_in">Date</span>(e.timestamp).getTime() < <span class="hljs-number">300000</span> <span class="hljs-comment">// 5 minutes</span>
);
<span class="hljs-keyword">return</span> failedAttempts.length >= <span class="hljs-number">5</span>;
},
<span class="hljs-attr">severity</span>: <span class="hljs-string">'high'</span>,
<span class="hljs-attr">action</span>: <span class="hljs-string">'temporary_lockout'</span>
},
{
<span class="hljs-attr">name</span>: <span class="hljs-string">'credential_stuffing'</span>,
<span class="hljs-attr">condition</span>: <span class="hljs-function">(<span class="hljs-params">events</span>) =></span> {
<span class="hljs-keyword">const</span> recentFailures = events.filter(<span class="hljs-function"><span class="hljs-params">e</span> =></span>
e.result === <span class="hljs-string">'failure'</span> &&
<span class="hljs-built_in">Date</span>.now() - <span class="hljs-keyword">new</span> <span class="hljs-built_in">Date</span>(e.timestamp).getTime() < <span class="hljs-number">3600000</span> <span class="hljs-comment">// 1 hour</span>
);
<span class="hljs-keyword">const</span> uniqueUsernames = <span class="hljs-keyword">new</span> <span class="hljs-built_in">Set</span>(recentFailures.map(<span class="hljs-function"><span class="hljs-params">e</span> =></span> e.username));
<span class="hljs-keyword">return</span> uniqueUsernames.size >= <span class="hljs-number">10</span>;
},
<span class="hljs-attr">severity</span>: <span class="hljs-string">'medium'</span>,
<span class="hljs-attr">action</span>: <span class="hljs-string">'rate_limiting'</span>
},
{
<span class="hljs-attr">name</span>: <span class="hljs-string">'suspicious_location_pattern'</span>,
<span class="hljs-attr">condition</span>: <span class="hljs-function">(<span class="hljs-params">events</span>) =></span> {
<span class="hljs-keyword">const</span> locations = events.map(<span class="hljs-function"><span class="hljs-params">e</span> =></span> e.location?.country).filter(<span class="hljs-built_in">Boolean</span>);
<span class="hljs-keyword">const</span> uniqueCountries = <span class="hljs-keyword">new</span> <span class="hljs-built_in">Set</span>(locations);
<span class="hljs-keyword">return</span> uniqueCountries.size >= <span class="hljs-number">3</span> && events.length >= <span class="hljs-number">5</span>;
},
<span class="hljs-attr">severity</span>: <span class="hljs-string">'medium'</span>,
<span class="hljs-attr">action</span>: <span class="hljs-string">'enhanced_verification'</span>
}
];
}
<span class="hljs-keyword">async</span> detectAnomalies(userId, events, context) {
<span class="hljs-keyword">const</span> features = <span class="hljs-built_in">this</span>.extractFeatures(events, context);
<span class="hljs-keyword">const</span> anomalyScore = <span class="hljs-keyword">await</span> <span class="hljs-built_in">this</span>.mlModel.predict(features);
<span class="hljs-keyword">if</span> (anomalyScore > <span class="hljs-number">0.7</span>) {
<span class="hljs-keyword">return</span> [{
<span class="hljs-attr">type</span>: <span class="hljs-string">'ml_anomaly'</span>,
<span class="hljs-attr">score</span>: anomalyScore,
<span class="hljs-attr">features</span>: features,
<span class="hljs-attr">description</span>: <span class="hljs-string">'Machine learning model detected anomalous behavior pattern'</span>
}];
}
<span class="hljs-keyword">return</span> [];
}
}
This class applies multiple techniques to detect threats. It first evaluates authentication history using static rules for brute-force attempts, large-scale credential reuse, or location anomalies. It then passes behavioral data through a trained ML model to spot subtle patterns missed by rules. If any suspicious pattern is detected, it returns a structured risk report and initiates escalation.
Automating Threat Response
Most times, systems respond in real-time. Automated threat response follows predefined actions and includes locking an account, alerting users, or blocking an IP, among others, when a high-risk event occurs.
<span class="hljs-comment">// Automated threat response system</span>
<span class="hljs-class"><span class="hljs-keyword">class</span> <span class="hljs-title">AutomatedThreatResponse</span> </span>{
<span class="hljs-keyword">constructor</span>() {
<span class="hljs-built_in">this</span>.responsePlaybooks = <span class="hljs-built_in">this</span>.initializeResponsePlaybooks();
<span class="hljs-built_in">this</span>.escalationPolicies = <span class="hljs-built_in">this</span>.loadEscalationPolicies();
}
<span class="hljs-keyword">async</span> processSecurityEvent(event) {
<span class="hljs-keyword">const</span> threatLevel = <span class="hljs-built_in">this</span>.assessThreatLevel(event);
<span class="hljs-keyword">const</span> applicablePlaybooks = <span class="hljs-built_in">this</span>.selectPlaybooks(event, threatLevel);
<span class="hljs-keyword">const</span> responses = [];
<span class="hljs-keyword">for</span> (<span class="hljs-keyword">const</span> playbook <span class="hljs-keyword">of</span> applicablePlaybooks) {
<span class="hljs-keyword">const</span> response = <span class="hljs-keyword">await</span> <span class="hljs-built_in">this</span>.executePlaybook(playbook, event);
responses.push(response);
}
<span class="hljs-keyword">if</span> (threatLevel === <span class="hljs-string">'critical'</span> || responses.some(<span class="hljs-function"><span class="hljs-params">r</span> =></span> !r.success)) {
<span class="hljs-keyword">await</span> <span class="hljs-built_in">this</span>.escalateToHuman(event, responses);
}
<span class="hljs-keyword">return</span> {
event,
threatLevel,
responses,
<span class="hljs-attr">timestamp</span>: <span class="hljs-keyword">new</span> <span class="hljs-built_in">Date</span>()
};
}
initializeResponsePlaybooks() {
<span class="hljs-keyword">return</span> [
{
<span class="hljs-attr">name</span>: <span class="hljs-string">'brute_force_response'</span>,
<span class="hljs-attr">triggers</span>: [<span class="hljs-string">'brute_force_detected'</span>],
<span class="hljs-attr">actions</span>: [
{ <span class="hljs-attr">type</span>: <span class="hljs-string">'temporary_lockout'</span>, <span class="hljs-attr">duration</span>: <span class="hljs-number">900</span> },
{ <span class="hljs-attr">type</span>: <span class="hljs-string">'rate_limiting'</span>, <span class="hljs-attr">factor</span>: <span class="hljs-number">10</span> },
{ <span class="hljs-attr">type</span>: <span class="hljs-string">'notify_user'</span>, <span class="hljs-attr">method</span>: <span class="hljs-string">'email'</span> },
{ <span class="hljs-attr">type</span>: <span class="hljs-string">'log_security_event'</span>, <span class="hljs-attr">level</span>: <span class="hljs-string">'high'</span> }
]
},
{
<span class="hljs-attr">name</span>: <span class="hljs-string">'account_takeover_response'</span>,
<span class="hljs-attr">triggers</span>: [<span class="hljs-string">'impossible_travel'</span>, <span class="hljs-string">'behavior_anomaly_high'</span>],
<span class="hljs-attr">actions</span>: [
{ <span class="hljs-attr">type</span>: <span class="hljs-string">'terminate_all_sessions'</span> },
{ <span class="hljs-attr">type</span>: <span class="hljs-string">'require_password_reset'</span> },
{ <span class="hljs-attr">type</span>: <span class="hljs-string">'notify_user'</span>, <span class="hljs-attr">method</span>: <span class="hljs-string">'multiple'</span> },
{ <span class="hljs-attr">type</span>: <span class="hljs-string">'freeze_account'</span>, <span class="hljs-attr">duration</span>: <span class="hljs-number">7200</span> }
]
}
];
}
<span class="hljs-keyword">async</span> executePlaybook(playbook, event) {
<span class="hljs-keyword">const</span> execution = {
<span class="hljs-attr">playbookName</span>: playbook.name,
<span class="hljs-attr">eventId</span>: event.id,
<span class="hljs-attr">actions</span>: [],
<span class="hljs-attr">success</span>: <span class="hljs-literal">true</span>
};
<span class="hljs-keyword">for</span> (<span class="hljs-keyword">const</span> action <span class="hljs-keyword">of</span> playbook.actions) {
<span class="hljs-keyword">try</span> {
<span class="hljs-keyword">const</span> result = <span class="hljs-keyword">await</span> <span class="hljs-built_in">this</span>.executeAction(action, event);
execution.actions.push(result);
<span class="hljs-keyword">if</span> (!result.success) {
execution.success = <span class="hljs-literal">false</span>;
<span class="hljs-keyword">break</span>;
}
} <span class="hljs-keyword">catch</span> (err) {
execution.success = <span class="hljs-literal">false</span>;
execution.error = err.message;
}
}
<span class="hljs-keyword">return</span> execution;
}
<span class="hljs-keyword">async</span> executeAction(action, event) {
<span class="hljs-keyword">switch</span> (action.type) {
<span class="hljs-keyword">case</span> <span class="hljs-string">'temporary_lockout'</span>:
<span class="hljs-keyword">await</span> <span class="hljs-built_in">this</span>.lockoutUser(event.userId, action.duration);
<span class="hljs-keyword">return</span> { <span class="hljs-attr">success</span>: <span class="hljs-literal">true</span>, <span class="hljs-attr">type</span>: action.type };
<span class="hljs-keyword">case</span> <span class="hljs-string">'notify_user'</span>:
<span class="hljs-keyword">await</span> <span class="hljs-built_in">this</span>.notifyUser(event.userId, action.method, event);
<span class="hljs-keyword">return</span> { <span class="hljs-attr">success</span>: <span class="hljs-literal">true</span>, <span class="hljs-attr">type</span>: action.type };
<span class="hljs-keyword">default</span>:
<span class="hljs-keyword">return</span> { <span class="hljs-attr">success</span>: <span class="hljs-literal">false</span>, <span class="hljs-attr">type</span>: action.type, <span class="hljs-attr">error</span>: <span class="hljs-string">'Unknown action'</span> };
}
}
}
Here, the system uses playbooks – predefined actions to be taken in response to threats. For example, locks user from further brute-force attempts for some time and sends them an email notification. Freezing the account and ending all sessions are some reactive measures you can take if suspicious behavior indicates a takeover. These measures ensure fast and consistent action to mitigate damage even before humans can get involved.
Conclusion
Zero-trust authentication creates a strong line of distinction going against classic perimeter-based security. It must be painstakingly planned, implemented in layers, and constantly improved. This article offers a structured path, from basic MFA to intelligent behavioral monitoring and automated threat response.
Complementing the improvement of security, zero-trust promises better user experience, compliance readiness, and decreased incident risk. When organizations maintain a perpetual position of zero trust, we can see an actual positive impact on their ability to detect, prevent, and respond to threats in real time.
To have long-term success with this approach, you’ll need to continuously monitor your setup, perform periodic assessments, and be responsive to evolving attack patterns. Feedback loops and performance data are essential to keep the system secure yet user-friendly.
As threats grow more sophisticated, so must our defenses. ZTA provides a durable foundation – ready to evolve with emerging technologies like adaptive biometrics and AI-driven risk engines. Organizations investing in it today will be better equipped to meet tomorrow’s security and usability demands.
Source: freeCodeCamp Programming Tutorials: Python, JavaScript, Git & MoreÂ