A Node startup reinvents online security

UNLOQ started out of the desire to completely remove passwords from users’ lives. We’re Internet addicts and we all have at least a dozen accounts on a website somewhere that we don’t use or that we only use occasionally. To make things simpler we often use the same password (because who would want to hack you, right?) or the same variation of that password. It’s easier to remember and it’s just simpler. Yes, and it’s also the weakest link in online security. Yes, you are the weakest link!


Most people use generic names and combinations of letters on the principle that they should be easier to remember. Well, easy to remember means easy to hack, and recent events showed us just that (e.g. the LinkedIn password leak). Mark Zuckerberg reportedly used “dadada” as a password and I know that at least one of you has a password called “cabbage” or your cat’s name or something that you think nobody could guess.

You might be one of the few that tries as hard as possible to bulletproof their passwords with numbers, upper and lower case, special characters, anything short of virgin blood, but in the end any and every password can be hacked. And most people are easily hackable. And we’re not just talking about losing your social media account; there are a lot more valuable things that you could lose than just that. People are the weakest link through the way they use passwords. 70% of people have the same password for more than one account.

By completely removing passwords, UNLOQ helps companies strengthen their cyber security by toughening the weakest link. Passwordless is the new security!

Unloq uses JavaScript as its main language for both the front end and the back end, where it uses Node.js in a very interesting way. The Unloq team actually created their own framework for this project, a framework called Crux that worked for a time, but because it had all of its features bundled together it wasn’t very practical. So they moved from Crux to Thorin, a modular framework, where you can pick and choose exactly what you need without having to install the whole package.

Thorin is the core module, the chassis of the framework, binding all the other modules together. The core module abstracts away HTTP/TCP/WS requests, treating them as a set of input/output data. The transport provides the input data (called an Intent, encapsulating the incoming request information, client IP, headers, etc.) and passes it to the centralized dispatcher. The dispatcher will then route the intent through a set of authorization and middleware functions. The intent can be terminated (with success or error) in any of these functions (almost like Express middleware, but more complex). Once the intent is terminated, the transport will then know to return the result to the client (browser, device, etc.).
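The flow described above, as an added sketch that is not Thorin's own code: a transport-agnostic intent passes through an authorization step before the handler, and any step can terminate it. The `Intent` and `Dispatcher` classes, the `account.read` action, the error codes and the session table are all hypothetical names constructed for this illustration.

```javascript
// Added illustration: Intent, Dispatcher and the action names are hypothetical,
// not Thorin's real classes or API.
class Intent {
  constructor(action, input, client) {
    this.action = action;   // e.g. "account.read"
    this.input = input;     // payload supplied by the transport
    this.client = client;   // { ip, headers } captured by the transport
    this.data = {};         // state shared between pipeline steps
    this.outcome = null;    // set exactly once; the intent is then terminated
  }
  get terminated() { return this.outcome !== null; }
  success(body) { if (!this.terminated) this.outcome = { ok: true, body }; }
  error(code) { if (!this.terminated) this.outcome = { ok: false, code }; }
}

class Dispatcher {
  constructor() { this.actions = new Map(); }
  // Steps run in order: authorization first, then middleware, then the handler.
  register(action, ...steps) { this.actions.set(action, steps); }
  dispatch(intent) {
    const steps = this.actions.get(intent.action);
    if (!steps) intent.error('ACTION_NOT_FOUND');
    for (const step of steps || []) {
      if (intent.terminated) break;   // nothing runs after termination
      try { step(intent); } catch (e) { intent.error('SERVER_ERROR'); } // fail closed
    }
    if (!intent.terminated) intent.error('NO_RESULT');
    return intent.outcome;            // the transport serialises this for the client
  }
}

// Constructed sample data: one session token mapped to one user.
const SESSIONS = new Map([['tok-123', { id: 7 }]]);
const requireSession = (intent) => {
  const user = SESSIONS.get(intent.client.headers.authorization);
  if (!user) return intent.error('UNAUTHORIZED');
  intent.data.user = user;
};

const dispatcher = new Dispatcher();
dispatcher.register('account.read', requireSession,
  (intent) => intent.success({ userId: intent.data.user.id }));

// Both transports build the same Intent shape, so the same checks apply to each.
const fromHttp = (req) => dispatcher.dispatch(
  new Intent(req.path.slice(1), req.body, { ip: req.ip, headers: req.headers }));
const fromWs = (msg, socket) => dispatcher.dispatch(
  new Intent(msg.action, msg.payload, { ip: socket.ip, headers: socket.headers }));
```

Because the authorization step lives in the dispatcher pipeline rather than in a transport, a new transport cannot reach the handler without passing it, and an exception inside any step ends the intent with a generic error instead of a result.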

This approach was inspired by the Flux architecture (especially Redux), where actions are routed through a dispatcher and reduced by the middleware functionalities. Thorin has 4 main categories of modules:

  • Transports (currently http and websockets) – abstract away the transport layer, providing the dispatcher with an intent.

  • Stores (think MySQL, Redis, ElasticSearch) – wrappers over different store modules (Sequelize, Redis, elasticsearch) that provide better error handling, structure, auto-loading, connection handling, etc. (stores can be requested by calling “{storeName}”)

  • Plugins – modules that extend functionality of either the core module or other transports or stores. As an example, thorin-plugin-render adds render capability to the HTTP transport, extending the intent/action class and using different render engines (currently nunjucks). The thorin-plugin-auth-password plugin adds authorization handlers that correctly handle user login (using scrypt, hashing passwords correctly, protecting against timing attacks, etc.). Transports can be requested by calling thorin.transport(“{transportName}”). Plugins can be requested from anywhere by calling thorin.plugin(“{pluginName}”).

  • Libraries – a set of additional code that can be used throughout the application. You can look at these libraries as singleton services that do one thing and do it well. Libraries can be requested from anywhere by calling thorin.lib(“{libraryName}”).
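What "using scrypt, hashing passwords correctly, protecting against timing attacks" can look like with Node's built-in crypto module, as an added example that is not thorin-plugin-auth-password's code. The function names, the stored-hash format, the scrypt parameters and the dummy-hash technique for unknown users are assumptions made for this sketch.

```javascript
// Added illustration; hashPassword/verifyStored/login, the record format and
// the parameters are assumptions, not the plugin's implementation.
const crypto = require('node:crypto');

const PARAMS = { N: 16384, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };
const KEY_LEN = 32;

// Store the cost parameters and a per-user random salt next to the derived key.
function hashPassword(password) {
  const salt = crypto.randomBytes(16);
  const key = crypto.scryptSync(password, salt, KEY_LEN, PARAMS);
  return ['scrypt', PARAMS.N, PARAMS.r, PARAMS.p,
    salt.toString('base64'), key.toString('base64')].join('$');
}

function verifyStored(password, stored) {
  const [scheme, N, r, p, salt, key] = String(stored).split('$');
  if (scheme !== 'scrypt' || !salt || !key) return false;
  const expected = Buffer.from(key, 'base64');
  // Reject malformed records: an empty key would compare equal to anything empty.
  if (expected.length !== KEY_LEN) return false;
  const actual = crypto.scryptSync(password, Buffer.from(salt, 'base64'), KEY_LEN,
    { N: Number(N), r: Number(r), p: Number(p), maxmem: PARAMS.maxmem });
  // Constant-time comparison: no early exit on the first differing byte.
  return crypto.timingSafeEqual(actual, expected);
}

// Computed once at startup and checked when the account does not exist, so an
// unknown username costs the same scrypt work as a known one.
const DUMMY = hashPassword(crypto.randomBytes(16).toString('hex'));

function login(users, username, password) {
  const record = users.get(username);
  const matched = verifyStored(password, record ? record.hash : DUMMY);
  return Boolean(record) && matched;
}
```

The dummy hash addresses a second timing signal beyond the byte comparison: without it, a login for a non-existent account returns much faster than one that runs scrypt, which reveals which usernames exist.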

The really cool thing is that anyone can write their own module and integrate it with Thorin. Do you have a special transport protocol that you want to use in your app? Write a thorin-transport module! You want to write authorization functionalities for other service providers? Write a plugin and load it up! It’s easy, it’s practical and it works!

Here are the current modules that thorin has implemented (that you can also find in :

  • Plugin-auth-password – provides authorization middlewares for password checking and login

  • Plugin-auth-history – keeps a login history with ip/headers for other auth plugins

  • Plugin-auth-unloq – implements UNLOQ authentication

  • Plugin-docs – generates markdown documentation based on your application’s actions (action name, input data)

  • Plugin-less – less css processor integration and watcher

  • Plugin-loglet – client for centralized log storing and live streaming

  • Plugin-react – provides boilerplate setup for a react application with webpack and hot reload (work in progress)

  • Plugin-render – adds rendering capabilities for the transport layer, (currently) using nunjucks

  • Plugin-sass – sass css processor integration and watcher

  • Plugin-session – adds secure session capabilities for the thorin intent

  • Plugin-stripe – adds authorization middlewares for Stripe payments and implements webhook callbacks

  • Plugin-tasks – provides cron tasks that run at specific intervals of time and persist after the app restarts

  • Plugin-upload – utility function that handles file uploading

  • Plugin-upload-aws – storage solution for uploading files to AWS S3

  • Sanitize – core module used by thorin to sanitize intent input data.

  • Store-elastic – ElasticSearch wrapper

  • Store-redis – Redis wrapper with seamless publish/subscribe and multi execs

  • Store-sql – Sequelize wrapper that provides auto model loading, CRUDL functionalities for entities and error handling, so that DB errors never reach the end client.

  • Transport-http – the HTTP Transport, with security functionalities built-in

  • Transport-ws – the Websocket transport, using

Check out all the modules; their technology is truly innovative, made from the ground up for a product that is in itself innovative. Unloq offers passwordless security through a combination of multi-factor authentication, encryption keys and transaction authorisation. It’s not just another example of a successful Node.js startup, but a poster boy for Node.js as a powerful backend language. Check out their listing on our site and follow them on Facebook here.