Multi-factor authentication for Strapi v5 admin panel with license-gated Pro features.

Package Exports

  • strapi-plugin-shieldauth/package.json
  • strapi-plugin-shieldauth/strapi-server

Readme

ShieldAuth – MFA for Strapi v5

Secure your Strapi admin panel with modern multi-factor authentication (MFA).

ShieldAuth adds an extensible authentication layer to Strapi, starting with TOTP and designed for future support of Email OTP, SMS, and WebAuthn.


🚀 Installation

npm install strapi-plugin-shieldauth

⚙️ Configuration

Add the plugin to your Strapi config:

export default ({ env }) => ({
  shieldauth: {
    enabled: true,
    config: {
      licenseKey: env('SHIELDAUTH_LICENSE_KEY'),
      appName: 'Your App Name',
      issuer: 'Your Company Name',
    },
  },
});

🔐 Environment Variables

SHIELDAUTH_ENCRYPTION_KEY=<secure-random-32-byte-key>
SHIELDAUTH_LICENSE_KEY=<your-valid-license-key>

Generate a secure encryption key:

node -e "console.log(require('crypto').randomBytes(32).toString('base64'))"

▶️ Usage

Start your Strapi app:

npm run develop

Then open:

http://localhost:1337/admin

Setup Flow

  1. Navigate to ShieldAuth in the admin panel
  2. Enroll your authenticator app (Google Authenticator, Microsoft Authenticator, etc.)
  3. Save your recovery codes securely
  4. Log out and log back in to activate MFA

✨ Features

  • Time-based One-Time Password (TOTP)
  • Encrypted secrets (AES-256-GCM)
  • Recovery codes (single-use)
  • Replay protection
  • Rate limiting on authentication attempts
  • One-time login nonce (secure step-up flow)
  • Extensible MFA architecture
  • License-based feature control
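
How TOTP verification and replay protection from the list above fit together, as an added example: this is a generic RFC 6238 check written for this page, not ShieldAuth's own code. All function names, the in-memory `lastUsed` map and the one-step drift window are assumptions.

```javascript
// Added example: generic RFC 6238 TOTP check with replay protection.
// Not ShieldAuth's code; every name below is hypothetical.
const { createHmac, timingSafeEqual } = require('node:crypto');

const STEP_SECONDS = 30; // RFC 6238 default time step
const DIGITS = 6;

// RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
function hotp(secret, counter) {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = createHmac('sha1', secret).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;
  const bin = mac.readUInt32BE(offset) & 0x7fffffff;
  return String(bin % 10 ** DIGITS).padStart(DIGITS, '0');
}

// userId -> highest time-step counter already accepted.
// In-memory stand-in (assumption) for a persistent store.
const lastUsed = new Map();

// Accepts a code from the current step or one step either side (clock drift),
// and rejects any step that is not newer than the last accepted one.
function verifyTotp(userId, secret, code, nowSeconds) {
  if (!/^\d{6}$/.test(code)) return false;
  const current = Math.floor(nowSeconds / STEP_SECONDS);
  const floor = lastUsed.has(userId) ? lastUsed.get(userId) : -1;
  for (const counter of [current - 1, current, current + 1]) {
    if (counter <= floor) continue; // replayed or older step
    const expected = Buffer.from(hotp(secret, counter));
    if (timingSafeEqual(expected, Buffer.from(code))) {
      lastUsed.set(userId, counter); // burn this step and everything before it
      return true;
    }
  }
  return false;
}
```

Recording the accepted step per user is what makes a captured code useless for the rest of its 30-second window; the secret passed in is the raw key bytes, after decryption and base32 decoding.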

🔒 License & Usage

ShieldAuth is a commercial plugin.

  • A valid license key is required for production use
  • Unauthorized usage, redistribution, or modification is strictly prohibited
  • License validation is enforced at runtime

To obtain a license, contact: 👉 aniket07013@gmail.com


⚠️ Important Notes

  • Do not share or expose your license key publicly
  • Each license is tied to usage conditions and may be validated remotely
  • Misuse or tampering may result in restricted functionality

🧠 Architecture (Overview)

  • Modular MFA factor system (TOTP, future: Email/SMS/WebAuthn)
  • Factor registry for runtime extensibility
  • Secure encryption & session bridging
  • Pluggable license validation service

📄 License

Proprietary – see LICENSE file for details.