
Email & Password Plugin

Email/password authentication with various email-based flows.

Overview

The Email & Password plugin provides email/password authentication with various email-based flows. It integrates with the Email plugin to send verification and password reset emails, and supports configurable password policies and sign-up controls.

Features

  • User Registration — Sign-up with email and password with optional email verification
  • User Authentication — Sign-in with email and password credentials
  • Email Verification — Optional email verification flow with expiring verification links
  • Password Reset — Secure password reset flow with expiring reset links
  • Email Change — Email change requests with verification to both old and new addresses
  • Password Policy — Configurable minimum and maximum password length requirements
  • Sign-Up Control — Option to disable new user registration
  • Auto Sign-In — Optional automatic sign-in after successful registration

Configuration

Standalone Mode

[plugins.email_password]
enabled = true
# Minimum password length requirement (8 recommended)
min_password_length = 8
# Maximum password length requirement
max_password_length = 128
# Disable new user registration
disable_sign_up = false
# Require email verification before sign-in
require_email_verification = true
# Whether to automatically sign in the user after sign-up
auto_sign_in = true
# Send verification email on sign-up
send_email_on_sign_up = true
# Send email on sign-in (optional)
send_email_on_sign_in = false
# Expiration time for email verification links
email_verification_expires_in = "24h"
# Expiration time for password reset links
password_reset_expires_in = "1h"
# Expiration time for email change requests
request_email_change_expires_in = "1h"

Library Mode

import (
	"time"

	authulamodels "github.com/Authula/authula/models"
	emailpasswordplugin "github.com/Authula/authula/plugins/email-password"
	emailpasswordplugintypes "github.com/Authula/authula/plugins/email-password/types"
)

emailpasswordplugin.New(emailpasswordplugintypes.EmailPasswordPluginConfig{
	Enabled:                     true,
	MinPasswordLength:           8,
	MaxPasswordLength:           128,
	DisableSignUp:               false,
	RequireEmailVerification:    true,
	AutoSignIn:                  true,
	SendEmailOnSignUp:           true,
	SendEmailOnSignIn:           false,
	EmailVerificationExpiresIn:  24 * time.Hour,
	PasswordResetExpiresIn:      time.Hour,
	RequestEmailChangeExpiresIn: time.Hour,
	// Optional: custom email sending logic (replace the empty bodies with your own senders)
	SendEmailVerification:       func() { /* ... */ },
	SendPasswordResetEmail:      func() { /* ... */ },
	SendChangedPasswordEmail:    func() { /* ... */ },
	SendRequestEmailChangeEmail: func() { /* ... */ },
	SendChangedEmailToOldEmail:  func() { /* ... */ },
	SendChangedEmailToNewEmail:  func() { /* ... */ },
}),

API Reference

Method  Endpoint                                 Description
POST    /email-password/sign-up                  Register a new user with email/password
POST    /email-password/sign-in                  Sign in with email/password
GET     /email-password/verify-email             Verify email address
POST    /email-password/send-email-verification  Send email verification link
POST    /email-password/request-password-reset   Request password reset email
POST    /email-password/change-password          Change user password
POST    /email-password/request-email-change     Request email change verification

Database Schema

This plugin does not create any database tables.
Plugin Capabilities

This plugin doesn't have any plugin hooks and capabilities.
Security Recommendations

  • Password Length Requirements — Set appropriate min_password_length (at least 8) and max_password_length values
  • Email Verification — Enable require_email_verification = true in production to prevent fake accounts
  • Token Expiration — Use short expiration times for password reset tokens (1h recommended)
  • Disable Sign-Up — Set disable_sign_up = true for closed user bases or invite-only applications
  • HTTPS Required — Always use HTTPS in production to protect credentials in transit
  • Rate Limiting — Rate limit the sign-in and password reset endpoints with the rate limit plugin to slow down brute-force and credential-stuffing attempts.
  • Password Hashing — Passwords are automatically hashed using argon2 so plain text passwords are never stored in the database.
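The recommendations above are easy to drift away from once a configuration is copied between environments. The following Go program, written as an added example for this page and not part of Authula, checks a `[plugins.email_password]` configuration against those recommendations (minimum length of at least 8, max not below min, verification required in production, reset links valid for at most 1h, all durations parseable) and applies the configured length policy to a candidate password. The `EmailPasswordConfig` struct and the `CheckConfig`/`ValidatePassword` functions are this example's own names; it assumes the TOML duration strings use Go's `time.ParseDuration` syntax, which the `"24h"` and `"1h"` values on this page match.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// EmailPasswordConfig mirrors the keys of the [plugins.email_password] table.
// It is an illustrative struct for this example, not the plugin's own type.
type EmailPasswordConfig struct {
	Enabled                     bool
	MinPasswordLength           int
	MaxPasswordLength           int
	DisableSignUp               bool
	RequireEmailVerification    bool
	EmailVerificationExpiresIn  string // duration string as written in TOML, e.g. "24h"
	PasswordResetExpiresIn      string
	RequestEmailChangeExpiresIn string
}

// Limits taken from the Security Recommendations section of the page.
const (
	recommendedMinPasswordLength = 8
	recommendedResetExpiry       = time.Hour
)

// CheckConfig returns one error per deviation from the recommendations so an
// operator sees every problem in a single run rather than one at a time.
func CheckConfig(cfg EmailPasswordConfig, production bool) []error {
	var problems []error

	if cfg.MinPasswordLength < recommendedMinPasswordLength {
		problems = append(problems, fmt.Errorf("min_password_length is %d; at least %d is recommended",
			cfg.MinPasswordLength, recommendedMinPasswordLength))
	}
	if cfg.MaxPasswordLength < cfg.MinPasswordLength {
		problems = append(problems, fmt.Errorf("max_password_length (%d) is below min_password_length (%d)",
			cfg.MaxPasswordLength, cfg.MinPasswordLength))
	}
	if production && !cfg.RequireEmailVerification {
		problems = append(problems, errors.New("require_email_verification should be true in production"))
	}

	// Password reset links are the most sensitive token: check both that the
	// value parses and that it does not exceed the recommended lifetime.
	if reset, err := time.ParseDuration(cfg.PasswordResetExpiresIn); err != nil {
		problems = append(problems, fmt.Errorf("password_reset_expires_in: %w", err))
	} else if reset > recommendedResetExpiry {
		problems = append(problems, fmt.Errorf("password_reset_expires_in is %s; %s or less is recommended",
			reset, recommendedResetExpiry))
	}

	// The remaining durations only need to be well-formed for this check.
	for _, d := range []struct{ key, val string }{
		{"email_verification_expires_in", cfg.EmailVerificationExpiresIn},
		{"request_email_change_expires_in", cfg.RequestEmailChangeExpiresIn},
	} {
		if _, err := time.ParseDuration(d.val); err != nil {
			problems = append(problems, fmt.Errorf("%s: %w", d.key, err))
		}
	}
	return problems
}

// ValidatePassword applies the configured length policy. Length is measured in
// bytes so the upper bound also caps the amount of data fed to the password
// hash, independent of how many runes the input contains.
func ValidatePassword(cfg EmailPasswordConfig, password string) error {
	n := len(password)
	if n < cfg.MinPasswordLength {
		return fmt.Errorf("password must be at least %d bytes", cfg.MinPasswordLength)
	}
	if n > cfg.MaxPasswordLength {
		return fmt.Errorf("password must be at most %d bytes", cfg.MaxPasswordLength)
	}
	return nil
}

func main() {
	// The configuration documented on this page, as a constructed input.
	cfg := EmailPasswordConfig{
		Enabled: true, MinPasswordLength: 8, MaxPasswordLength: 128,
		RequireEmailVerification: true, EmailVerificationExpiresIn: "24h",
		PasswordResetExpiresIn: "1h", RequestEmailChangeExpiresIn: "1h",
	}
	for _, p := range CheckConfig(cfg, true) {
		fmt.Println("config:", p)
	}
	fmt.Println("short password:", ValidatePassword(cfg, "short"))
}
```

Run the check in CI or at service start-up so a weakened setting (for example a reset link lifetime of `"7d"`, which does not even parse, or `require_email_verification = false` copied from a development file) is caught before it reaches production.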

Client Plugin

If you're using the Authula SDK, add the plugin to the client instance as follows:

import { createClient } from "authula";
import { EmailPasswordPlugin } from "authula/plugins";

export const authulaClient = createClient({
  url: "http://localhost:8080/auth",
  plugins: [
    // other plugins...
    new EmailPasswordPlugin(),
  ],
});
