Authentication & Security

CronJS uses Firebase Authentication to provide secure, reliable user authentication. This guide covers the authentication methods available and security best practices.

Authentication Overview

CronJS employs Firebase Authentication for all user access, ensuring enterprise-grade security without the complexity of managing authentication infrastructure.

Supported Authentication Methods

CronJS supports multiple authentication providers through Firebase:

1. Email/Password Authentication

  • Standard email and password registration
  • Secure password requirements enforced
  • Email verification required for account activation

2. Google OAuth

  • One-click sign-in with Google accounts
  • No need to remember additional passwords
  • Leverages Google’s security infrastructure

3. Additional OAuth Providers

  • Additional social login providers available through Firebase
  • GitHub, Twitter, and other providers can be enabled

Getting Started with Authentication

Account Registration

  1. Visit the App: Navigate to https://app.cronjs.com
  2. Choose Method: Click “Sign Up” and select your preferred authentication method
  3. Complete Process: Follow the Firebase authentication flow
  4. Verify Email: Check your email and verify your account (required)
  5. Access Dashboard: You’re now ready to create cron jobs

Login Process

  1. Visit Login Page: Go to https://app.cronjs.com
  2. Select Method: Choose the same authentication method you used to register
  3. Authenticate: Complete the Firebase login process
  4. Access Account: You’ll be redirected to your dashboard

Firebase ID Token

When you authenticate, Firebase automatically generates an ID token that:

  • Secures your session - Used for all platform interactions
  • Expires automatically - Tokens refresh automatically for security
  • Validates permissions - Ensures you can only access your own jobs
  • Encrypts communication - All data transmission is secured

Note: You don’t need to manage this token manually - it’s handled automatically by the web interface.

Security Features

Email Verification

  • Required for all accounts - Ensures email ownership
  • Prevents unauthorized access - Blocks unverified accounts
  • Account recovery - Enables secure password reset

Password Requirements

  • Minimum complexity - Strong password policies enforced
  • Firebase security - Leverages Google’s password security standards
  • Secure storage - Passwords never stored in plain text

Account Management

  • Profile updates - Change email or password through Firebase
  • Account deactivation - Temporarily disable your account
  • Account deletion - Permanently remove your account and data

Environment Variable Security

Secure Storage

Environment variables in your jobs are encrypted at rest and are only accessible during job execution:

// Environment variables are encrypted at rest
const apiKey = process.env.API_KEY;
const dbPassword = process.env.DATABASE_PASSWORD;

// Variables are only accessible during job execution
console.log("Connecting with secure credentials...");

Best Practices

  1. Never log sensitive data:
// ❌ Don't do this
console.log("API Key:", process.env.API_KEY);

// ✅ Do this instead
console.log("API Key configured:", !!process.env.API_KEY);
  2. Use descriptive variable names:
// ✅ Clear and descriptive
const databaseUrl = process.env.DATABASE_URL;
const slackWebhook = process.env.SLACK_WEBHOOK_URL;
const apiToken = process.env.EXTERNAL_API_TOKEN;
  3. Validate environment variables:
// ✅ Check required variables
if (!process.env.API_URL) {
  throw new Error("API_URL environment variable is required");
}

Variable Management

  • Write-only after creation - Environment variables cannot be viewed once saved
  • Overwrite capability - Update variables by providing new values
  • Encryption at rest - All variables encrypted in our database
  • Runtime access only - Variables only accessible during job execution

Container Security

Each job runs in a secure, isolated environment:

Docker Isolation

  • Individual containers - Each job execution gets its own container
  • Resource limits - CPU, memory, and timeout restrictions enforced
  • Network isolation - Jobs cannot interfere with each other
  • No privilege escalation - Containers run with minimal privileges

File System Security

  • Temporary filesystem - No persistent storage between executions
  • Read-only base image - Core system files cannot be modified
  • Isolated workspace - Each job has its own temporary directory

Network Security

  • Outbound internet access - Jobs can make external API calls
  • No inbound connections - Jobs cannot receive external connections
  • Secure environment - No access to internal CronJS infrastructure

Data Privacy

Personal Data

  • Minimal collection - Only necessary account information stored
  • Secure transmission - All data encrypted in transit
  • Access controls - Strict access limitations on personal data

Job Data

  • User isolation - Complete separation between user accounts
  • Execution logs - Stored securely with appropriate retention
  • Code privacy - Your job code is never shared or accessible to others

Current Limitations (MVP)

The current MVP version has some limitations:

API Access

  • Web interface only - No programmatic API access yet
  • Manual management - Jobs must be managed through the web app
  • Future development - API access planned for future releases

Advanced Security Features

  • No 2FA yet - Two-factor authentication not available in MVP
  • Basic account settings - Limited security configuration options
  • Enterprise features - Advanced security features planned for paid tiers

Troubleshooting Authentication

Common Issues

Login Problems

Problem: Can't sign in with Google
Solution: Ensure pop-ups are enabled and try incognito mode

Email Verification

Problem: Didn't receive verification email
Solution: Check spam folder, wait a few minutes, or request new verification

Session Expiry

Problem: Automatically logged out
Solution: Firebase tokens expire for security - simply log in again

Getting Help

If you encounter authentication issues:

  1. Check browser settings - Ensure cookies and JavaScript are enabled
  2. Clear browser cache - Sometimes helps with authentication problems
  3. Try incognito mode - Isolates potential browser extension issues
  4. Contact support - Email [email protected] for assistance

Security Best Practices

For Job Code

  1. Validate inputs - Always validate external data
  2. Handle errors gracefully - Don’t expose sensitive information in error messages
  3. Use environment variables - Never hardcode credentials
  4. Log responsibly - Avoid logging sensitive data
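
The job-code practices above, together with the environment variable best practices earlier on this page, combined into one sketch. This is an added example, not CronJS's own code: the helper names (loadConfig, makeRedactor, sanitizeError) are hypothetical and sampleEnv is constructed data.

```javascript
// Added example. loadConfig, makeRedactor and sanitizeError are hypothetical
// helper names; sampleEnv is constructed data, not real credentials.
const sampleEnv = {
  API_URL: "https://api.example.test",
  API_KEY: "sk_constructed_12345",
};

// Fail fast when a required variable is missing. The error names the
// missing keys only, so it is safe to log.
function loadConfig(env, required) {
  const missing = required.filter((name) => !env[name]);
  if (missing.length > 0) {
    throw new Error(
      `Missing required environment variables: ${missing.join(", ")}`
    );
  }
  return Object.fromEntries(required.map((name) => [name, env[name]]));
}

// Return a function that replaces each secret value with a placeholder.
// Values shorter than minLength are skipped so ordinary words are not mangled.
// Limitation: only exact matches are caught, not encoded or truncated copies.
function makeRedactor(env, secretNames, minLength = 6) {
  const values = secretNames
    .map((name) => env[name])
    .filter((v) => typeof v === "string" && v.length >= minLength)
    .sort((a, b) => b.length - a.length); // longest first
  return (text) =>
    values.reduce((out, v) => out.split(v).join("[REDACTED]"), String(text));
}

// Wrap an error so its message can be logged or rethrown without secrets.
function sanitizeError(err, redact) {
  return new Error(redact(err && err.message ? err.message : String(err)));
}

// Usage inside a job body: an upstream error that echoes the key is scrubbed.
function demo() {
  const config = loadConfig(sampleEnv, ["API_URL", "API_KEY"]);
  const redact = makeRedactor(sampleEnv, ["API_KEY"]);
  console.log("API key configured:", !!config.API_KEY);
  const upstream = new Error(`401 from ${config.API_URL} using ${config.API_KEY}`);
  return sanitizeError(upstream, redact).message;
}
console.log(demo());
```

In a real job, pass process.env in place of sampleEnv and route every log and error message through the redactor before it reaches the execution logs.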

For Account Security

  1. Use strong passwords - If using email/password authentication
  2. Keep email secure - Your email is your account recovery method
  3. Monitor job execution - Review logs for unexpected behavior
  4. Report issues promptly - Contact support for any security concerns

Future Security Enhancements

Planned security features for future releases:

  • Two-factor authentication (2FA) - Additional account security layer
  • API key management - Programmatic access with secure key rotation
  • Advanced audit logging - Detailed security event tracking
  • SSO integration - Enterprise single sign-on capabilities
  • Advanced permissions - Team and role-based access controls

Stay tuned for these security enhancements as CronJS continues to evolve!
