Backend: User Auth etc

[ashishkarki]

1. User Authentication (Login)

• Why: After registration and OTP verification, users should be able to log in securely.
• What to Use: Implement a login feature using JWT (JSON Web Tokens) or session-based authentication. This will allow users to authenticate and access protected routes.
• Next Step: Implement a login mutation that verifies the user's email and hashed password, and returns a JWT for subsequent authenticated requests.

2. Token-Based Email Verification (Optional)

• Why: OTP-based verification is already in place, but for future scalability, you could also implement token-based email verification (for example, sending a link that users click to verify their account).
• What to Use: You could create a unique verification token linked to the user and send it via email.
• Next Step: This is an optional enhancement but could replace or supplement OTP verification for email verification in the future.

3. Password Reset Flow

• Why: Allow users to reset their password if they forget it. This is a standard feature in modern applications.
• What to Use: Implement a password reset feature that allows users to request a password reset email containing a token, which they can use to reset their password.
• Next Step: Add a mutation to send a password reset email and handle password reset tokens.

4. Rate Limiting and Security Enhancements

• Why: To protect against brute-force attacks or abuse of the OTP or login systems.
• What to Use: Use rate-limiting middleware to limit requests from a single IP address (especially for sensitive routes like login and OTP verification).
• Next Step: Integrate rate-limiting and consider adding CAPTCHA to prevent bot abuse.

---

Summary of Next Steps:

1. User Authentication – Implement a login feature using JWT or session-based authentication.
2. Password Reset Flow – Allow users to reset their passwords.
3. Security Enhancements – Add rate limiting and other security measures like CAPTCHA