[RFC0009] User Login

[lobsam]

Table of Contents

• Housekeeping
• Named Concepts
• Summary
• Reference-Level Explanation
• Alternatives
• Drawbacks
• Useful References
• Unresolved questions
• Parts of the system affected
• Future possibilities
• Infrastructure
• Version History
• Recordings
• Work Phases
  • Implementation
  • Testing

Housekeeping

This RFC is related to RFW0009 #10

Named Concepts

Auth0 : platform that provides authentication and authorization services for applications and API.

Flowbite : Vue 3 component library which provides lot of basic components needed to build webapp. such as button, login forms etc. Server: The entity responsible for authenticating user credentials and granting access. For example : Auth0

Authentication Request: The message sent by the user to the server containing user credentials.

Authentication Response: The message sent by the server to the user indicating the success or failure of the authentication process.

Session Token: A unique identifier generated by the server and associated with the user's session, used for subsequent requests to identify the user.

User Credentials: Information provided by the user to authenticate their identity, such as a username and password.

SSO (Single Sign-On): allow users to access multiple applications or systems using a single set of credentials. It eliminates the need for users to remember multiple usernames and password.

Magic Link: is an authentication method used in SSO systems where users receive an email containing a unique, time-limited link. Clicking the Magic Link authenticates the user and grants them access to the application without requiring a password. It offers a convenient and secure way for users to log in without the need for traditional credentials.

Summary

This RFC proposes a standardized process for user authentication and access to systems or services. It involves the user sending an authentication request with their credentials to the server, which responds with an authentication response containing a session token. The session token is used by the user to identify themselves in subsequent requests.

Reference Level Explanation

The User Login operates as follows:

• User Authentication Request User can login by making a request to the Auth0 login API using the Auth0 SDK/API. This request includes the user's credentials, such as a (username and password) or Email.
• Server Authentication Response: Server (Auth0) validates the user's credentials. If the credentials are valid, the server generates a session token in the form of a JSON Web Token (JWT). and returns it to the user as part of the authentication response.

• User Session Management: Once the user receives the session token, it will be combined requests to the server to identify themselves and gain access to protected resources. The server verifies the session token's validity and grants access accordingly.

  • Handling expiry session Token : The client application keeps track of the expiry time of the token. In case of Auth0, The token has an expiration timestamp specified by the Auth0 server. Config. Session Lifetime in AUth0

Two methods to login :

1. Through Magic Link: Magic Link is an authentication method that allows users to log in to an application without a password. Here's how it works:
   • User requests a Magic Link: The user enters their email address on the login page and requests a Magic Link.
   • Email with Magic Link: Auth0 sends an email to the user's address containing a unique, time-limited link.
   • Clicking the Magic Link: The user clicks the Magic Link, which securely authenticates them and grants access to the application.
   • Seamless Login: After clicking the Magic Link, the user is seamlessly logged in without needing to enter a password, enhancing user experience and convenience.
2. The user will click the SSO button of their choice. They will then go through the prompts of that SSO. If the sign-in is valid, the user then is allowed to come in.

Alternatives

NA

Drawbacks

NA

Useful References

• Auth0 Documentation: https://auth0.com/docs
• Auth0 SDKs and Libraries: https://auth0.com/docs/libraries
• Passwordless Authentication with Magic Links in Auth0: https://auth0.com/docs/authenticate/passwordless/authentication-methods/email-magic-link
• Hasura and Auth0 integration: https://hasura.io/learn/graphql/hasura-authentication/integrations/auth0/
• JWT: https://jwt.io/

Unresolved Questions

NA

Parts of the system affected

• Which parts of the current system affacted by this request? We will be created login page in vue3 app

• What other requests are related with this request? RFC0008 User-management

Future possibilities

How do you see the particular system or part of the system affected by this request be alter or extended in the future?

• Future versions of the User Login RFC may include password recovery mechanisms

Infrastructure

User Login requires a secure communication channel (e.g. HTTPS) and server-side infrastructure to handle authentication requests, validate credentials, manage sessions, and access control.

Version history

History of changes made to this RFC

NA

Recordings

List of audio recording of related discussion.

NA

Work phases

• [x] Planning

Implementation

Phase 1: User Registration

• [x] Implement a user registration form to allow new users to create accounts.
• [x] Validate user input data, such as email format and password strength.

• [x] Store user account information securely in a database.

  Phase 2: User Login

  • [x] Create a login page to accept user credentials.
  • [x] Verify user credentials against stored account information in the database
  • [x] Implement session management to maintain user authentication across requests.
  • [x] Utilize secure protocols (e.g., HTTPS) to transmit sensitive data

Testing

Phase 1: Unit Testing:

• [x] Verify the functionality of individual components, such as registration and login modules.

• [x] Test input validation and error handling scenarios.

  Phase 2: Integration Testing

• [x] Perform integration tests to ensure seamless communication between different system components, such as the login page, database and Server (e.g Auth0).
• [x] Validate session management.
• [x] Test the integration of password reset functionality with the user login system.

[pdey]

Can we specify, just for clarity, what "time-limited" mean in the case of magic-link generation? One aspect is time of the link, also another aspect is lifespan of the session token generated by Auth server once the link is used for login.

[pdey]

How does client handle the expiry of a session token, does it refresh the token silently?, A functional description of how client uses the Auth0 sdk/api for using login api and handling session token will be useful.

[lobsam]

Magic Link: is an authentication method used in SSO systems where users receive an email containing a unique, time-limited link.

Here as of now "time-limited" means magic link can only be used within a timeframe.

[lobsam]

How does client handle the expiry of a session token, does it refresh the token silently?, A functional description of how client uses the Auth0 sdk/api for using login api and handling session token will be useful.

@pdey :

• expiry session token: The client application keeps track of the expiry time of the token. In case of Auth0, The token has an expiration timestamp specified by the Auth0 server
• refresh session token : Auth0 sdk/api does it silently after if session token has been expired.