F2: Authentication Flow - Feature Analysis

Overview

The Authentication Flow for Futr Connect provides secure user registration, login, and account management. The system supports both traditional email/password authentication and OAuth providers (Google, LinkedIn). The flow includes email verification via Link, password management with secure requirements, and proper session handling. This system ensures that only authorized users can access protected parts of the application while providing a smooth user experience with appropriate redirects and error handling.

API Endpoints

1. User Registration

POST /auth/registration/

Request Body:

{
  "full_name": "John Doe",
  "email": "john.doe@example.com",
  "password": "SecureP@ss123",
  "is_terms_agreed": true
}

Response (Success - 201 Created):

{
  "message": "Please verify your email."
}

2. User Login

POST /auth/login/

Request Body:

{
  "email": "john.doe@example.com",
  "password": "SecureP@ss123"
}

Response (Success - 200 OK):

{
  "user": {
    "id": "user-id-string",
    "full_name": "John Doe",
    "email": "john.doe@example.com",
    "avatar": "https://storage.futrconnect.com/profile_images/user123.jpg",
    "is_email_primary": true
  },
  "access_token": "jwt-access-token",
  "refresh_token": "jwt-refresh-token"
}

3. Social Login (Google)

POST /social-auth/google/

Request Body:

{
  "access_token": "google-access-token"
}

4. Social Login (LinkedIn)

POST /social-auth/linkedin/

Request Body:

{
  "code": "linkedin-access-code"
}

5. Password Reset Request

POST /auth/password/reset/

Request Body:

{
  "email": "john.doe@example.com"
}

6. Password Reset Confirmation

POST /auth/password/reset/confirm/

Request Body:

{
  "new_password1": "string",
  "new_password2": "string",
  "uid": "string",
  "token": "string"
}

7. Logout

POST /auth/logout/

8. Token Refresh

POST /auth/token/refresh/

Request Body:

{
  "refresh": "jwt-refresh-token"
}

State Management

MobX-State-Tree Models

AuthStore

Model AuthStore {
   loggedInUserData: types.maybeNull(UserSchemas.LoggedInUser),
   userData: types.maybeNull(UserSchemas.User),
   is_logged_in: types.maybeNull(types.boolean),
   JoinAsACompany: types.maybeNull(types.frozen<JoinAsACompanyType>()),
   userSignupData: types.maybeNull(types.frozen<UserSignupTypes>()),
   isFetchRefreshTokenAllowed: false,
   isFetchingRefreshToken: false,
   isAuthModalOpen: false,
   isNewTicketRaised: false

  // Actions
  logOutUser()
  updateAuthModalState()
  loginUser({ email, password })
  signupAsACompany(FormData)
  logout()
  signupUser(FormData)
  confirmNewPassword(FormData)
  changePassword(FormData)
  verifyEmail(otp)
  resendVerificationEmail()
  resetPassword()
  resendVerificationEmailLink()
  setUserAccessToken(token)
}

UserModel

Model UserModel {
  title: string,
  professional_email: string,
  is_terms_agreed:boolean,
  is_professional_email_primary: boolean,
  last_login: string,
  phone: string,
  full_name: string,
  groups: array(string),
  is_email_primary: boolean,
  is_soft_delete: boolean,
  about: string,
  avatar: string,
  organization_name: string,
  email: string,
  location: string,
  is_email_verified: boolean,
}

Database Models

PostgreSQL Models

User

  • id (UUID, primary key)
  • email (varchar, unique, required)
  • full_name (varchar, nullable)
  • avatar (ImageField, nullable)
  • password (varchar, required)
  • title (varchar, nullable)
  • location (varchar, nullable)
  • organization_name (varchar, nullable)
  • about (text, nullable)
  • is_soft_delete (boolean, default: false)
  • is_terms_agreed (boolean, default: false)
  • professional_email (varchar, unique, nullable)
  • is_professional_email_primary (boolean, default: false)

Backend Logic

Password Validation

The backend leverages Django’s built-in authentication system for password validation. The password validation rules are configured in the settings.py file and can include checks for minimum length, common sequences, and numeric characters. The django-password-validators library is also used to enforce password history, preventing users from reusing old passwords.

Email Verification

Email verification is handled by the dj-rest-auth library. Upon registration, an email with a unique verification link is sent to the user. The user must click this link to activate their account. This process does not involve a one-time password (OTP).

Authentication Flow

The authentication flow is managed by a combination of dj-rest-auth and django-allauth:

  1. Registration: When a user registers, a new User object is created in the database, and an email verification link is sent.

  2. Login: For standard email/password login, dj-rest-auth handles the authentication process and issues JWT tokens (access and refresh) upon successful login.

  3. Social Login: django-allauth manages the OAuth2 flow for Google and LinkedIn. It handles the token exchange with the social providers and creates or links a user account in the backend.

  4. Token Management: The backend uses djangorestframework-simplejwt to manage JWT tokens, including token refreshing.

Performance and Security

Authentication Performance

The backend relies on the performance of the underlying libraries, dj-rest-auth and django-allauth, for authentication. The key performance considerations are:

  1. Database Queries: The authentication flow is optimized to minimize database queries. User and social account data is fetched efficiently.

  2. Token Generation: JWT token generation is a fast, stateless operation, ensuring minimal overhead during login and token refresh.

Security Measures

The backend implements several security measures to protect the authentication flow:

  1. Password Hashing: Passwords are not stored in plaintext. Django’s default password hashing mechanism is used to securely store password hashes.

  2. HTTPS: The application should be deployed with HTTPS to ensure that all communication between the client and server is encrypted.

  3. CORS Policies: The django-cors-headers library is used to enforce Cross-Origin Resource Sharing (CORS) policies, preventing unauthorized cross-domain requests.

  4. CSRF Protection: Django’s built-in Cross-Site Request Forgery (CSRF) protection is enabled to prevent CSRF attacks on form submissions.

  5. Throttling: Django REST Framework’s throttling can be configured to prevent brute-force attacks on authentication endpoints.

Technical Considerations

Cross-Platform Authentication

  • Implement consistent authentication across web and potential mobile platforms
  • Use Firebase Auth which provides SDKs for web, iOS, and Android
  • Store authentication state in a consistent format across platforms
  • Ensure token refresh works smoothly across platforms

Authentication UX

  • Implement inline validation feedback
  • Show password strength meter during registration
  • Provide clear error messages for authentication failures
  • Use modal dialogs for authentication to prevent context switching
  • Implement “remember me” functionality
  • Support auto-fill for password managers

Potential Bottlenecks

  1. Firebase Rate Limiting:
  • Firebase has rate limits for authentication operations
  • Solution: Implement client-side caching and throttling
  1. Email Verification Delays:
  • Email delivery can be slow or unreliable
  • Solution: Offer alternative verification methods (SMS) and clear instructions
  1. OAuth Provider Outages:
  • Reliance on third-party OAuth providers introduces external dependencies
  • Solution: Implement fallback authentication methods and proper error handling
  1. Database Synchronization:
    - Delays between Firebase Auth and PostgreSQL database updates
    - Solution: Implement a queue system for synchronization and handle potential inconsistencies

Implementation Considerations

Development Approach

  • Implement authentication flow early in development cycle
  • Create authentication UI components in Storybook
  • Use feature flags for new authentication methods
  • Develop comprehensive test suite for authentication flows

Testing Strategy

  • Unit tests for validation logic
  • Integration tests for API endpoints
  • E2E tests for complete authentication flows
  • Libraries: Playwright

Error Handling

  • Develop comprehensive error mapping from Firebase to user-friendly messages
  • Implement logging for authentication error
  • Create recovery flows for common error scenarios

Enhanced Authentication UI

  • Implement a visually appealing slide-in authentication modal
  • Add subtle animations for form transitions
  • Use micro-interactions to indicate field validation status
  • Implement a password strength visualization that updates in real-time

Enhanced User Verification

  1. Authentication:
    - Implement Gmail verification
    - Implement magic link email authentication

Additional Considerations

Data Privacy and Compliance

  • Add user consent tracking for data processing
  • Document all data processing in privacy policy

Recovery Options

  • Implement account recovery
  • Provide verification channels (email)

Further Reading & Best Practices

  1. Firebase Authentication Best Practices:
  1. Authentication Security:
  1. OAuth Implementation:
  1. Authentication UX:
  1. Password Security:
    - NIST Password Guidelines
    - Have I Been Pwned API Integration