An example authentication system with registration and login forms

- Page URL `/`
  - Field for username
  - Field for password
  - "Login" button
  - "Sign Up" button
    - When clicked, show registration form at `/signup`
- Page URL `/signup`
  - Field for username
    - Regex pattern: alphanumeric w/ underscore, 3-30 characters
    - Show error in form when pattern does not match
  - Field for email
    - Regex pattern: https://www.emailregex.com/
  - Field for password
    - Regex pattern: at least 1 uppercase, 1 lowercase, 1 decimal digit, 8+ characters
    - Show error in form when pattern does not match
  - Field for confirm password
    - Valid only if it matches password
    - Show error in form when it does not match password
  - "Create account" button
    - On successful signup, redirect to login page at `/`
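The validation rules for the `/signup` form, as an added example (not code from the original page). The username and password patterns follow the rules listed above; the email pattern is a deliberately simplified stand-in for the emailregex.com expression, and the form id `signup`, the field names and the `data-error-for` attributes are assumptions. The same checks must be repeated server-side in `POST /signup`, since anything done in the browser can be bypassed.

```javascript
// Client-side validation for the signup form (added example; names are assumptions).
const USERNAME_RE = /^[A-Za-z0-9_]{3,30}$/;                      // alphanumeric + underscore, 3-30 chars
const PASSWORD_RE = /^(?=.*[A-Z])(?=.*[a-z])(?=.*[0-9]).{8,}$/;  // 1 upper, 1 lower, 1 digit, 8+ chars
// Simplified email check (assumption): no whitespace, exactly one "@", a dot in the domain part.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Returns { valid, errors } where errors maps a field name to the message to show in the form.
function validateSignupForm({ username = '', email = '', password = '', confirmPassword = '' }) {
  const errors = {};
  if (!USERNAME_RE.test(username)) {
    errors.username = 'Username must be 3-30 characters: letters, digits or underscore';
  }
  if (!EMAIL_RE.test(email)) {
    errors.email = 'Enter a valid email address';
  }
  if (!PASSWORD_RE.test(password)) {
    errors.password = 'Password needs 8+ characters with an uppercase letter, a lowercase letter and a digit';
  }
  if (confirmPassword !== password) {
    errors.confirmPassword = 'Passwords do not match';
  }
  return { valid: Object.keys(errors).length === 0, errors };
}

// Wire the validator to the form in the browser; skipped when the file runs under Node.
if (typeof document !== 'undefined') {
  const form = document.querySelector('form#signup'); // assumed form id
  if (form) {
    form.addEventListener('submit', (ev) => {
      const { valid, errors } = validateSignupForm(Object.fromEntries(new FormData(form)));
      if (valid) return; // let the browser submit to POST /signup
      ev.preventDefault();
      for (const [field, msg] of Object.entries(errors)) {
        const el = form.querySelector(`[data-error-for="${field}"]`); // assumed error slots
        if (el) el.textContent = msg;
      }
    });
  }
}

module.exports = { validateSignupForm, USERNAME_RE, PASSWORD_RE, EMAIL_RE };
```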
- Base URL `/`
  - Redirect to here when login successful
  - Main content is placeholder kanban columns (just backgrounds)
  - Logout button
- `POST /signup`
  - Create new account
  - Request body contains `username`, `email` and `password`
  - Hashes password with salt
  - Persists new user account in database
    - Field for verified email status
    - If email unverified, delete account after 15 minutes
    - If email verified, set verified email status to true, don't delete
  - Sends email verification with one-time code, set to expire in 10 minutes
  - Respond with status code `201 Created` on success
  - Respond with status code `500 Internal Server Error` on failure
- `POST /login`
  - Login with credentials
  - Request body contains `username` and `password`
  - Retrieves user from database by `username`
  - Compares the hash of the submitted password with the stored hash
  - Sends email verification with one-time code, set to expire in 10 minutes
  - Sends limited use access token (1 hr) to use in browser as response
    - Has max age (time of expiration)
    - If expired, a new token will have to be generated using refresh token
  - Respond with status code `200 OK` on success
  - Respond with status code `403 Forbidden` on failure
  - Respond with status code `500 Internal Server Error` on general failure
- `GET /refresh`
  - Generate new access token using refresh token
  - Header contains authorization bearer refresh token
  - If there's no token, return `406 Not Acceptable`
  - If token is wrong or expired, return `406 Not Acceptable`
  - If token is verified, return `200 OK` with new access token as payload
- `GET /`
  - Gain authorized access to homepage (verification middleware)
  - Header contains authorization bearer access token
  - If there's no token, return `401 Unauthorized`
  - If token is wrong or expired, return `403 Forbidden`
  - If token is verified, return `200 OK`
- `GET /verify`
  - Verify new account
  - Request body contains `accountId` and `otp`
  - Checks if `otp` has expired (compare current time to expiry timestamp)
  - Verifies one-time code, allows sending access token to user after next login
  - Allows only 3 failed attempts before voiding the code
  - Redirects to login page after voiding
- Setup MongoDB