RickyC0626/authentication-example

authentication-example

An example authentication system with registration and login forms

Showcase

Login Page (screenshot)

Signup Page (screenshot)

Dashboard after logging in (screenshot)

Roadmap

UI

Login Form

  • Page URL /
  • Field for username
  • Field for password
  • "Login" button
  • "Sign Up" button
    • When clicked, show registration form at /signup

Registration Form

  • Page URL /signup
  • Field for username
    • Regex pattern: alphanumeric w/ underscore, 3-30 characters
    • Show error in form when pattern does not match
  • Field for email
  • Field for password
    • Regex pattern: at least 1 uppercase, 1 lowercase, 1 decimal digit, 8+ characters
    • Show error in form when pattern does not match
  • Field for confirm password
    • Valid only if it matches the password field
    • Show error in form when the two passwords do not match
  • "Create account" button
  • On successful signup, redirect to login page at /

Home Page (Dashboard)

  • Base URL /
  • Redirect to here when login successful
  • Main content is placeholder kanban columns (just backgrounds)
  • Logout button

Server

REST API

  • POST /signup - Create new account
    • Request body contains username, email and password
    • Hashes password with salt
    • Persists new user account in database
      • Field for verified email status
      • If email unverified, delete account after 15 minutes
      • If email verified, set verified email status to true, don't delete
    • Sends email verification with one-time code, set to expire in 10 minutes
    • Respond with status code 201 Created on success
    • Respond with status code 500 Internal Server Error on failure
  • POST /login - Login with credentials
    • Request body contains username and password
    • Retrieves user from database by username
    • Compares the hash of the submitted password with the stored hash
    • Sends email verification with one-time code, set to expire in 10 minutes
    • Responds with a limited-use access token (1 hr) for the browser
      • Has a max age (time of expiration)
      • If expired, a new token has to be generated using the refresh token
    • Respond with status code 200 OK on success
    • Respond with status code 403 Forbidden on failure
    • Respond with status code 500 Internal Server Error on general failure
  • GET /refresh - Generate new access token using refresh token
    • Header contains authorization bearer refresh token
    • If there's no token, return 406 Not Acceptable
    • If token is wrong or expired, return 406 Not Acceptable
    • If token is verified, return 200 OK with new access token as payload
  • GET / - Gain authorized access to homepage (verification middleware)
    • Header contains authorization bearer access token
    • If there's no token, return 401 Unauthorized
    • If token is wrong or expired, return 403 Forbidden
    • If token is verified, return 200 OK
  • GET /verify - Verify new account
    • Request body contains accountId and otp
    • Checks if otp has expired (compare current time to expiry timestamp)
    • Verifies one-time code, allows sending access token to user after next login
    • Allows only 3 failed attempts before voiding the code
      • Redirects to login page after voiding

Persistence (Database)

  • Setup MongoDB