Authorization
Auth flow
1. Registration
2. Email confirmation
3. Login
If a user who has not yet confirmed their account tries to sign in, they see text like: "You have to confirm your account. Go to your email box and find the confirmation link."
Register Req/Res Types
The user must then activate their account by clicking the confirmation link in the mail sent by the backend.
I want to propose this URL:
http://backend.com/auth/confirm-account?token=its-access-token-1231123
This is just a GET request to the /auth/confirm endpoint with a ?token query parameter.
If confirmation succeeds, the backend redirects the user to frontend.com/login (ask Oleksandr Shtonda for some HTML/JS code for the redirect).
Login Req/Res Types
The user must be able to sign in ONLY AFTER account confirmation; otherwise the backend sends the confirmation mail to the user's e-mail address again, and the frontend must show a notice about this.
We also need a GET endpoint, backend.com/auth/me, so that a user can request information about themselves. The backend takes the accessToken from the HTTP Authorization header, decodes it, extracts the e-mail from it, finds the user in the DB and returns the user's info.
Password reset flow
1. User clicks "Forgot a password?"
2. Frontend redirects the user to the reset-password page
3. User provides their e-mail
4. User provides the code from their e-mail
5. User provides a new password
6. Frontend redirects the user to the login page to sign in
Providing the e-mail
If the e-mail is not a valid e-mail address
If the e-mail was not found
If everything is OK
Providing the confirmation code
If the code does not pass validation
If the confirmation code is incorrect
If everything is OK
Providing a new password
If the access token was not provided
If the password does not pass the validation rules
If the new password equals the current one
If everything is OK
Logout
The user must be able to log out.
Req/Res types
The frontend sends an HTTP GET request to the backend. The backend decodes the access token, finds the user by user_id (PK) and sets the refresh_token field to null. A null value means the user is no longer logged in to their account.
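An added example (not the project's code) of the confirmation, /auth/me and logout handlers sketched above, in Python with only the standard library. It assumes an HMAC-signed token format with a purpose claim (the page does not specify the token format), a users dict keyed by e-mail standing in for the DB, and a caller-supplied clock `now` so expiry can be tested.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-signing-key"  # assumption: loaded from a secret store in production
def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(email, use, now, ttl):
    # Signed, expiring token bound to one purpose so a confirmation link cannot act as an access token.
    payload = json.dumps({"sub": email, "use": use, "exp": now + ttl}).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)

def verify_token(token, use, now):
    # Returns the claims only if signature, purpose and expiry all check out, else None.
    try:
        body, sig = token.split(".")
        payload = _unb64(body)
        expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):  # constant-time comparison
            return None
        claims = json.loads(payload)
        if claims.get("use") != use or claims.get("exp", 0) < now:
            return None
        return claims
    except (ValueError, TypeError, AttributeError):
        return None

def confirm_account(users, token, now):
    # Handler for GET /auth/confirm-account?token=...; on "confirmed" the caller redirects to /login.
    claims = verify_token(token, "confirm", now)
    user = users.get(claims["sub"]) if claims else None
    if user is None:
        return "invalid_or_expired"  # same answer for bad signature, expiry and unknown user
    user["confirmed"] = True
    return "confirmed"

def user_from_header(users, authorization, now):
    # Shared by GET /auth/me and logout: read the bearer token, look the user up by e-mail.
    scheme, _, token = authorization.partition(" ")
    claims = verify_token(token, "access", now) if scheme == "Bearer" else None
    return users.get(claims["sub"]) if claims else None

def logout(users, authorization, now):
    user = user_from_header(users, authorization, now)
    if user is None:
        return False
    user["refresh_token"] = None  # null refresh_token means the user is no longer logged in
    return True
```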