Comment on page
The sign-in authentication process is managed in the
This method checks that:
- the user exists
- the correct password has been provided
- the account is active
- the sign-in is not suspicious (see sections below for more information)
If these conditions are met, an auth token is generated and returned to the client along with a user object.
Users can sign in using their username or password, or via a magic link that sends a time-sensitive JWT for authentication.
You may need to open and close the expo app before clicking a magic link with Gravity Native.
Each sign-in attempt is stored in the login table along with the device, browser and IP address. On each login attempt,
authController.signinchecks this table for suspicious activity based on past behaviour. If the IP address, device or browser differs from what the user typically uses to sign in, they will be notified via email.
If all three parameters (IP, browser and device) differ from past behaviour. The user's account will be disabled and the sign-in attempt blocked. The user will then receive a magic sign-in link via email to sign-in and unlock their account.
The auth status of a user can be checked by making a GET request to
/api/auth. This request is performed every time the app is loaded or reloaded.
This will return an object with the following values:
You can sign out the user and delete the auth tokens by making a DELETE request to