Gravity
Search…
Gravity
Welcome to Gravity
Getting Started
Stack
Updates
Changelog
Gravity Server
Introduction
Installation
Application Structure
REST API
Authentication
Social Sign On
Two-Factor Authentication
Config
Environment Variables
Database Queries
Handling Errors
Logging
Push Notifications
Email Notifications
User Feedback
Permissions (Roles)
File Uploads
Payments
Free Accounts
CLI Toolbelt
Testing
Gravity Web
Introduction
Tailwind & SCSS
Routing
Events
Authentication
Hooks
Components
Views
Handling Errors
Deployment
Gravity Native
Introduction
Prerequisites
Installation
App Context
Authentication
Magic Links
Handling Errors
Navigation
Config
Events
Views
Components
Push Notifications
Payments
Building Your App
Mission Control
Introduction
Installation
User Management
Feedback
Events
Logs
Powered By GitBook
Authentication
The sign in authentication process is managed in the authController located in /controller directory.
This method checks that:
  • the user exists
  • the correct password has been provided
  • an active subscription exists
If these conditions are met, an auth token is generated and returned to the client along with the user permission level, name and subscription.

The authentication model is located in /model directory and contains several methods for encoding and decoding the JSON web token.

Users can sign in using their username or password, or via a magic link that sends a time-sensitive JWT for authentication.
You may need to open and close the expo app before clicking a magic link with Gravity Native.

Each sign in attempt is stored in the login table along with the device, browser and IP address. On each login attempt, the authController checks this table to check for suspicious activity based on past behaviour. If the IP address, device or browser differs from what the user normally uses to sign in, they will be notified via email.

If all three parameters (IP, browser and device) differ from past behaviour. The user's account will be disabled and the sign-in attempt blocked. The user will then receive a magic sign-in link via email to sign-in and unlock their account.

You can check the auth status of a user by making a GET request to /api/auth. This will return an object with the following values:
Key
Value
Description
jwt_token
true or false
determines if the user has an active JWT provided by the app
​
social_token
true or false
determines of the user has an active access token for a social network
subscription
string
returns the stripe subscription status
authenticated
true or false
true if the user has an app JWT or social token

You can sign out the user and delete the auth tokens by making a DELETE request to /api/auth
​
Previous
API Scopes
Next
Social Sign On
Last modified 9mo ago
Copy link
On this page
Authentication Model
Magic Sign-in Links
Suspicious Sign In Attempts
Blocked Sign In Attempts
Check the Auth Status
Deleting Auth Tokens