Authentication

The sign-in authentication process is managed in the authController, located in the /controller directory.

This method checks that:

  • the user exists

  • the correct password has been provided

  • an active subscription exists

If these conditions are met, an auth token is generated and returned to the client along with the user permission level, name and subscription.

Authentication Model

The authentication model is located in the /model directory and contains several methods for encoding and decoding the JSON web token.

Magic Sign-in Links

Users can sign in using their username or password, or via a magic link that sends a time-sensitive JWT for authentication.

You may need to open and close the Expo app before clicking a magic link with Gravity Native.

Suspicious Sign In Attempts

Each sign-in attempt is stored in the login table along with the device, browser and IP address. On each login attempt, the authController queries this table for suspicious activity based on past behaviour. If the IP address, device or browser differs from what the user normally uses to sign in, they will be notified via email.

Blocked Sign In Attempts

If all three parameters (IP, browser and device) differ from past behaviour, the user's account will be disabled and the sign-in attempt blocked. The user will then receive a magic sign-in link via email to sign in and unlock their account.
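
The notify-versus-block decision described in the two sections above, as an added example that is not the project's own authController code. The function name, the row shape and the sample rows are assumptions; so are treating a value as familiar when it appears in any past sign-in and allowing a first sign-in that has no history.

```javascript
// Constructed sample rows standing in for the login table (not real data).
const loginHistory = [
  { user_id: 'u1', ip: '203.0.113.10', device: 'desktop', browser: 'Chrome' },
  { user_id: 'u1', ip: '203.0.113.10', device: 'mobile', browser: 'Safari' },
  { user_id: 'u1', ip: '198.51.100.7', device: 'desktop', browser: 'Chrome' },
];

// The three parameters the page says are compared with past behaviour.
const FIELDS = ['ip', 'device', 'browser'];

// Compare case-insensitively and ignore stray whitespace in stored values.
function normalise(value) {
  return String(value ?? '').trim().toLowerCase();
}

// Hypothetical helper: classify one sign-in attempt against a user's history.
// Returns { action: 'allow' | 'notify' | 'block', changed: [field, ...] }.
function assessSignIn(history, attempt) {
  const past = history.filter((row) => row.user_id === attempt.user_id);

  // Assumption: with no history there is no baseline, so nothing is flagged.
  if (past.length === 0) return { action: 'allow', changed: [] };

  // A field has changed when its value never appears in a past sign-in.
  const changed = FIELDS.filter((field) => {
    const seen = new Set(past.map((row) => normalise(row[field])));
    return !seen.has(normalise(attempt[field]));
  });

  // All three differ: disable the account, block, and email a magic link.
  if (changed.length === FIELDS.length) return { action: 'block', changed };
  // One or two differ: let the sign-in proceed and notify the user by email.
  if (changed.length > 0) return { action: 'notify', changed };
  return { action: 'allow', changed };
}

// Constructed attempts covering each outcome.
const attempts = [
  { user_id: 'u1', ip: '203.0.113.10', device: 'desktop', browser: 'Chrome' },
  { user_id: 'u1', ip: '192.0.2.55', device: 'desktop', browser: 'Chrome' },
  { user_id: 'u1', ip: '192.0.2.55', device: 'tablet', browser: 'Firefox' },
];
for (const attempt of attempts) {
  const { action, changed } = assessSignIn(loginHistory, attempt);
  console.log(attempt.ip, action, changed.join(',') || '-');
}
```
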

Check the Auth Status

You can check the auth status of a user by making a GET request to /api/auth. This will return an object with the following values:

| Key | Value | Description |
| --- | --- | --- |
| jwt_token | true or false | determines if the user has an active JWT provided by the app |
| social_token | true or false | determines if the user has an active access token for a social network |
| subscription | string | returns the Stripe subscription status |
| authenticated | true or false | true if the user has an app JWT or social token |

Deleting Auth Tokens

You can sign out the user and delete the auth tokens by making a DELETE request to /api/auth.