Comment on page

Authentication

The sign-in authentication process is managed in the authController.
This method checks that:
the user exists
the correct password has been provided
the account is active 
the sign-in is not suspicious (see sections below for more information)
If these conditions are met, an auth token is generated and returned to the client along with a user object.
Authentication Model
The authentication model is located in /model directory and contains several methods for encoding and decoding the JSON web token and also the verify middleware for protecting the API endpoints.
Magic Sign-in Links
Users can sign in using their username or password, or via a magic link that sends a time-sensitive JWT for authentication.
You may need to open and close the expo app before clicking a magic link with Gravity Native.
Suspicious Sign-In Attempts
Each sign-in attempt is stored in the login table along with the device, browser and IP address. On each login attempt, authController.signin checks this table for suspicious activity based on past behaviour. 

If the IP address, device or browser differs from what the user typically uses to sign in, they will be notified via email.
Blocked Sign-In Attempts
If all three parameters (IP,  browser and device) differ from past behaviour. The user's account will be disabled and the sign-in attempt blocked. The user will then receive a magic sign-in link via email to sign-in and unlock their account.
Check the Auth Status
The auth status of a user can be checked by making a GET request to /api/auth. This request is performed every time the app is loaded or reloaded.
This will return an object with the following values:
Key
Value 
Description
jwt_token
true or false
determines if the user has an active JWT 
​
social_token
true or false
determines of the user has an active access token from a social network
subscription
string
returns the stripe subscription status
accounts
array
a list of the account IDs the user belongs too
account_id
UUID
the currently authenticated account id
authenticated
true or false
true if the user has an app JWT or social token
Deleting Auth Tokens
You can sign out the user and delete the auth tokens by making a DELETE request to /api/auth
​

API Scopes

Email Verification

Last modified 2mo ago

Key	Value	Description
jwt_token	true or false	determines if the user has an active JWT
social_token	true or false	determines of the user has an active access token from a social network
subscription	string	returns the stripe subscription status
accounts	array	a list of the account IDs the user belongs too
account_id	UUID	the currently authenticated account id
authenticated	true or false	true if the user has an app JWT or social token