
Authentication


Last updated 1 year ago


The sign-in authentication process is handled by the signin method of the authController (authController.signin).

This method checks that:

  • the user exists

  • the correct password has been provided

  • the account is active

  • the sign-in is not suspicious (see sections below for more information)

If these conditions are met, an auth token is generated and returned to the client along with a user object.

Authentication Model

The authentication model is located in the /model directory and contains several methods for encoding and decoding the JSON web token, as well as the verify middleware used to protect the API endpoints.

Magic Sign-in Links

Users can sign in using their username and password, or via a magic link that carries a time-sensitive JWT for authentication.

You may need to open and close the Expo app before clicking a magic link with Gravity Native.

Suspicious Sign-In Attempts

Each sign-in attempt is stored in the login table along with the device, browser and IP address. On each login attempt, authController.signin checks this table for suspicious activity based on past behaviour. If the IP address, device or browser differs from what the user typically uses to sign in, they will be notified via email.

Blocked Sign-In Attempts

If all three parameters (IP, browser and device) differ from past behaviour, the user's account will be disabled and the sign-in attempt blocked. The user will then receive a magic sign-in link via email to sign in and unlock their account.
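The notify/block decision described in the two sections above, as an added example that is not Gravity's own code. It assumes each row of the login table exposes ip, device and browser fields, and it treats a parameter as "typical" if the user has signed in with that value before (that reading of "typically uses" is an assumption); a user with no history is allowed through.

```javascript
// Added example, not Gravity's own implementation.
// Constructed sample rows for one user, standing in for the login table.
const loginHistory = [
  { ip: '203.0.113.10', device: 'desktop', browser: 'Chrome' },
  { ip: '203.0.113.10', device: 'desktop', browser: 'Chrome' },
  { ip: '198.51.100.7', device: 'mobile', browser: 'Safari' },
];

const SIGNALS = ['ip', 'device', 'browser'];

// A value is "known" if it appears in any past sign-in for this user (assumption).
function isKnown(history, key, value) {
  return history.some((row) => row[key] === value);
}

// Returns { action, unknown }:
//   'allow'  - every signal matches past behaviour
//   'notify' - at least one signal is new: let the user know by email
//   'block'  - all three signals are new: disable the account, block the attempt,
//              and send a magic sign-in link so the user can unlock it
function assessSignin(history, attempt) {
  if (history.length === 0) return { action: 'allow', unknown: [] }; // first ever sign-in
  const unknown = SIGNALS.filter((key) => !isKnown(history, key, attempt[key]));
  if (unknown.length === SIGNALS.length) return { action: 'block', unknown };
  if (unknown.length > 0) return { action: 'notify', unknown };
  return { action: 'allow', unknown };
}

// Convenience wrapper mirroring the outcomes the text describes.
function signinOutcome(history, attempt) {
  const { action, unknown } = assessSignin(history, attempt);
  return {
    blocked: action === 'block',
    disableAccount: action === 'block',
    sendMagicLink: action === 'block',
    emailUser: action === 'notify' || action === 'block',
    changed: unknown,
  };
}
```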

Check the Auth Status

The auth status of a user can be checked by making a GET request to /api/auth. This request is performed every time the app is loaded or reloaded.

This will return an object with the following values:

| Key | Value | Description |
| --- | --- | --- |
| jwt_token | true or false | determines if the user has an active JWT |
| social_token | true or false | determines if the user has an active access token from a social network |
| subscription | string | returns the Stripe subscription status |
| accounts | array | a list of the account IDs the user belongs to |
| account_id | UUID | the currently authenticated account id |
| authenticated | true or false | true if the user has an app JWT or social token |

Deleting Auth Tokens

You can sign out the user and delete the auth tokens by making a DELETE request to /api/auth.
