# Authentication

## Overview

Our platform integrates Auth0 for user authentication and authorization. We utilize Auth0's Universal Login Page for handling the login process, ensuring secure and streamlined authentication across our microservices architecture. Below is a detailed explanation of how the authentication flow works within our system.

## Authentication Flow

- **Universal Login with Auth0**
  When a user tries to log in, they are redirected to the Auth0 Universal Login Page. This page handles the login process, performs authorization, and returns an access token if successful.
- **Token Validation**
  Once the user logs in and receives the token, our Next.js application validates the token before allowing any requests to our backend microservices, which communicate via gRPC.
- **Token Expiration**
  The token is valid for 30 minutes. After that, the platform uses refresh tokens to create new tokens automatically, ensuring that users stay logged in until they log out or the session ends.
- **Session Expiry and Hard Logout**
  If the user remains logged in without manual logout, a hard logout will occur after 3 days of inactivity. This ensures enhanced security by terminating long-term inactive sessions.

## User Information and Storage

- **Auth0 Management**
  Auth0 stores all user information, including email and passwords. Our platform does not store passwords directly; instead, we rely on Auth0 to securely manage these details.
- **Basic Information**
  Our platform stores only essential details, such as the user's first name, last name, and industry. This information is maintained in our database for personalization purposes.
- **Metadata Updates**
  Every time a user logs in, Auth0 updates the platform-specific information via the auth.grepsr.com API. This information is stored in Auth0's metadata and includes essential user details.

## Security Features

- **Invalid Login Attempts**
  For security, if a user attempts to log in with an incorrect password more than 5 times, Auth0 will block the user account. To unblock the account, an admin must manually unblock the user through the Auth0 management portal.
- **Social Login**
  Users from Grepsr are restricted to logging in only via Gmail using social login. They cannot sign up or log in using traditional credentials (username/password). Other users can sign up and log in using their credentials.
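One way to enforce the social-login restriction above, as an added example rather than Grepsr's deployed configuration: an Auth0 post-login Action that denies any login for an address on the company domain unless it arrived through the Google social connection. The domain, the connection name `google-oauth2` (Auth0's default name for its Google connection) and the Action runtime surface used here (`event.user.email`, `event.connection.name`, `api.access.deny`) are assumptions for this example.

```javascript
// Added example: an Auth0 post-login Action that restricts company accounts
// to the Google social connection. Domain and connection name are assumed.
const RESTRICTED_DOMAIN = "grepsr.com";     // assumed internal domain
const ALLOWED_CONNECTION = "google-oauth2"; // Auth0's default Google connection name

// Pure decision helper, separated from the Action so it can be tested
// without the Action runtime. Non-company addresses are unaffected.
function decide(email, connectionName) {
  const domain = String(email || "").trim().toLowerCase().split("@")[1];
  if (domain !== RESTRICTED_DOMAIN) return { allow: true };
  if (connectionName === ALLOWED_CONNECTION) return { allow: true };
  return {
    allow: false,
    reason: `Accounts on ${RESTRICTED_DOMAIN} must sign in with Google`,
  };
}

// Action entry point. In the Auth0 Actions editor this is exported as
// exports.onExecutePostLogin; the guard below keeps the file runnable outside it.
async function onExecutePostLogin(event, api) {
  const email = event && event.user ? event.user.email : undefined;
  const connection = event && event.connection ? event.connection.name : undefined;
  const verdict = decide(email, connection);
  if (!verdict.allow) {
    // Denying here aborts the login; Auth0 shows the reason on the Universal Login page.
    api.access.deny(verdict.reason);
  }
}

if (typeof exports !== "undefined") {
  exports.onExecutePostLogin = onExecutePostLogin;
  exports.decide = decide;
}
```

Blocking sign-up through the database connection for the same domain is a separate concern handled by a pre-user-registration Action or by not enabling that connection for the application at all; the Action above only governs logins.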

## Key Points

- Token Lifetime: 30 minutes
- Hard Logout: After 3 days of inactivity
- Refresh Token: Used to generate a new token post expiration
- User Blocking: After 5 invalid login attempts, admin intervention required to unblock
- Social Login: Only Gmail for Grepsr users; other users can use normal credentials

## Admin Actions

For blocked users, administrators can unblock accounts by logging into the Auth0 portal and manually resetting the user's status.

```mermaid
flowchart TD
    User -->|Login Request| Platform
    Platform -->|Login Request| Auth0
    Auth0 -->|Update Metadata| AuthAPI
    Auth0 -->|Send Token| Platform
    Platform -->|Provide Access| User
```