Posts

Showing posts from December, 2024

JWT Structure

The token is composed of three parts, separated by dots:

  eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6Im9wZW5zb3VyY2VqZWdhbkBnbWFpbC5jb20iLCJyb2xlcyI6WyJ1c2VyIl0sImV4cCI6MTczMzU3MzA2MX0.nxBknSlySJ0JQIFg5BpmnZhZV6VZ0Mshu7opFFgPLSc

1. First Part (Header): eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9

When decoded (base64), it reveals:

  {
    "typ": "JWT",
    "alg": "HS256"
  }

typ: Type of token (JSON Web Token)
alg: Algorithm used (HMAC SHA256)

2. Second Part (Payload): eyJ1c2VybmFtZSI6Im9wZW5zb3VyY2VqZWdhbkBnbWFpbC5jb20iLCJyb2xlcyI6WyJ1c2VyIl0sImV4cCI6MTczMzU3MzA2MX0

When decoded, it reveals:

  {
    "username": "opensourcejegan@gmail.com",
    "roles": ["user"],
    "exp": 1733573061
  }

username: User's email
roles: User's roles (in this case, "user")
exp: Expiration timestamp (Unix timestamp)

3. Third Part (Signature): nxBknSlySJ...

Jegan's SSO Auth System Code Explanation

https://docs.google.com/document/d/1tVIsBVRwF9cESAvhBLbqwJftuJtXcx8t-fO4KmB1QaQ/edit?usp=sharing

API Routes

/api/signup: Handles user signup. Validates email and password, checks if the email is allowed, hashes the password, stores user data in the database, and sends a welcome email.
/api/enroll: Handles TOTP enrollment. Generates a TOTP secret, stores it, and returns a QR code for 2FA setup.
/api/login: Handles user login. Validates credentials, checks account lock status, generates tokens, and sets them as cookies.
/api/validate: Validates the access token and returns user information if valid.
/api/token/refresh: Refreshes the access token using a valid refresh token.
/api/update_role: Updates the role of a user.
/api/logout: Logs out the user by revoking tokens and clearing cookies.
/api/request_reset: Initiates a password reset by generating a reset token and sending it via email.
/api/reset_password/: Resets the user's password using a valid reset token.

Mermaid diagram syntax for Token-based authentication system

sequenceDiagram
    participant User
    participant Browser
    participant AuthServer
    participant Database
    %% Login Flow (Mermaid comments use a double percent sign)
    User->>Browser: Enter Credentials
    Browser->>AuthServer: POST /api/login
    AuthServer->>Database: Validate Credentials
    alt Credentials Valid
        Database-->>AuthServer: User Found
        AuthServer->>AuthServer: Generate Access Token
        AuthServer->>AuthServer: Generate Refresh Token
        AuthServer->>Database: Store Refresh Token
        AuthServer-->>Browser: Return Tokens
        Browser->>Browser: Store Tokens in HTTP-only Cookies
        Browser-->>User: Login Successful
    else Credentials Invalid
        D...