Authentication Flow

This sequence diagram shows the authentication flow for the TunnelFlight platform, including Google OAuth integration and session management.

OAuth Authentication Flow

Key Steps Explained

  1. User Initiates Login: User clicks login button on the WWW application
  2. OAuth Redirect: Application redirects to Google's OAuth service
  3. Google Authentication: User enters credentials on Google's secure login page
  4. Token Exchange: Google provides OAuth token back to the application
  5. Token Validation: API service verifies the token with Google
  6. User Management: System checks if user exists or creates new account
  7. Session Creation: Redis stores the session with expiry time
  8. JWT Generation: API creates JWT token for subsequent requests
  9. Authenticated State: User receives JWT and can access protected resources
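The nine steps above, as an added worked example (not TunnelFlight's code): a minimal login handler that mints and checks the OAuth `state` parameter, validates the Google token, finds or creates the user, writes a session with an expiry into a Redis-like store, and issues a 15-minute HS256 JWT. Everything the page does not specify is an assumption and labelled as such in the code: the Google call is replaced by a hypothetical stub `verify_google_token_stub`, `FakeRedis` stands in for Redis, `JWT_SECRET`, `CLIENT_ID_PLACEHOLDER`, the session lifetime and the state lifetime are constructed values, and the JWT is built by hand so the example has no third-party dependency.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Tuple

JWT_SECRET = b"constructed-dev-secret-do-not-use"  # assumption: the real key comes from config
ACCESS_TTL = 15 * 60            # page: access tokens expire after 15 minutes
SESSION_TTL = 7 * 24 * 3600     # assumption: session lives as long as the refresh token (7 days)
STATE_TTL = 10 * 60             # assumption: an OAuth state must be redeemed within 10 minutes


class FakeRedis:
    """In-memory stand-in for Redis SETEX/GET/DEL with expiry; `now` is injectable for tests."""
    def __init__(self):
        self._data: Dict[str, Tuple[str, float]] = {}

    def setex(self, key: str, ttl: int, value: str, now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        self._data[key] = (value, now + ttl)

    def get(self, key: str, now: Optional[float] = None) -> Optional[str]:
        now = time.time() if now is None else now
        item = self._data.get(key)
        if item is None or now >= item[1]:      # missing or expired
            self._data.pop(key, None)
            return None
        return item[0]

    def delete(self, key: str) -> None:
        self._data.pop(key, None)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def issue_jwt(claims: dict, secret: bytes = JWT_SECRET) -> str:
    """HS256 JWT built by hand so the example needs no third-party library."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def decode_jwt(token: str, now: float, secret: bytes = JWT_SECRET) -> Optional[dict]:
    """Verify the signature (constant-time compare) and the `exp` claim; None on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, body, sig = parts
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expected), sig):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    return None if now >= claims.get("exp", 0) else claims


def verify_google_token_stub(id_token: str) -> Optional[dict]:
    """Hypothetical stand-in for the call to Google's token verification endpoint (step 5).
    Constructed rule: 'good:<email>' is accepted, anything else is rejected."""
    if id_token.startswith("good:"):
        email = id_token[len("good:"):]
        return {"sub": "google-" + email, "email": email}
    return None


class AuthService:
    def __init__(self, redis: FakeRedis, verify=verify_google_token_stub):
        self.redis = redis
        self.verify = verify
        self.users: Dict[str, dict] = {}    # email -> user record, stand-in for the user table

    def start_login(self, now: Optional[float] = None) -> Tuple[str, str]:
        """Step 2: mint a random `state`, remember it server-side, build the Google redirect."""
        state = secrets.token_urlsafe(32)
        self.redis.setex(f"oauth:state:{state}", STATE_TTL, "1", now=now)
        redirect = ("https://accounts.google.com/o/oauth2/v2/auth?response_type=code"
                    f"&client_id=CLIENT_ID_PLACEHOLDER&state={state}")
        return state, redirect

    def callback(self, state: str, id_token: str, now: Optional[float] = None) -> dict:
        """Steps 4-9: CSRF check on `state`, token validation, user upsert, session and JWT."""
        now = time.time() if now is None else now
        if self.redis.get(f"oauth:state:{state}", now=now) is None:
            raise PermissionError("unknown, expired or replayed state")
        self.redis.delete(f"oauth:state:{state}")           # state is single use
        info = self.verify(id_token)                         # step 5
        if info is None:
            raise PermissionError("Google rejected the token")
        user = self.users.setdefault(info["email"], {"id": info["sub"], "email": info["email"]})  # step 6
        session_id = secrets.token_urlsafe(32)               # step 7: session with expiry
        self.redis.setex(f"session:{session_id}", SESSION_TTL, json.dumps({"uid": user["id"]}), now=now)
        token = issue_jwt({"sub": user["id"], "sid": session_id,  # step 8: short-lived JWT
                           "iat": int(now), "exp": int(now) + ACCESS_TTL})
        return {"session_id": session_id, "access_token": token, "user": user}
```

The `state` value is both stored server-side and deleted on first use, so a callback carrying a guessed, expired or replayed state is rejected before any token is touched; the JWT carries the session id so the API can revoke a session from Redis independently of the token's 15-minute lifetime.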

Token Refresh Flow

Logout Flow

Security Considerations

  • Token Expiry: Access tokens expire after 15 minutes, refresh tokens after 7 days
  • HTTPS Only: All authentication traffic must use HTTPS
  • Session Storage: Sessions stored in Redis with automatic expiry
  • Rate Limiting: Login attempts are rate-limited to prevent brute force
  • CSRF Protection: State parameter used in OAuth flow to prevent CSRF attacks
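The Token Refresh Flow, the Logout Flow and the token-expiry and rate-limiting bullets above, as one added example (not TunnelFlight's code): a Redis-like store with TTLs, a per-client login attempt counter, opaque refresh tokens that expire after 7 days and are rotated on every use, and a logout that revokes both the refresh token and the session. The page gives the 15-minute and 7-day lifetimes; the attempt limit, the window length, the key names and the in-memory `Store` are assumptions made for the example, and the new access token is represented only by its expiry deadline.

```python
import secrets
from typing import Dict, Optional, Tuple

ACCESS_TTL = 15 * 60            # page: access tokens expire after 15 minutes
REFRESH_TTL = 7 * 24 * 3600     # page: refresh tokens expire after 7 days
MAX_ATTEMPTS = 5                # assumption: the page states no limit
WINDOW = 60                     # assumption: attempts counted per 60-second window


class Store:
    """Minimal TTL key/value store standing in for Redis; `now` is passed in so tests are deterministic."""
    def __init__(self):
        self._d: Dict[str, Tuple[str, float]] = {}

    def set(self, key: str, value: str, ttl: int, now: float) -> None:
        self._d[key] = (value, now + ttl)

    def get(self, key: str, now: float) -> Optional[str]:
        item = self._d.get(key)
        if item is None or now >= item[1]:      # absent or expired
            self._d.pop(key, None)
            return None
        return item[0]

    def delete(self, key: str) -> None:
        self._d.pop(key, None)

    def incr(self, key: str, ttl: int, now: float) -> int:
        """INCR with an expiry set on first hit, like Redis INCR + EXPIRE NX."""
        cur = self.get(key, now)
        if cur is None:
            self.set(key, "1", ttl, now)        # first hit opens the window
            return 1
        val = int(cur) + 1
        self._d[key] = (str(val), self._d[key][1])   # keep the original window end
        return val


def allow_login_attempt(store: Store, client_ip: str, now: float) -> bool:
    """Fixed-window counter per client; the counter key expires with the window."""
    return store.incr(f"ratelimit:login:{client_ip}", WINDOW, now) <= MAX_ATTEMPTS


def issue_tokens(store: Store, user_id: str, now: float) -> dict:
    """Create an opaque refresh token with a 7-day TTL and report the access-token deadline."""
    refresh = secrets.token_urlsafe(32)
    store.set(f"refresh:{refresh}", user_id, REFRESH_TTL, now)
    return {"refresh_token": refresh, "access_expires_at": now + ACCESS_TTL}


def refresh_access(store: Store, refresh_token: str, now: float) -> Optional[dict]:
    """Token refresh flow: a live refresh token yields a new access deadline and a rotated
    refresh token; the presented token is revoked so a copied one cannot be reused."""
    user_id = store.get(f"refresh:{refresh_token}", now)
    if user_id is None:
        return None
    store.delete(f"refresh:{refresh_token}")
    return issue_tokens(store, user_id, now)


def logout(store: Store, refresh_token: str, session_id: str) -> None:
    """Logout flow: drop the refresh token and the server-side session together."""
    store.delete(f"refresh:{refresh_token}")
    store.delete(f"session:{session_id}")
```

Rotation on refresh means a refresh token that is presented twice is a signal worth alerting on, since only a client that lost the race to a copied token would ever do that; storing refresh tokens server-side is also what makes logout an immediate revocation rather than a wait for the 7-day expiry.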