Authentication System

Overview

The www application uses a comprehensive authentication system built with Passport.js, supporting both local authentication and OAuth providers.

Authentication Architecture

Core Components

  1. Passport.js Configuration (src/config/passport.js)
  2. JWT Token Management (src/config/jwt.js)
  3. Authentication Middleware (src/middleware/auth/)
  4. Auth Controllers (src/controllers/auth/)
  5. Auth Routes (src/routes/auth/)

Authentication Strategies

Google OAuth 2.0

  • Primary authentication method
  • Configured via passport-google-oauth20
  • Provides seamless user experience
  • Handles profile data synchronization

JWT Token Management

  • Stateless authentication tokens
  • Secure token signing and verification
  • Token refresh capabilities
  • Session management with Redis

Authentication Flow

1. User Login Process

User clicks "Login" → Google OAuth → Authorization → Token Generation → Session Creation

2. Google OAuth Flow

  1. User redirects to Google authorization server
  2. User grants permissions
  3. Google returns authorization code
  4. Application exchanges code for access token
  5. User profile retrieved from Google
  6. JWT token generated and stored
  7. User redirected to dashboard

3. Token Validation

// Middleware validates JWT on protected routes
const jwt = require('jsonwebtoken');
// The Authorization header carries "Bearer <token>", so strip the scheme before verifying
const header = req.headers.authorization || '';
const token = header.startsWith('Bearer ') ? header.slice(7) : req.cookies.token;
const decoded = jwt.verify(token, process.env.JWT_SECRET); // throws on a bad signature or an expired token
req.user = decoded;

Authentication Middleware

User Authentication (src/middleware/auth/userAuthenticate.js)

  • Validates JWT tokens on protected routes
  • Extracts user information from tokens
  • Handles token expiration and refresh
  • Redirects unauthenticated users to login
  • Sets up navigation context based on user authentication
  • Provides user-specific navigation options
  • Handles role-based menu items

Protected Routes

Account Area Protection

All routes under /account/* require authentication:

  • Dashboard access
  • Profile management
  • Logbook functionality
  • Training modules
  • Administrative features

Middleware Chain

app.use('/account', [
  userAuthenticate, // Check authentication
  setNav,           // Set navigation context
  profile,          // Load profile data
  // ... route handlers
]);

User Session Management

Session Storage

  • Redis-based session storage
  • Distributed session management
  • Session expiration handling
  • Cross-device session synchronization

Session Data Structure

{
  userId: 'user_id',
  email: 'user@example.com',
  profile: { /* user profile data */ },
  roles: ['flyer', 'instructor'],
  lastActivity: timestamp,
  expiresAt: timestamp
}

Registration and Verification

User Registration

  1. Initial Registration: Basic user information collection
  2. Email Verification: Verification email sent to user
  3. Profile Completion: Additional profile details
  4. Account Activation: Full account access granted

Verification Process

  • Email verification with secure tokens
  • SMS verification for phone numbers (Twilio integration)
  • Identity verification for certain user types
  • Document verification for instructors/coaches

Security Features

Token Security

  • JWT tokens signed with secure secret
  • Short-lived access tokens
  • Refresh token rotation
  • Secure HTTP-only cookies

Password Security

  • Bcrypt hashing for local passwords
  • Password complexity requirements
  • Password reset functionality
  • Account lockout after failed attempts

Cross-Site Request Forgery (CSRF)

  • CSRF tokens on all forms
  • Same-site cookie policies
  • Origin validation

Session Security

  • Secure session configuration
  • Session timeout policies
  • Concurrent session limits
  • Session invalidation on logout

Authentication States

Authenticated User

  • Full access to account features
  • Personalized dashboard
  • Profile management capabilities
  • Training and logbook access

Unauthenticated User

  • Public content access only
  • Login/registration prompts
  • Limited functionality
  • Redirect to login for protected resources

Verification Pending

  • Limited account access
  • Verification prompts
  • Email/SMS verification required
  • Profile completion required

Error Handling

Authentication Errors

  • Invalid credentials handling
  • Token expiration management
  • OAuth callback errors
  • Network failure recovery

User Feedback

  • Clear error messages
  • Authentication status indicators
  • Progress feedback during verification
  • Helpful recovery suggestions

Integration Points

API Authentication

  • JWT tokens for API requests
  • Bearer token authorization
  • API key management for external services
  • Rate limiting per authenticated user

External Services

  • Google OAuth: Primary authentication provider
  • Redis: Session and token storage
  • Twilio: SMS verification services
  • Email Service: Verification and notifications

Development and Testing

Local Development

  • Mock OAuth for testing
  • Development token configuration
  • Local Redis instance
  • Debug authentication middleware

Testing Strategies

  • Unit tests for authentication logic
  • Integration tests for OAuth flow
  • End-to-end authentication testing
  • Security vulnerability testing