Skip to content
Snippets Groups Projects
Select Git revision
  • master default protected
  • improved-skeleton
  • xsrf-token
3 results
Blame Permalink
user-management.md 6.90 KiB

User management

Sign up

There are two steps to create an account on data.grandlyon.com.

First of all the user must go to the sign up page accessible from the login page and fill the form. A few information are required such as the firstname, the lastname and the email. A password also has to be entered. It must:

  • have at least 6 characters
  • contain at least one special character
  • contain at least one uppercased character
  • contain at least one lowercased character
  • contain at least one number

Passwords are always encrypted with a public key retrieved from the legacy auth middleware before they are sent accross the network. Only the legacy auth middleware knows the private key that allow the decryption of the password.

Before being able to submit the form, the user has to accept the general terms of use and the processing of its information.

When the form is submitted, the account is not directly created. In fact, a request is made to the legacy auth middleware. The service stores temporarily the user account information in a Redis database and send an email to the user's email address through the email service. The purpose of this email is to confirm the validity of the user's email address. Indeed the email contains a unique link which expires after 24h.

The link is actually a link to the login page of our application that includes a token query param. When the LoginComponent of the Angular app detects a token param in the url, it sends an HTTP request to the Legacy auth middleware including the token. If the token is still valid the user account associated with this token is created in the real user database of the legacy auth service.

For more information about this process read this section of the documentation.

Sign in

Obviously, on the sign in page the user can enter its credentials in order to authenticate himself/herself. For more details refer to this section of the documentation.

A checkbox on the left of the password input allow one to display the content of the input.

Password forgotten

A user that forgets its password can click the Password forgotten button from the sign in page. The application will then display a second form asking the user to enter its email address. When the form is submitted, the password is encrypted with the public key retrieved from the legacy auth middleware. Then just as in the sign up process the app sends a request to the middleware that in its turn sends an email to the user address ,through the mailer, containing a link valid for 24 hours.

The link sends the user on the page dedicated to the reset of the password. This page first verifies that a token is indeed present in the query param of the current url. It also checks with the legacy auth middleware if the token is still valid. In the failing case a message ask the user to restart the password reset process from the beginning. When the token is valid, the user is asked to enter a new password. Finally the application sends the request to the middleware along with the token from the query param. The middleware checks again the validity of the token and then make an HTTP call to the Legacy auth service in order to apply the new password to the email associated to the user account.

Here's a diagram that sums this up.

Sign out

The sign out button is available in the dropdown menu that can be displayed with a click on the user button of the header of the app.

Cookies are used to store the two authentication pieces and more particularily HTTP only cookie to store the JWT. It means the application cannot manipulate this cookie, the only way is to force it's expiration through our backend service. This is why the application makes a call to the authentication service which returns two new cookie with the same keys but with outdated expiration dates. Those cookies will replace the two existing ones in the user's browser, and as they are expired they will be removed and user signed out.

User update

A user can easily update its profil information from the user profil page. He needs to agree to the general term of use and the process of its information before sumitting any changes. To update the profil the application calls the authentication service. In its turn it makes the appropriate request to the legacy auth middleware and then generate a new JWT with the latest user information. Finally the authentication service replies to the application and set two cookies to replace the older ones.

Password update

Account deletion

User accesses