Authentication

Routes:

  • /login — Login
  • /register — Registration
  • /forgot-password — Request password reset
  • /reset-password — Set new password (from email link)

Files:

  • ayts-fe/app/login/page.tsx
  • ayts-fe/app/register/page.tsx
  • ayts-fe/app/forgot-password/page.tsx
  • ayts-fe/app/reset-password/page.tsx

Auth required: No (redirects to home if already logged in)


Login (/login)

Form Fields

  • Email
  • Password
  • "Remember me" checkbox
  • "Forgot password?" link

Flow

POST /api/auth/login
{ email, password }
→ { success, token, refreshToken, user }
→ Store token in localStorage / cookie
→ Redirect to previous page or /

Error States

  • Invalid credentials: "Email or password is incorrect"
  • Account deactivated: "Your account has been deactivated"
  • Network error: Toast notification

Register (/register)

Form Fields

  • First name
  • Last name
  • Email
  • Phone (optional)
  • Password (min 8 characters)
  • Confirm password
  • Accept Terms of Service checkbox

Flow

POST /api/auth/register
{ email, password, firstName, lastName, phone }
→ Account created (email pre-confirmed, no verification email)
→ Auto-login with returned token
→ Redirect to /

Validation (Zod)

import { z } from "zod";

// Schema for the POST /api/auth/register body (the constant name is illustrative)
const registerSchema = z.object({
  email: z.string().email(),
  password: z.string().min(8),
  firstName: z.string().min(1).max(100),
  lastName: z.string().min(1).max(100),
  phone: z.string().optional(),
});

Forgot Password (/forgot-password)

Flow

POST /api/auth/forgot-password
{ email }
→ Supabase sends reset email to user
→ User clicks link in email → /reset-password?token=...

Reset Password (/reset-password)

Flow

POST /api/auth/reset-password
{ password, access_token }
→ Password updated
→ Redirect to /login

The access_token is extracted from the URL hash after clicking the email link.


Token Management

Token              Storage        Lifetime
JWT access token   localStorage   1 hour
Refresh token      localStorage   7 days

Refresh: POST /api/auth/refresh → new access token.
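An added example, not code from ayts-fe, of how a client can use the lifetimes above to schedule the POST /api/auth/refresh call before the 1-hour access token expires, decoding the JWT only to read its exp claim (the signature is not verified client-side, so nothing read this way may drive an authorization decision). The request body { refreshToken }, the response field token, and the injected fetch shape are assumptions, since the page documents only the endpoint.

```typescript
export interface TokenPair { token: string; refreshToken: string }
const B64URL = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

// Decode base64url to a byte string; enough for the ASCII JSON of a JWT payload.
function base64UrlDecode(s: string): string {
  let acc = 0, bits = 0, out = "";
  for (const ch of s.replace(/=+$/, "")) {
    const v = B64URL.indexOf(ch);
    if (v < 0) throw new Error("invalid base64url");
    acc = ((acc << 6) | v) & 0xffff; bits += 6;
    if (bits >= 8) { bits -= 8; out += String.fromCharCode((acc >> bits) & 0xff); }
  }
  return out;
}

// Read `exp` (seconds since epoch) WITHOUT verifying the signature: scheduling only.
export function jwtExpiry(jwt: string): number | null {
  const parts = jwt.split(".");
  if (parts.length !== 3) return null;
  try {
    const exp = JSON.parse(base64UrlDecode(parts[1])).exp;
    return typeof exp === "number" ? exp : null;
  } catch {
    return null;
  }
}

// Refresh when the token expires within `skewSeconds`, or cannot be parsed at all.
export function needsRefresh(jwt: string, nowSeconds: number, skewSeconds = 60): boolean {
  const exp = jwtExpiry(jwt);
  return exp === null || exp - nowSeconds <= skewSeconds;
}

export type RefreshFetch = (url: string, init: { method: string; headers: Record<string, string>; body: string }) => Promise<{ ok: boolean; json(): Promise<any> }>;

// Call POST /api/auth/refresh when needed; null means the refresh token was rejected
// and the caller should clear storage and redirect to /login. Body/response shape assumed.
export async function ensureFreshToken(pair: TokenPair, nowSeconds: number, fetchImpl: RefreshFetch): Promise<TokenPair | null> {
  if (!needsRefresh(pair.token, nowSeconds)) return pair;
  const res = await fetchImpl("/api/auth/refresh", {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ refreshToken: pair.refreshToken }),
  });
  if (!res.ok) return null;
  const data = await res.json();
  if (typeof data?.token !== "string") return null;
  return { token: data.token, refreshToken: typeof data.refreshToken === "string" ? data.refreshToken : pair.refreshToken };
}
```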

Rate Limiting

Auth endpoints are rate-limited:

  • Login: 10 requests / 15 minutes per IP
  • Register: 5 requests / hour per IP
  • Forgot password: 3 requests / hour per IP

Known Issues / Status

Item                         Status
Login                        ✅ Working
Register (pre-confirmed)     ✅ Working
Forgot password email        ✅ Working
Reset password               ✅ Working
Refresh token                ✅ Working
Rate limiting                ✅ Working
Ban check (403 if banned)    ✅ Working