Authentication And Sessions

The private area uses passwordless authentication. A person starts at Login, enters their real name, email, phone number, and preferred one-time-code channel, then verifies the received code before opening the Private area.

Runtime Flow

  1. Browser posts to POST /api/auth/register/start.
  2. Cloudflare Pages forwards /api/auth/* to the Living Register backend through Quartz_CL/functions/api/auth/[[path]].ts.
  3. The backend creates or updates lr_auth_accounts, stores an OTP challenge in lr_auth_challenges, and writes a redacted delivery row in lr_auth_delivery_outbox.
  4. Browser posts the code to POST /api/auth/verify.
  5. The backend verifies the hashed OTP and returns a session token.
  6. Browser stores only the session token in local storage under cl-private-session-token.
  7. Private area calls GET /api/auth/session with Authorization: Bearer <token>.

Security Properties

  • OTP codes are stored as salted PBKDF2 hashes, never in clear text.
  • Session tokens are stored server-side only as SHA-256 token digests.
  • OTP challenges expire after 10 minutes.
  • A challenge allows at most 5 attempts.
  • A new challenge supersedes older pending challenges for the same account.
  • Sessions expire after 30 days and can be revoked through POST /api/auth/logout.
  • The website displays redacted email and phone values after login.

Production Requirements

Production must not expose development OTP codes in API responses.

Required:

  • LROS_AUTH_DEV_MODE=0 on the Living Register auth backend.
  • LROS_AUTH_API_BASE on Cloudflare Pages, pointing to the HTTPS auth backend without a trailing slash.
  • Email or SMS delivery worker/provider consuming lr_auth_delivery_outbox.
  • Edge and backend rate limits by IP, email, phone, account ID, and challenge ID.
  • Provider secrets stored only in Cloudflare/backend environment variables.

Optional:

  • LROS_AUTH_API_TOKEN on Cloudflare Pages when the backend requires a shared internal token. The proxy forwards it as X-CL-Internal-Auth.

What Login Does Not Do

Login does not prove identity-document validity by itself. Identity verification remains a separate LP/LivingRegister process through in-person checks, authority receipts, or the protected temporary upload channel.