
Auth Provider

The auth provider implements react-admin's AuthProvider interface using session-based authentication with CSRF protection.

Login Flow

1. GET /api/v1/auth/session      → Establish CSRF cookie
2. POST /api/v1/auth/login       → Authenticate with email + password + CSRF token
   ← Set-Cookie: sessionid=...
3. GET /api/v1/users/me           → Fetch identity + permissions (cached)

The login page collects email and password, then the auth provider:

  1. Hits the session endpoint to ensure a CSRF cookie is set
  2. Sends the login request with the CSRF token as X-CSRFToken header
  3. On success, calls fetchMe() to cache the user identity and permissions

AuthProvider Methods

login({ email, password })

Authenticates the user and caches their identity.

logout()

Sends DELETE /api/v1/auth/session with the CSRF token, then clears the cached identity.

checkAuth()

Calls GET /api/v1/users/me to verify the session is still valid. Throws if unauthenticated, triggering a redirect to the login page.

checkError(error)

If a response returns 401 or 403, clears the identity cache and throws to trigger re-authentication.

getIdentity()

Returns { id, fullName } from the cached /users/me response, fetching it first if nothing is cached.

getPermissions()

Returns the permissions array from the /users/me response in react-admin RBAC format.
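The login flow and the method contracts above, as an added example that is not the project's own code. It assumes readCsrfCookie() returns the CSRF cookie value (the cookie name is not given on this page), models permissions as plain strings, and takes a small fetch-like transport so a constructed in-memory stand-in for the API can exercise the whole flow offline.

```typescript
// Added example (not the project's code): a minimal AuthProvider wired as the page describes. Assumed:
// readCsrfCookie() returns the CSRF cookie value (cookie name not on the page), permissions are strings.
type Resp = { status: number; json?: unknown };
type Http = (method: string, url: string, opts?: { headers?: Record<string, string>; body?: unknown }) => Promise<Resp>;
interface AuthMe { id: string; full_name: string; permissions: string[] }  // other fields omitted
export function createAuthProvider(http: Http, readCsrfCookie: () => string | null) {
  let me: AuthMe | null = null;  // cached /users/me response
  async function csrfHeaders(): Promise<Record<string, string>> {
    if (!readCsrfCookie()) await http("GET", "/api/v1/auth/session");  // step 1: make the server set the cookie
    const token = readCsrfCookie();
    if (!token) throw new Error("CSRF cookie missing after session request");
    return { "X-CSRFToken": token };  // step 2: echo the cookie value in the header (double-submit check)
  }
  async function fetchMe(): Promise<AuthMe> {  // step 3: cache identity + permissions
    const res = await http("GET", "/api/v1/users/me");
    if (res.status !== 200) throw new Error("unauthenticated");
    return (me = res.json as AuthMe);
  }
  return {
    async login(params: { email: string; password: string }) {
      const res = await http("POST", "/api/v1/auth/login", { headers: await csrfHeaders(), body: params });
      if (res.status !== 200) throw new Error("login failed");
      await fetchMe();
    },
    async logout() { await http("DELETE", "/api/v1/auth/session", { headers: await csrfHeaders() }); me = null; },
    async checkAuth() { await fetchMe(); },  // throwing here makes react-admin redirect to the login page
    // 401/403 from any data request: drop the cache and throw so react-admin re-authenticates
    async checkError(error: { status?: number }) { if (error.status === 401 || error.status === 403) { me = null; throw new Error("re-authenticate"); } },
    async getIdentity() { const m = me ?? (await fetchMe()); return { id: m.id, fullName: m.full_name }; },
    async getPermissions() { return (me ?? (await fetchMe())).permissions; },
  };
}
// Constructed in-memory stand-in for the API (not a real server) so the flow runs offline.
export function fakeApi() {
  const state = { csrf: null as string | null, session: false };
  const http: Http = async (method, url, opts) => {
    if (method === "GET" && url === "/api/v1/auth/session") { state.csrf = "tok123"; return { status: 200 }; }
    if (method === "GET" && url === "/api/v1/users/me")
      return state.session ? { status: 200, json: { id: "u1", full_name: "Ada L.", permissions: ["posts.read"] } } : { status: 401 };
    if (!state.csrf || opts?.headers?.["X-CSRFToken"] !== state.csrf) return { status: 403 };  // CSRF check on unsafe methods
    if (method === "POST" && url === "/api/v1/auth/login") {
      const b = opts?.body as { email: string; password: string };
      state.session = b.email === "ada@example.com" && b.password === "correct horse";  // constructed credentials
      return { status: state.session ? 200 : 401 };
    }
    if (method === "DELETE" && url === "/api/v1/auth/session") { state.session = false; return { status: 200 }; }
    return { status: 404 };
  };
  return { http, readCsrfCookie: () => state.csrf };
}
```

In a browser the readCsrfCookie callback would read document.cookie and the transport would wrap fetch with credentials included; the fake only checks that the header value matches the cookie it handed out, which is the point of the session-then-login ordering.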

Identity Response

The /api/v1/users/me endpoint returns:

interface AuthMe {
  id: string;
  email: string;
  first_name: string;
  last_name: string;
  full_name: string;
  is_superadmin: boolean;
  is_active: boolean;
  tenant_id: number | null;
  tenant_role: string | null;
  permissions: Permission[];
}

The permissions array drives UI visibility for menu items, action buttons, and form fields. See Permissions for details.

Password Reset

Two custom pages handle password reset outside react-admin's auth flow:

Forgot Password (/auth/forgot-password):

  1. Establishes CSRF via GET /api/v1/auth/session
  2. Sends POST /api/v1/auth/password/request with email
  3. Always shows a success message (prevents email enumeration)
  4. Rate-limited: a 429 response is shown as an error

Reset Password (/auth/reset-password/:key):

  1. Validates the reset key via GET /api/v1/auth/password/reset with X-Password-Reset-Key header
  2. If valid, shows new password + confirm form
  3. Submits via POST /api/v1/auth/password/reset with key and new password

See Also