Introduction
In this documentation, you will find the theoretical part of the authentication module of the schmuckliCloud service. This module provides you with a complete authentication solution for your customers. Simply create a user interface for a login and register form and start calling the provided functions in the SDKs.
Login concept
In the following diagram, you see the visualized concept of the login form. It is actually a really simple structure. The login form, with for example two input fields for email and password, is provided by your client app. When the user hits the "Login" button, the app sends a request to the backend, which validates the credentials. If the credentials are not valid or are malformed, the client app receives an error code with an additional message. It is your choice whether you provide custom messages to your users or just show the message from the backend (only an English version is available).
If the credentials are valid, the backend generates a session token that references the user account in the backend. The session token should be unique per device and, of course, per user, and should only be saved on the client's device. This also makes it possible to keep track of where the user has active sessions and to close them as desired. You receive the session token, together with the successful response confirming that the credentials were valid, in the data object.
Best practices
In order to use the SDK/API properly, please follow these best practices.
- Store the session token only on the user's device, for example in browser cookies, the Local Storage API, etc.
- Do not store any credentials (not even the email address) anywhere in your application or custom backend.
- Use a password-type input field for the password input if available.
Register concept
Next to the whole login process, users also have to be able to create their own accounts. For that, create a form where the user can enter an email address as well as a password. Usually it is recommended to force the user to repeat the same password in an additional field. When the user taps the "Register" button, an outgoing request enters the service, which validates the inputs. It checks that the email has not been used before in the project and that the password meets the requirements. If something went wrong, the user should be informed. You get an error message from the backend system, which you can display. If everything was fine, it creates the account with all the important data and replies with a success message. It has also now sent a welcome email to the user, where he can verify his email address. You can define the mail content, as well as the link for the activation, in the schmuckliCloud console. Please make sure that you have defined them before you set your client app productive. Otherwise the user cannot verify the email and also cannot log into their account.
On the activation page, simply call the activation function and pass the token from the query parameters.
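The login handling described above and the activation step, as an added client-side example that is not part of the schmuckliCloud SDK. The response field names (error.code, error.message, data.session), the SDK function names sdk.login and sdk.activate, and the query parameter name "token" are assumptions; only the session token is persisted, and only in a storage object living on the user's device.

```javascript
// Added example, not schmuckliCloud SDK code. Field names (error.code,
// error.message, data.session) and the query parameter "token" are assumptions.
const SESSION_KEY = 'sessionToken';

// Decide what to do with a backend login response. Only the session token is
// persisted, via a localStorage-like object the caller passes in, so it stays
// on the user's device. Credentials never reach storage.
function handleLoginResponse(response, storage, customMessages = {}) {
  if (response.error) {
    const { code, message } = response.error;
    // Custom wording if the integrator defined one, otherwise the backend's English text.
    return { ok: false, code, message: customMessages[code] || message };
  }
  const token = response.data && response.data.session;
  if (typeof token !== 'string' || token.length === 0) {
    // A "successful" reply without a token is treated as a failure rather than
    // leaving the user half logged in. The code below is a constructed placeholder.
    return { ok: false, code: 'client_malformed_response', message: 'No session token in response' };
  }
  storage.setItem(SESSION_KEY, token);
  return { ok: true };
}

// Wire the form to the (assumed) sdk.login: read the fields, hand the reply to
// handleLoginResponse, then clear the password field so the value does not linger.
async function submitLogin(sdk, form, storage, customMessages) {
  const reply = await sdk.login(form.email.value, form.password.value);
  const result = handleLoginResponse(reply, storage, customMessages);
  form.password.value = '';
  return result;
}

// Activation page: pull the token from the query string before calling the
// (assumed) sdk.activate. A link without a token is rejected instead of sending ''.
function activationTokenFromUrl(href, param = 'token') {
  const token = new URL(href).searchParams.get(param);
  if (!token) throw new Error('activation link is missing the ' + param + ' parameter');
  return token;
}

async function activateFromLocation(sdk, href) {
  return sdk.activate(activationTokenFromUrl(href));
}
```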
Best practices
- Do not store any credential data on another server or on the local device. The user should sign in later, after he has confirmed the email address.
- Define the email templates in the schmuckliCloud console.