Authentication Pages
The Authentication Pages provide the login, registration, multi-factor authentication, and password reset interfaces for the Control Plane UI. These pages integrate with the IAM Service for credential validation, token management, and session lifecycle.
Pages
| Page | Route | Purpose |
|---|---|---|
| Login | /auth/login | Email/password authentication |
| Register | /auth/register | New user registration (invite-only) |
| MFA | /auth/mfa | Multi-factor authentication challenge |
| Password Reset | /auth/reset-password | Request and confirm password reset |
| SSO Callback | /auth/sso/callback | OAuth2/OIDC SSO redirect handler |
Login Flow
The login page supports multiple authentication methods:
```typescript
interface LoginRequest {
  email: string;
  password: string;
  remember_me?: boolean;
}

interface LoginResponse {
  access_token: string;
  refresh_token: string;
  user: {
    id: string;
    email: string;
    name: string;
    roles: string[];
    tenant_id: string;
  };
  mfa_required: boolean;
}
```
Authentication Methods
| Method | Configuration | Description |
|---|---|---|
| Email/Password | Default | Standard credential authentication |
| SSO (OIDC) | Per-tenant | Enterprise SSO via OpenID Connect |
| SSO (SAML) | Per-tenant | Enterprise SSO via SAML 2.0 |
| API Key | Service accounts | Non-interactive service authentication |
MFA Support
When MFA is enabled for a user, the login flow redirects to the MFA challenge page:
| MFA Method | Description |
|---|---|
| TOTP | Time-based one-time password (Google Authenticator, Authy) |
| SMS | One-time code sent via SMS |
| Email | One-time code sent via email |
| Recovery codes | Pre-generated backup codes |
Token Management
Tokens are managed through the shared API client:
```typescript
// Token cookies are written with Secure and SameSite=Strict (never localStorage).
// Note: document.cookie cannot set HttpOnly; that flag has to come from the IAM
// Service's Set-Cookie response, which is what the Security Considerations table requires.
const setTokens = (access: string, refresh: string) => {
  document.cookie = `access_token=${access}; Secure; SameSite=Strict; Path=/`;
  document.cookie = `refresh_token=${refresh}; Secure; SameSite=Strict; Path=/`;
};

// Automatic token refresh: on a 401, refresh once and replay the original request.
apiClient.interceptors.response.use(
  (response) => response,
  async (error) => {
    const original = error.config;
    if (original && error.response?.status === 401 && !original._retry) {
      original._retry = true;   // guard: a 401 on the replayed request is not retried again
      await refreshToken();     // a failed refresh rejects here and propagates to the caller
      return apiClient.request(original);
    }
    throw error;
  }
);
```
Registration
Registration is invite-only in multi-tenant mode. An administrator sends an invitation which generates a time-limited registration link:
```typescript
interface RegistrationRequest {
  email: string;
  password: string;
  name: string;
  invitation_code: string;
}
```
Password Reset
The password reset flow uses a two-step process:
- Request: User submits email address, receives reset link
- Confirm: User clicks link, sets new password with the reset token
Security Considerations
| Feature | Implementation |
|---|---|
| CSRF protection | SameSite cookies + CSRF token header |
| Brute force protection | Rate limiting on login attempts (5 per minute) |
| Password policy | Minimum 12 characters, complexity requirements |
| Session timeout | Configurable idle timeout (default 30 minutes) |
| Secure storage | Tokens in HTTP-only cookies, never localStorage |
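The refresh interceptor in Token Management and the session-timeout row above both hinge on what the client does when a 401 arrives. As an added example (not the project's own code), here is that 401 -> refresh -> retry logic with a single-flight refresh and a one-retry guard; `Req`, `Res`, `createRefreshingClient` and `onSessionLost` are hypothetical names, and the IAM Service is assumed to set the HttpOnly cookies itself, so token values never pass through this code.

```typescript
// Added example, not the project's own code: the 401 -> refresh -> retry logic from
// Token Management rebuilt with a single-flight refresh and a one-retry guard. Req, Res,
// createRefreshingClient and onSessionLost are hypothetical; the IAM Service is assumed
// to set the HttpOnly cookies itself, so token values never pass through this code.
interface Req { url: string; retried?: boolean }
interface Res { status: number; body?: string }
function createRefreshingClient(
  send: (req: Req) => Promise<Res>,        // stand-in for apiClient.request
  refreshSession: () => Promise<boolean>,  // stand-in for refreshToken(); true on success
  onSessionLost: () => void,               // e.g. clear UI state and go to /auth/login
) {
  let inflight: Promise<boolean> | null = null;
  // Single-flight: concurrent 401s share one refresh call instead of racing each other.
  const refreshOnce = (): Promise<boolean> => {
    if (inflight === null) {
      inflight = (async () => {
        try { return await refreshSession(); }
        catch (_err) { return false; }       // network error or 5xx on refresh = failed refresh
        finally { inflight = null; }
      })();
    }
    return inflight;
  };
  const request = async (req: Req): Promise<Res> => {
    const res = await send(req);
    if (res.status !== 401) return res;
    if (req.retried || !(await refreshOnce())) {
      onSessionLost();                       // already retried once, or refresh failed: stop
      return res;                            // (an unguarded interceptor would loop on a second 401)
    }
    return request({ ...req, retried: true });
  };
  return request;
}
// Constructed scenario: the session is invalid until refreshSession() runs, then valid.
async function demoConcurrent() {
  let valid = false, refreshCalls = 0, lost = 0;
  const send = async (req: Req): Promise<Res> => ({ status: valid ? 200 : 401, body: req.url });
  const refresh = async () => { refreshCalls++; valid = true; return true; };
  const client = createRefreshingClient(send, refresh, () => { lost++; });
  const out = await Promise.all([client({ url: '/a' }), client({ url: '/b' }), client({ url: '/c' })]);
  return { statuses: out.map(r => r.status).join(','), refreshCalls, lost };
}
// Constructed scenario: refresh reports success but the server keeps answering 401.
async function demoStillUnauthorized() {
  let sends = 0, lost = 0;
  const send = async (_req: Req): Promise<Res> => { sends++; return { status: 401 }; };
  const client = createRefreshingClient(send, async () => true, () => { lost++; });
  return { status: (await client({ url: '/a' })).status, sends, lost };
}
```

Three requests that all hit a 401 at once produce exactly one refresh call, and a replayed request that is still rejected ends the session instead of looping.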