User Authentication and Authorization Flow
+---------------------------------+
|              Start              |
+---------------------------------+
                |
                v
+---------------------------------+
|          User Logs In           |
+---------------------------------+
                |
                v
+---------------------------------+
|        Input Validation         |
+---------------------------------+
           /          \
   Valid Input     Invalid Input
        |                |
        v                v
+------------------+  +-----------------+
| Fetch User Data  |  | Show Error Msg  |
+------------------+  +-----------------+
        |
        v
+-------------------------+
|    Check User Exists    |
+-------------------------+
        /         \
  User Exists   User Not Found
       |              |
       v              v
+----------------+  +-----------------+
| Check Password |  | Show Error Msg  |
+----------------+  +-----------------+
        |
        v
+---------------------+
|  Password Matches   |
+---------------------+
        |
        v
+------------------+
| Encrypt Session  |
|      Data        |
+------------------+
        |
        v
+-----------------+
| Create Session  |
+-----------------+
        |
        v
+--------------------+
| Set Session Cookie |
+--------------------+
        |
        v
+-------------------------+
|   Return Session Data   |
|         and URL         |
+-------------------------+
        |
        v
+---------------------------------+
|          Session Check          |
+---------------------------------+
          /               \
         v                 v
+---------------------------+  +---------------------------+
|      Invalid Session      |  |       Valid Session       |
|    Show Error Message     |  |    Check User Approval    |
+---------------------------+  +---------------------------+
             |                          /            \
             v                         v              v
+---------------------------+  +------------------+  +---------------------------+
|    Show Error Message     |  |  User Approved   |  |     User Not Approved     |
|                           |  |  Display Content |  |  Show Access Denied Msg   |
+---------------------------+  +------------------+  +---------------------------+
Detailed Middleware and Route Handling
Middleware Flow
- Start: The process begins when a request is made to a protected route.
- Route Matching: The middleware checks if the request matches any of the protected routes (e.g., /finance, /registry).
- Clerk Middleware for Finance Routes: If the route is matched, the Clerk middleware handles authentication.
- Authenticate User: Clerk middleware authenticates the user.
- Proceed to Next Middleware: If authenticated, proceed to the next middleware.
- Custom Authentication for Other Routes: If the route is not matched by Clerk, custom authentication logic is applied.
- Get Session Data: Fetch session data from the request.
- Check if Logged In: Verify if the user is logged in.
- Public Route: If the route is public, allow access.
- Authentication Route: If the route is for authentication (e.g., login, register), redirect logged-in users to the default login redirect.
- API Authentication: Allow API authentication routes to pass without further checks.
- Protected Route: For protected routes, check if the user is logged in.
- Update Session: Update session data for logged-in users.
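The middleware decisions listed above, carried through as an added example that is not the project's own middleware: a framework-free TypeScript model of route matching, the Clerk hand-off, the login check and the session update. The page names /finance and /registry as the Clerk-handled routes; the other route tables, the IncomingRequest shape, the redirect targets and the session TTL are assumptions made for this illustration. It goes one step beyond the list by treating an expired session the same as no session, and by matching route prefixes on whole path segments so that a path such as /financex is not mistaken for /finance.

```typescript
// Added example, not the project's own middleware: a framework-free model of the
// route matching and session decisions in the Middleware Flow list.
// The route tables (other than /finance and /registry), the IncomingRequest
// shape, the redirect targets and the TTL are constructed assumptions.

interface SessionData {
  userId: string;
  expiresAt: number; // epoch milliseconds
}

interface IncomingRequest {
  path: string;
  session: SessionData | null; // parsed from the request's session cookie
  now: number;                 // injected clock so the logic runs offline
}

type Decision =
  | { action: "clerk" }                        // hand off to the Clerk middleware
  | { action: "allow" }                        // public route or API auth route
  | { action: "redirect"; to: string }         // login page or default login redirect
  | { action: "next"; session: SessionData };  // protected route, session refreshed

const CLERK_PREFIXES = ["/finance", "/registry"]; // named on the page
const PUBLIC_ROUTES = ["/", "/about"];             // assumed
const AUTH_ROUTES = ["/login", "/register"];       // assumed
const API_AUTH_PREFIX = "/api/auth";               // assumed
const DEFAULT_LOGIN_REDIRECT = "/dashboard";       // assumed
const LOGIN_PAGE = "/login";                       // assumed
const SESSION_TTL_MS = 30 * 60 * 1000;             // assumed

// Match on whole path segments so "/financex" is not treated as "/finance".
function matchesPrefix(path: string, prefix: string): boolean {
  return path === prefix || path.startsWith(prefix + "/");
}

function handleRequest(req: IncomingRequest): Decision {
  // Route Matching -> Clerk Middleware for Finance Routes
  if (CLERK_PREFIXES.some((p) => matchesPrefix(req.path, p))) {
    return { action: "clerk" };
  }

  // Custom Authentication for Other Routes: Get Session Data / Check if Logged In
  const session = req.session;
  const loggedIn = session !== null && session.expiresAt > req.now;

  // API Authentication: pass without further checks
  if (matchesPrefix(req.path, API_AUTH_PREFIX)) {
    return { action: "allow" };
  }
  // Authentication Route: a logged-in user is sent to the default login redirect
  if (AUTH_ROUTES.includes(req.path)) {
    return loggedIn ? { action: "redirect", to: DEFAULT_LOGIN_REDIRECT } : { action: "allow" };
  }
  // Public Route
  if (PUBLIC_ROUTES.includes(req.path)) {
    return { action: "allow" };
  }
  // Protected Route: an anonymous or expired session is redirected to login
  if (session === null || !loggedIn) {
    return { action: "redirect", to: LOGIN_PAGE };
  }
  // Update Session: sliding expiry for the logged-in user
  return { action: "next", session: { userId: session.userId, expiresAt: req.now + SESSION_TTL_MS } };
}
```

The clock is passed in rather than read from Date.now() so the expiry branch can be exercised deterministically; the same shape lets the real middleware be unit-tested against a fixed time.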
+---------------------------------+
|              Start              |
+---------------------------------+
                |
                v
+---------------------------------+
|         Route Matching          |
+---------------------------------+
                |
                v
+-------------------------------------------+
|    Clerk Middleware for Finance Routes    |
+-------------------------------------------+
            /                \
    Authenticated     User Not Authenticated
          |                     |
          v                     v
+--------------------+  +--------------------+
|  Proceed to Next   |  |   Show Error Msg   |
|     Middleware     |  +--------------------+
+--------------------+
          |
          v
+---------------------------------+
| Custom Authentication for Other |
|             Routes              |
+---------------------------------+
          |
          v
+-------------------------+
|    Get Session Data     |
+-------------------------+
          |
          v
+-------------------------+
|   Check if Logged In    |
+-------------------------+
        /          \
   Logged In    Not Logged In
       |              |
       v              v
+-----------------+  +---------------------------+
| Proceed to Next |  |  Redirect to Login Page   |
|      Step       |  +---------------------------+
+-----------------+
        |
        v
+---------------------------+
|   Check if Public Route   |
+---------------------------+
        /            \
  Public Route   Protected Route
       |               |
       v               v
+-----------------+  +-------------------------+
|  Allow Access   |  |   Check if Logged In    |
+-----------------+  +-------------------------+
                           /            \
                      Logged In    Not Logged In
                          |              |
                          v              v
                +-------------------+  +------------------+
                |  Update Session   |  | Redirect to Login|
                +-------------------+  +------------------+
                          |
                          v
                +-------------------------+
                |  Proceed to Requested   |
                |          Route          |
                +-------------------------+
Authentication Logic Details
- Input Validation: Uses LoginSchema to validate the user's input fields (email and password). Ensures that the input meets the required format and constraints.
- Fetch User Data: Queries the database to retrieve the user data associated with the provided email. Uses the getUserByEmail function to fetch the user data.
- Check Password: Compares the provided password with the stored hashed password. Uses bcrypt.compare to securely compare the passwords.
- Encrypt Session Data: Encrypts the user data and session expiry date to create a session token. Uses the encrypt function to perform encryption.
- Set Session Cookie: Sets the session token in an HTTP-only cookie to ensure secure storage. Uses cookies().set to set the cookie with the httpOnly flag.
Authorization Logic Details
- Session Check: Verifies the validity of the user's session.
- Check User Approval: Checks if the user's ID is in the list of approved IDs for the requested path.
- User Approved: Grants access to the requested content if the user is approved.
- User Not Approved: Denies access and shows an access denied message if the user is not approved.
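The Authentication Logic Details (Input Validation through Set Session Cookie) and the Authorization Logic Details (Session Check and Check User Approval) carried through in one self-contained TypeScript example. This is added code, not the project's own: it uses Node's scrypt in place of bcrypt.compare, AES-256-GCM in place of the page's encrypt function, an in-memory map in place of getUserByEmail, a hand-written check in place of LoginSchema, and a small CookieJar interface in place of cookies().set; the user record, the session key and the per-path approval lists are constructed. It also covers two failure modes the lists leave implicit: a tampered session cookie fails the Session Check because the GCM authentication tag no longer verifies, and an expired session is rejected server-side regardless of the cookie's own expiry attribute.

```typescript
// Added example, not the project's own code. Stand-ins (assumptions): scrypt for
// bcrypt.compare, AES-256-GCM for encrypt, a Map for getUserByEmail, a manual
// check for LoginSchema, a CookieJar interface for cookies().set. Data is constructed.
import { scryptSync, randomBytes, timingSafeEqual, createCipheriv, createDecipheriv } from "node:crypto";

interface User { id: string; email: string; passwordHash: string } // hash stored as "saltHex:hashHex"

// Input Validation: minimal equivalent of the page's LoginSchema.
function validateLogin(input: { email?: unknown; password?: unknown }): { email: string; password: string } | null {
  const { email, password } = input;
  if (typeof email !== "string" || typeof password !== "string") return null;
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email) || password.length < 8 || password.length > 128) return null;
  return { email: email.toLowerCase(), password };
}

function hashPassword(password: string, salt: Buffer = randomBytes(16)): string {
  return salt.toString("hex") + ":" + scryptSync(password, salt, 32).toString("hex");
}

// Check Password: constant-time comparison of the derived key (stand-in for bcrypt.compare).
function verifyPassword(password: string, stored: string): boolean {
  const [saltHex, hashHex] = stored.split(":");
  if (!saltHex || !hashHex) return false;
  const candidate = scryptSync(password, Buffer.from(saltHex, "hex"), 32);
  const expected = Buffer.from(hashHex, "hex");
  return candidate.length === expected.length && timingSafeEqual(candidate, expected);
}

// Fetch User Data: constructed store standing in for getUserByEmail.
const USERS = new Map<string, User>([
  ["alice@example.com", { id: "user-1", email: "alice@example.com", passwordHash: hashPassword("correct horse battery") }],
]);
function getUserByEmail(email: string): User | undefined { return USERS.get(email); }

// Encrypt Session Data: AES-256-GCM over { userId, expiresAt }; IV and auth tag travel with the ciphertext.
const SESSION_KEY = randomBytes(32); // constructed; a deployment loads this from secret storage
interface SessionPayload { userId: string; expiresAt: number }

function encryptSession(payload: SessionPayload): string {
  const iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", SESSION_KEY, iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(payload), "utf8"), cipher.final()]);
  return [iv, cipher.getAuthTag(), ct].map((b) => b.toString("base64url")).join(".");
}

// Session Check: a modified token fails the tag check; an expired payload is rejected too.
function decryptSession(token: string, now: number): SessionPayload | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  try {
    const [iv, tag, ct] = parts.map((p) => Buffer.from(p, "base64url"));
    const decipher = createDecipheriv("aes-256-gcm", SESSION_KEY, iv);
    decipher.setAuthTag(tag);
    const payload = JSON.parse(Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8")) as SessionPayload;
    return payload.expiresAt > now ? payload : null;
  } catch {
    return null; // bad base64, wrong length, failed authentication or malformed JSON
  }
}

// Set Session Cookie: httpOnly as on the page, plus secure and sameSite.
interface CookieJar {
  set(name: string, value: string, opts: { httpOnly: boolean; secure: boolean; sameSite: "lax"; expires: Date }): void;
}

function login(input: { email?: unknown; password?: unknown }, cookies: CookieJar, now: number):
  { ok: true; redirectUrl: string } | { ok: false; error: string } {
  const valid = validateLogin(input);
  if (!valid) return { ok: false, error: "Invalid input" };
  const user = getUserByEmail(valid.email);
  // One message for unknown user and wrong password so the response does not reveal which failed.
  if (!user || !verifyPassword(valid.password, user.passwordHash)) return { ok: false, error: "Invalid credentials" };
  const expiresAt = now + 30 * 60 * 1000;
  const token = encryptSession({ userId: user.id, expiresAt }); // Create Session
  cookies.set("session", token, { httpOnly: true, secure: true, sameSite: "lax", expires: new Date(expiresAt) });
  return { ok: true, redirectUrl: "/dashboard" }; // Return Session Data and URL
}

// Check User Approval: per-path list of approved user IDs (constructed).
const APPROVED: Record<string, string[]> = { "/registry": ["user-1"], "/finance": ["user-2"] };

function authorize(token: string | undefined, path: string, now: number): "ok" | "invalid-session" | "access-denied" {
  const session = token ? decryptSession(token, now) : null;
  if (!session) return "invalid-session";
  return (APPROVED[path] ?? []).includes(session.userId) ? "ok" : "access-denied";
}
```

Two choices worth noting: the expiry is stored inside the encrypted payload and checked in decryptSession, so a client cannot extend its own session by keeping an old cookie, and the user-not-found and password-mismatch branches of the diagram return the same message so the login response does not confirm which e-mail addresses exist.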
Overall Flow Description
- Start: The process begins when a request is made.
- User Logs In: The user attempts to log in.
- Input Validation: Validate the input fields.
- Fetch User Data: Retrieve user data from the database.
- Check User Exists: Verify if the user exists.
- Check Password: Compare the provided password with the stored hashed password.
- Encrypt Session Data: Encrypt user data and session expiry date.
- Create Session: Generate a session token.
- Set Session Cookie: Save the session token in an HTTP-only cookie.
- Return Session Data and URL: Return the session data and redirect URL.
- Session Check: Verify the user's session validity.
- Check User Approval: Check if the user is approved for the requested path.
Middleware Flow
- Start: Process begins when a request is made to a protected route.
- Route Matching: Middleware checks if the request matches any protected routes.
- Clerk Middleware: Handles authentication for finance-related routes.
- Custom Authentication: Handles authentication for other routes.
- Get Session Data: Fetch session data.
- Check if Logged In: Verify if the user is logged in.
- Public Route: Allow access to public routes.
- Authentication Route: Redirect logged-in users from authentication routes.
- API Authentication: Allow API authentication routes.
- Protected Route: Check if the user is logged in for protected routes.
- Update Session: Update session data for logged-in users.
- Proceed to Requested Route: Allow access to the requested route.