Email & Password Login
Feature Detail
Description
Standard email and password authentication for the Meander platform MVP. Users sign in with their organization-issued email address and password and receive a short-lived JWT access token plus a rotating refresh token, both managed by the Authentication Module. This baseline login is available in the mobile app and the admin portal and establishes the complete auth flow (issuance, silent refresh, revocation) before BankID and Vipps are introduced as external identity providers.
Analysis
Email and password login is the single largest MVP unlocker: every subsequent workflow - activity registration, admin dashboards, Bufdir reporting - depends on a working authenticated session. Shipping this first eliminates the critical-path blocker with no external service dependencies and zero third-party cost. It also gives the team a fully exercised auth flow (issuance, refresh, revocation, per-tenant key isolation) before layering in BankID and Vipps, substantially reducing the integration risk and security surface area of later phases and avoiding rework of core session logic.
Implemented inside the Authentication Module as a REST endpoint pair: POST /auth/login and POST /auth/refresh. Passwords are stored as bcrypt hashes at cost factor 12 or higher. Access tokens are short-lived JWTs (15-minute TTL); refresh tokens are opaque values stored in the sessions and refresh_tokens tables and rotated on every use with single-use enforcement, so a refresh token presented again after it has been rotated is rejected. The mobile app stores tokens in the platform secure store via Flutter; the admin portal uses HttpOnly cookies, which keeps tokens out of reach of page scripts but means the portal's state-changing requests also need CSRF protection. Per-tenant signing key isolation is enforced from first deployment to satisfy the portability requirement of the Authentication Module.
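The following is an added example, not Meander's Authentication Module code, modelling the login/refresh/revoke flow described above in plain Python so it runs offline. Its stand-ins are assumptions: pbkdf2_hmac replaces bcrypt at cost 12, in-memory dicts replace the sessions and refresh_tokens tables, a hand-rolled HS256 signer replaces a JWT library, only the hash of each opaque refresh token is stored, and the policy of revoking a whole session family when a rotated token is replayed is one reasonable reading of "single-use enforcement", not something the spec states. Class and method names (AuthModule, login, refresh, revoke, verify_access) are hypothetical.

```python
# Added illustration of the login/refresh/revoke flow; not project code.
# Assumptions: pbkdf2_hmac stands in for bcrypt, dicts stand in for the
# sessions/refresh_tokens tables, HS256 is hand-rolled for readability.
import base64, hashlib, hmac, json, os, secrets, time

ACCESS_TTL = 15 * 60          # 15-minute access token, as in the spec
REFRESH_TTL = 30 * 24 * 3600  # assumed refresh-token lifetime (not in the spec)


def _b64(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class AuthError(Exception):
    pass


class AuthModule:
    def __init__(self):
        self.tenant_keys = {}     # tenant_id -> HS256 key (per-tenant isolation)
        self.users = {}           # email -> {tenant, salt, pw_hash}
        self.refresh_tokens = {}  # sha256(token) -> {user, tenant, family, exp, used, revoked}

    def add_tenant(self, tenant_id):
        self.tenant_keys[tenant_id] = secrets.token_bytes(32)

    def register(self, email, password, tenant_id):
        salt = os.urandom(16)
        self.users[email] = {"tenant": tenant_id, "salt": salt,
                             "pw_hash": self._hash_pw(password, salt)}

    @staticmethod
    def _hash_pw(password, salt):
        # Stand-in for bcrypt(cost>=12); use bcrypt in production.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _sign_access(self, tenant, email, now):
        header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        payload = _b64(json.dumps({"sub": email, "tid": tenant, "iat": now,
                                   "exp": now + ACCESS_TTL}).encode())
        sig = hmac.new(self.tenant_keys[tenant], f"{header}.{payload}".encode(),
                       hashlib.sha256).digest()
        return f"{header}.{payload}.{_b64(sig)}"

    def verify_access(self, tenant, token, now=None):
        """Verify a JWT against the key of the tenant the request claims to be for."""
        now = now or int(time.time())
        try:
            header, payload, sig = token.split(".")
        except ValueError:
            raise AuthError("malformed token")
        expected = hmac.new(self.tenant_keys[tenant], f"{header}.{payload}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            raise AuthError("bad signature")  # also fails for another tenant's key
        claims = json.loads(_unb64(payload))
        if claims["exp"] <= now or claims["tid"] != tenant:
            raise AuthError("expired or wrong tenant")
        return claims

    def _issue_refresh(self, email, tenant, family, now):
        raw = secrets.token_urlsafe(32)  # opaque; only its hash is stored
        self.refresh_tokens[hashlib.sha256(raw.encode()).hexdigest()] = {
            "user": email, "tenant": tenant, "family": family,
            "exp": now + REFRESH_TTL, "used": False, "revoked": False}
        return raw

    def login(self, email, password, now=None):
        """POST /auth/login -> (access_jwt, refresh_token)"""
        now = now or int(time.time())
        user = self.users.get(email)
        # Hash even for unknown users so timing does not reveal which emails exist.
        candidate = self._hash_pw(password, user["salt"] if user else os.urandom(16))
        if user is None or not hmac.compare_digest(user["pw_hash"], candidate):
            raise AuthError("invalid credentials")
        family = secrets.token_hex(8)  # one family per login session
        return (self._sign_access(user["tenant"], email, now),
                self._issue_refresh(email, user["tenant"], family, now))

    def refresh(self, refresh_token, now=None):
        """POST /auth/refresh: rotate the refresh token, enforcing single use."""
        now = now or int(time.time())
        rec = self.refresh_tokens.get(hashlib.sha256(refresh_token.encode()).hexdigest())
        if rec is None or rec["revoked"] or rec["exp"] <= now:
            raise AuthError("invalid refresh token")
        if rec["used"]:
            # Replay of an already-rotated token: assumed policy is to treat it
            # as theft and revoke every token descended from the same login.
            self._revoke_family(rec["family"])
            raise AuthError("refresh token reuse detected; session revoked")
        rec["used"] = True
        return (self._sign_access(rec["tenant"], rec["user"], now),
                self._issue_refresh(rec["user"], rec["tenant"], rec["family"], now))

    def revoke(self, refresh_token):
        """Logout: revoke the whole session family this token belongs to."""
        rec = self.refresh_tokens.get(hashlib.sha256(refresh_token.encode()).hexdigest())
        if rec:
            self._revoke_family(rec["family"])

    def _revoke_family(self, family):
        for r in self.refresh_tokens.values():
            if r["family"] == family:
                r["revoked"] = True
```

Two points the flow depends on are visible here: verification is done with the key of the tenant the request is scoped to, so a token minted under one tenant's key fails signature verification under any other tenant's key, and the database only ever holds hashes of refresh tokens, so a read of the refresh_tokens table does not yield usable credentials. The 15-minute access TTL also bounds how long a revoked session keeps working, since access tokens are not checked against the store.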
Components (41)
Shared Components
These components are reused across multiple features
User Interface (9)
Service Layer (15)
Data Layer (8)
Infrastructure (7)
User Stories
No user stories have been generated for this feature yet.