Authentication UX Flow (Website)
This document defines how the website handles authentication from a UX perspective.
Shared contract:
Authoritative website contract:
1) Website role (strict)
The website:
- redirects unauthenticated users to login
- hides or disables UI based on best-effort session knowledge
The website does not enforce security; enforcement belongs to the API, which sees every request regardless of what the UI showed.
2) Canonical website flow
Request
↓
Website routing
↓
API requests with credentials
↓
API enforces authentication and authorization
↓
Website renders result or redirects
3) Non-negotiable rules
- The website MUST NOT claim authorization.
- The website MUST NOT trust client state for enforcement.
- Every write still relies on the API to accept or reject.
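The canonical flow in section 2 and the rules in section 3 come together in the following added example, which is illustration written for this document and not code from the project. It assumes a hypothetical `/api/posts` endpoint, cookie-named sessions (`sess-alice`, `sess-bob`) and a simulated API (`simulatedApi`) standing in for the real one; all of those names and the session table are constructed for the example. The website side (`uiHints`, `apiRequest`) only hides a button and reacts to the API's verdict: a client-side session object that falsely claims the editor role still shows the button, and the write is still rejected by the API.

```javascript
// Added example, not the project's own code. Endpoint, session ids and roles
// are constructed for illustration.

// --- Simulated API side (constructed stand-in for the real API) ---
// Session lookup and authorization live here, never in the website.
const SESSIONS = {
  "sess-alice": { user: "alice", roles: ["editor"] },
  "sess-bob": { user: "bob", roles: ["viewer"] },
};

function simulatedApi(method, path, cookie) {
  const session = SESSIONS[cookie];
  if (!session) return { status: 401, body: { error: "unauthenticated" } };
  if (method === "POST" && path === "/api/posts") {
    // Authorization is decided from the server-side session, not from anything
    // the client sent about itself.
    if (!session.roles.includes("editor")) return { status: 403, body: { error: "forbidden" } };
    return { status: 201, body: { ok: true, author: session.user } };
  }
  if (method === "GET" && path === "/api/posts") return { status: 200, body: { posts: [] } };
  return { status: 404, body: { error: "not found" } };
}

// --- Website side ---
// Best-effort UI gating: decides only what to render. A stale or tampered
// client-side session object can at most show a button the API then rejects.
function uiHints(clientSession) {
  const isEditor = Boolean(clientSession && clientSession.roles.includes("editor"));
  return { showNewPostButton: isEditor };
}

// Every API request forwards credentials and lets the API decide. The website
// reacts to the verdict: 401 -> redirect to login, 403 -> render a denied state,
// 2xx -> render the result. No branch here grants or refuses anything itself.
function apiRequest(method, path, ctx) {
  const res = ctx.transport(method, path, ctx.cookie);
  if (res.status === 401) {
    ctx.redirect("/login?next=" + encodeURIComponent(path));
    return { outcome: "redirected" };
  }
  if (res.status === 403) return { outcome: "forbidden" };
  if (res.status >= 200 && res.status < 300) return { outcome: "rendered", body: res.body };
  return { outcome: "error", status: res.status };
}

// Runs one website request: what the UI would show, what the API answered,
// and any redirect the website issued.
function scenario(cookie, clientSession) {
  const redirects = [];
  const ctx = { cookie, transport: simulatedApi, redirect: (url) => redirects.push(url) };
  return {
    hints: uiHints(clientSession),
    write: apiRequest("POST", "/api/posts", ctx),
    redirects,
  };
}

// Bob's browser holds a tampered client session claiming "editor": the button
// appears, but the API still answers 403 because its own session says "viewer".
console.log(scenario("sess-bob", { user: "bob", roles: ["editor"] }));
// No cookie at all: the website redirects to login with the intended path.
console.log(scenario(undefined, null));
// Alice really is an editor: the write is accepted and rendered.
console.log(scenario("sess-alice", { user: "alice", roles: ["editor"] }));
```

The point of the tampered-session case is rule 3: client state only feeds `uiHints`, and nothing in `apiRequest` consults it, so the only way a write succeeds is for the API to accept the credentials it was sent.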
Related:
- Website blockers: docs/architecture/website/BLOCKERS.md
- Client state rules: docs/architecture/website/CLIENT_STATE.md