# Authentication UX Flow (Website)

This document defines how the website handles authentication from a UX perspective.

Shared contract:

- [`docs/architecture/shared/AUTH_CONTRACT.md`](docs/architecture/shared/AUTH_CONTRACT.md:1)

Authoritative website contract:

- [`docs/architecture/website/WEBSITE_CONTRACT.md`](docs/architecture/website/WEBSITE_CONTRACT.md:1)

## 1) Website role (strict)

The website:

- redirects unauthenticated users to login
- hides or disables UI based on best-effort session knowledge

The website does not enforce security.

## 2) Canonical website flow

```text
Request
↓
Website routing
↓
API requests with credentials
↓
API enforces authentication and authorization
↓
Website renders result or redirects
```

## 3) Non-negotiable rules

1. The website MUST NOT claim authorization.
2. The website MUST NOT trust client state for enforcement.
3. Every write still relies on the API to accept or reject.
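
As an added example (not code from the website repo or its contract documents), a minimal client helper that follows the flow in section 2 and the rules above: session state only picks what to render, every API call carries credentials, and the API's status code decides the outcome. The `/login` route, the `/api/posts/:id` path and the injected `fetchImpl` stand-in are assumptions.

```javascript
const LOGIN_PATH = "/login"; // assumed route, not from the contract

// Best-effort gating: session knowledge only picks what to render.
// It grants nothing; an unauthenticated user is sent to login.
function routeFor(session, requestedPath) {
  if (!session || !session.userId) {
    return { path: LOGIN_PATH, reason: "unauthenticated" };
  }
  return { path: requestedPath, reason: "render" };
}
// Maps the API's answer to a UI outcome. The website only reacts to
// the status; it does not pre-decide authorization from cached roles.
function outcomeForStatus(status) {
  if (status === 401) return { outcome: "redirect", to: LOGIN_PATH };
  if (status === 403) return { outcome: "forbidden" };
  if (status >= 200 && status < 300) return { outcome: "ok" };
  return { outcome: "error", status };
}
// Every API request carries credentials (credentials: "include").
// fetchImpl is injected so the example runs without browser or network.
async function apiRequest(fetchImpl, method, path, body) {
  const res = await fetchImpl(path, {
    method,
    credentials: "include",
    headers: { "Content-Type": "application/json" },
    body: body === undefined ? undefined : JSON.stringify(body),
  });
  const result = outcomeForStatus(res.status);
  if (result.outcome === "ok") result.data = await res.json();
  return result;
}
// Constructed stand-in for the API: only editors may write. This check
// lives server-side; the website never makes it.
function makeFakeApi(serverSideRole) {
  return async (path, opts) => {
    const isWrite = opts.method !== "GET";
    if (!serverSideRole) return { status: 401, json: async () => ({}) };
    if (isWrite && serverSideRole !== "editor") {
      return { status: 403, json: async () => ({}) };
    }
    return { status: 200, json: async () => ({ path, saved: isWrite }) };
  };
}
// A write from the website: a cached session claiming "editor" changes
// nothing here; the API accepts or rejects with its own view of the user.
async function saveTitle(fetchImpl, postId, title) {
  return apiRequest(fetchImpl, "PUT", `/api/posts/${postId}`, { title });
}
```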

Related:

- Website blockers: [`docs/architecture/website/BLOCKERS.md`](docs/architecture/website/BLOCKERS.md:1)
- Client state rules: [`docs/architecture/website/CLIENT_STATE.md`](docs/architecture/website/CLIENT_STATE.md:1)