How do users login?

To perform a standard login, users need to enter their email address and password into the login form, located on the login page.

Where are the form values submitted?

The login form values are submitted to the serverless function located at /api/auth/login. This function performs the following tasks:

  • Sends a GraphQL request to the configured Kraken endpoint.
  • Validates the expected response from the Kraken endpoint.
  • Stores the received accessToken and refreshToken in the browser's cookie storage.
  • Handles any errors returned in the response.

How are the tokens stored?

The accessToken and refreshToken are both stored within the browser's cookie storage.

How are the tokens used?

The access token is sent in all subsequent requests to the Kraken endpoint. It is transmitted in the request headers, in the Authorization header.

When a user visits a route that requires the access token, the middleware checks if the access token is stored in a cookie. If it is not, the ObtainKrakenToken mutation is triggered to retrieve a new access token.

The refresh token will only be used to retrieve a new access token following the expiry of the existing access token.

What happens when a token expires?

accessToken expiry

When the access token expires, a new value is obtained from the Kraken endpoint. This is done by sending a GraphQL request with the refresh token as the input value.

refreshToken expiry

When a refreshToken expires, the user is required to log in again to obtain new tokens.
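The login, validation, cookie storage and refresh steps described above, as an added illustrative example that is not the project's own code. The obtainKrakenToken field names (token, refreshToken, refreshExpiresIn), the cookie names and the synchronous `post` stub for the Kraken endpoint are assumptions made for the example.

```javascript
// Added example (not the project's code). Kraken field names and cookie names are assumed.
const MUTATION = `mutation ObtainKrakenToken($input: ObtainJSONWebTokenInput!) {
  obtainKrakenToken(input: $input) { token refreshToken refreshExpiresIn }
}`;

// Validate before trusting the response: GraphQL answers HTTP 200 even on failure.
function validateTokenResponse(body) {
  if (!body || (Array.isArray(body.errors) && body.errors.length > 0)) {
    return { ok: false, error: body?.errors?.[0]?.message ?? 'empty response' };
  }
  const t = body.data?.obtainKrakenToken;
  if (typeof t?.token !== 'string' || typeof t?.refreshToken !== 'string') {
    return { ok: false, error: 'malformed token payload' };
  }
  return { ok: true, accessToken: t.token, refreshToken: t.refreshToken };
}

// Set-Cookie values for both tokens. HttpOnly keeps them out of page scripts,
// Secure keeps them off plaintext HTTP, SameSite=Strict blocks cross-site sends.
function tokenCookies({ accessToken, refreshToken }) {
  const attrs = 'Path=/; HttpOnly; Secure; SameSite=Strict';
  return [`accessToken=${accessToken}; ${attrs}`, `refreshToken=${refreshToken}; ${attrs}`];
}

// Call obtainKrakenToken with { email, password } or { refreshToken }; `post` is the injected Kraken call.
function obtainTokens(post, input) {
  return validateTokenResponse(post({ query: MUTATION, variables: { input } }));
}

// Parse a Cookie request header into a plain object.
function parseCookies(header) {
  return Object.fromEntries((header || '').split(';').map(s => s.trim()).filter(Boolean)
    .map(s => { const i = s.indexOf('='); return [s.slice(0, i), s.slice(i + 1)]; }));
}

// Middleware step: use the cookie's access token if present, otherwise refresh;
// if the refresh token is missing or rejected, the user must log in again.
function ensureAccessToken(post, cookieHeader) {
  const c = parseCookies(cookieHeader);
  if (c.accessToken) return { ok: true, accessToken: c.accessToken, refreshed: false };
  if (!c.refreshToken) return { ok: false, error: 'login required' };
  const r = obtainTokens(post, { refreshToken: c.refreshToken });
  return r.ok ? { ...r, refreshed: true } : { ok: false, error: 'login required' };
}

// Constructed stand-in for the Kraken endpoint; accepts one password and one refresh token.
const fakeKraken = ({ variables: { input } }) =>
  input.password === 'pw' || input.refreshToken === 'rt-valid'
    ? { data: { obtainKrakenToken: { token: 'at-new', refreshToken: 'rt-new', refreshExpiresIn: 3600 } } }
    : { errors: [{ message: 'Invalid credentials' }] };
```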

What happens when a user logs out?

Both accessToken and refreshToken are removed from the browser's cookie storage.