Auth Backend Service
Component Detail
Service Layer
high complexity · backend
Dependencies: 0 | Dependents: 0 | Entities: 5 | Integrations: 0
Description
Next.js server-side service handling the authentication business logic: verifying bcrypt-hashed passwords, issuing JWT access and refresh tokens, managing password reset tokens, and enforcing rate limiting. Serves both the mobile app (JWT in response body) and admin portal (JWT in HTTP-only cookies).
auth-backend-service
Responsibilities
- Verify email/password credentials using bcrypt comparison
- Issue signed JWT access tokens (short-lived) and refresh tokens (long-lived)
- Generate and validate time-limited password reset tokens sent via email
- Apply rate limiting and brute-force protection per IP and per account
- Set HTTP-only cookies for admin portal sessions; return tokens in response body for mobile
Interfaces
POST /api/v1/auth/login
POST /api/v1/auth/logout
POST /api/v1/auth/refresh
POST /api/v1/auth/forgot-password
POST /api/v1/auth/reset-password
verifyCredentials(email, password) → User
issueTokenPair(userId, role) → TokenPair
invalidateRefreshToken(token) → void
Sub-Components (1)
Rate Limiter Middleware (component, medium complexity)
Next.js middleware that enforces per-IP and per-account rate limits on all authentication endpoints to prevent brute-force attacks. Returns 429 Too Many Requests with a Retry-After header when limits are exceeded.
- Track failed login attempts per IP and per user account
- Block requests that exceed the configured threshold
- Return RFC-compliant 429 responses with retry guidance
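As an added example (not the project's own middleware code), the decision logic described above in plain JavaScript: failed-login counters kept per IP and per account over a sliding window, and the 429 / Retry-After result the middleware returns. The thresholds, the window length and the in-memory store are assumptions; the IP and e-mail values used are constructed.

```javascript
// Added example, not the project's code: per-IP and per-account failed-login
// counters with a sliding window, producing the 429 + Retry-After decision.
const LIMITS = {
  ip:      { max: 20, windowMs: 15 * 60 * 1000 }, // assumed: 20 failures per 15 min per IP
  account: { max: 5,  windowMs: 15 * 60 * 1000 }, // assumed: 5 failures per 15 min per account
};

// In-memory store: key -> timestamps (ms) of failures. Several Next.js instances
// would each enforce only their own share of the limit unless the store is shared.
const failures = new Map();

const ipKey = (ip) => `ip:${ip}`;
// Normalise so "Alice@Example.com" and "alice@example.com" share one counter.
const accountKey = (email) => `acct:${email.trim().toLowerCase()}`;

// Drop entries outside the window and return the remaining ones, oldest first.
function recent(key, windowMs, now) {
  const cutoff = now - windowMs;
  const kept = (failures.get(key) || []).filter((t) => t > cutoff);
  failures.set(key, kept);
  return kept;
}

// Record a failed credential check against both counters.
function recordFailure(ip, email, now = Date.now()) {
  recent(ipKey(ip), LIMITS.ip.windowMs, now).push(now);
  recent(accountKey(email), LIMITS.account.windowMs, now).push(now);
}

// Decide whether an attempt may proceed. retryAfter is whole seconds until the
// oldest counted failure ages out of the window (the value for the Retry-After header).
function checkLimit(ip, email, now = Date.now()) {
  const checks = [['ip', ipKey(ip)], ['account', accountKey(email)]];
  for (const [kind, key] of checks) {
    const { max, windowMs } = LIMITS[kind];
    const hits = recent(key, windowMs, now);
    if (hits.length >= max) {
      const secs = Math.ceil((hits[0] + windowMs - now) / 1000);
      return { allowed: false, retryAfter: Math.max(secs, 1), limitedBy: kind };
    }
  }
  return { allowed: true, retryAfter: 0, limitedBy: null };
}

// Shape of the 429 response; a Next.js middleware would return it as a NextResponse.
function tooManyRequests(retryAfter) {
  const headers = { 'Retry-After': String(retryAfter), 'Content-Type': 'application/json' };
  return { status: 429, headers, body: JSON.stringify({ error: 'Too Many Requests' }) };
}
```

Checking both keys means a single account stays protected even when attempts are spread over many IPs, while the per-IP counter catches one source trying many accounts.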
Related Data Entities (5)
Data entities managed by this component