Identity¶

User management and authentication service. Handles user CRUD, OAuth account linking, token lifecycle, transactional emails, and the notification system.

Architecture¶

The Identity service follows the standard repository pattern:

routes → service → repository → database

• Routes — FastAPI endpoints for user management, internal auth operations, and notifications
• Service — Business logic for password hashing, token rotation, email dispatch, and notification creation
• Repository — SQLAlchemy 2.0 async queries against the users, refresh_tokens, oauth_accounts, and notifications tables
• Consumer — Background asyncio.Task that subscribes to domain events and creates per-user notifications

Endpoints¶

Internal Endpoints (called by Gateway only)¶

These endpoints are not exposed through the gateway proxy. The gateway calls them directly during authentication flows.

Public Endpoints (proxied through Gateway)¶

See Notifications for full API reference and event mapping.

Auth Flows¶

Email/Password Login¶

sequenceDiagram
    participant Client
    participant Gateway
    participant Identity

    Client->>Gateway: POST /api/v1/auth/login {email, password}
    Gateway->>Identity: POST /internal/auth/login {email, password}
    Identity->>Identity: Verify bcrypt hash
    Identity->>Gateway: {user, refresh_token}
    Gateway->>Gateway: Sign JWT (15-min, HS256)
    Gateway->>Client: {access_token, refresh_token, user}

OAuth Login (GitHub/Google)¶

sequenceDiagram
    participant Client
    participant Gateway
    participant Provider as GitHub/Google
    participant Identity

    Client->>Gateway: GET /api/v1/auth/oauth/github
    Gateway->>Client: 302 → GitHub authorize URL (with state)

    Client->>Provider: User authorizes
    Provider->>Gateway: GET /callback?code=xxx&state=yyy

    Gateway->>Provider: Exchange code for access token
    Gateway->>Provider: Fetch user profile

    Gateway->>Identity: POST /internal/auth/oauth/find
    alt User exists
        Identity->>Gateway: {user}
    else New user
        Gateway->>Identity: POST /internal/auth/register
        Gateway->>Identity: POST /internal/auth/oauth/link
        Identity->>Gateway: {user}
    end

    Gateway->>Gateway: Sign JWT (15-min)
    Gateway->>Client: Set cookies + redirect to dashboard

Token Refresh¶

sequenceDiagram
    participant Client
    participant Gateway
    participant Identity

    Client->>Gateway: POST /api/v1/auth/refresh {refresh_token}
    Gateway->>Identity: POST /internal/auth/refresh {refresh_token}
    Identity->>Identity: Validate token, check family
    Identity->>Identity: Rotate: revoke old, issue new
    Identity->>Gateway: {user, new_refresh_token}
    Gateway->>Gateway: Sign new JWT (15-min)
    Gateway->>Client: {access_token, refresh_token}

Password Reset¶

sequenceDiagram
    participant Client
    participant Gateway
    participant Identity

    Client->>Gateway: POST /api/v1/auth/forgot-password {email}
    Gateway->>Identity: POST /internal/auth/forgot-password
    Identity->>Identity: Generate reset token, send email
    Identity->>Gateway: 200 OK

    Client->>Gateway: POST /api/v1/auth/reset-password {token, new_password}
    Gateway->>Identity: POST /internal/auth/reset-password
    Identity->>Identity: Validate token, hash new password
    Identity->>Gateway: 200 OK

Configuration¶

Database Tables¶

Security¶

• Password hashing — bcrypt with cost factor 12
• Refresh tokens — Opaque, 30-day expiry, DB-backed with family tracking
• Token theft detection — If a revoked token from a family is reused, the entire family is invalidated
• Email verification — Required before full account access (configurable)