Authentication
The Authentication module manages user identity verification and session lifecycle for Swisper. It provides cookie-based session management for web users (with sliding 30-minute timeout and optional 14-day "remember me"), JWT tokens for mobile apps, CSRF protection, login rate limiting, and mandatory TOTP-based Two-Factor Authentication for admin users. The system uses progressive session phases to gate admin access until 2FA verification is complete.
Key Components
| Component | Purpose |
|---|---|
| Cookie-Based Sessions | HttpOnly session cookies (30 min sliding window) with CSRF double-submit protection, replacing client-side JWT storage |
| Refresh Token System | "Remember me" refresh cookies (14 days, 90-day max) with single-use rotation and replay detection |
| 2FA Service | TOTP secret generation, code verification, backup code management using pyotp (RFC 6238) |
| Progressive Session Phases | Sessions start restricted (requires_2fa_setup/requires_2fa_login) and transition to active after verification |
| Login Rate Limiting | Per-email and per-IP brute-force protection (CASA 11.1.4 compliance) |
Documentation Sections
- Overview — What this module does and who it serves
- Architecture — System design, security model, and design decisions
- Operations — Failure modes, runbooks, and 2FA reset procedures