Login

[geolunalg]

Overview

User Story:
As a user, I want to sign in with my credentials so I can access protected features.

Acceptance Criteria:

• Given valid credentials, when I log in, then:
  • backend returns an access token
  • backend sets a refresh token cookie (HttpOnly, Secure, SameSite)
  • response includes user profile basics or client can call /me
• Given invalid credentials, when I log in, then I receive a generic error (no user enumeration).

Resources/Instructions

• This issue is part of the epic: EPIC: Authentication & Session Management (JWT + Refresh) #2065

[rteas]

Backend /auth/verify-sign has been modified to create refresh token and also create access token (JWT) for client containing relevant user info (roles, email, etc).

Will return a 401 for front end to handle when invalid credentials are provided.

[rteas]

Completed