Email & Password Login
Feature Detail
Description
Email and password login provides the foundational authentication mechanism for the Meander platform, serving as the primary fallback for users who cannot or prefer not to use BankID or Vipps. The feature covers the full authentication flow including credential validation, JWT token issuance, secure token storage on device, and session management across both the mobile app and admin portal. It is the baseline login method available from day one of the MVP, ensuring no user is locked out due to third-party authentication unavailability.
User Flow
Analysis
Email and password login is a non-negotiable foundation for the platform. Without it, no user can access Meander, making every other feature unreachable. As the fallback authentication method, it guarantees access for users who lack BankID or Vipps, including international users or edge cases during third-party outages. For the admin portal, it is the primary login method for org admins and global admins who manage the system. Reliable, secure authentication directly protects sensitive personal data and is a prerequisite for GDPR compliance and organizational trust.
The mobile app persists JWTs between sessions in Flutter secure storage (Keychain on iOS, Keystore on Android) rather than in shared preferences or plain files. The backend's Next.js REST API issues a short-lived access token and a longer-lived refresh token: the access token is sent on every request, while the refresh token is presented only to the refresh endpoint to obtain a new access token, so a leaked access token has a bounded lifetime. Passwords are stored as bcrypt hashes with a cost factor chosen so that a single verification is deliberately slow on the production hardware. The admin portal keeps its tokens in HttpOnly cookies so that script injected through an XSS bug cannot read them; because the browser attaches cookies automatically, those cookies must also carry the Secure and SameSite attributes and state-changing admin endpoints need CSRF protection. Rate limiting and lockout policies are enforced server-side to blunt brute-force and credential-stuffing attempts; the lockout should be a progressive, time-limited delay keyed on account and source address rather than a permanent lock, which an attacker could otherwise trigger to deny a victim access. A failed login returns the same response, and takes the same time, whether the email is unknown or the password is wrong, so the endpoint does not reveal which addresses have accounts. In Flutter, BLoC manages authentication state and a dedicated AuthRepository abstracts the HTTP client calls.
Components (35)
Shared Components
These components are reused across multiple features
Service Layer (9)
Data Layer (12)
Infrastructure (7)
User Stories
No user stories have been generated for this feature yet.