Authentication

AutoCom provides a comprehensive authentication system built on Laravel Passport, supporting multi-tenant user authentication with secure token-based access.

Overview

The authentication system includes:

  • Token-based authentication via Laravel Passport
  • Password reset with secure email-based tokens
  • Email verification for new and updated email addresses
  • Profile management for user account settings
  • Session management for token revocation

Authentication Flow

1. Login

Users authenticate by providing their email, password, and tenant context (the X-Tenant header):

POST /api/v1/auth/login
X-Tenant: your-tenant-id
Content-Type: application/json

{
  "email": "user@example.com",
  "password": "secure_password"
}

Response:

{
  "user": {
    "id": 1,
    "name": "John Doe",
    "email": "user@example.com"
  },
  "role": "admin",
  "permissions": ["orders.view", "orders.create", ...],
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOi...",
  "token_type": "Bearer",
  "expires_at": "2025-01-27T10:00:00.000000Z"
}

2. Using Tokens

Include the access token in the Authorization header for authenticated requests:

GET /api/v1/orders
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOi...
X-Tenant: your-tenant-id

3. Logout

Revoke the current access token:

POST /api/v1/auth/logout
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOi...
X-Tenant: your-tenant-id

Multi-Tenant Authentication

Users can belong to multiple tenants (organizations). After login, use /api/v1/auth/tenants to list all organizations the user belongs to:

GET /api/v1/auth/tenants
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOi...

Response:

{
  "tenants": [
    {
      "id": "tenant-1",
      "name": "Acme Corp",
      "role": "admin"
    },
    {
      "id": "tenant-2",
      "name": "Tech Solutions",
      "role": "viewer"
    }
  ]
}
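The login, bearer-token, tenant-listing and logout steps above, modelled as an in-memory service in Python. This is an added illustration, not AutoCom's own code: the AuthService class, its register/add_membership helpers, the permission table and the 403 for a user who is not a member of the requested tenant are all assumptions made for the example, and PBKDF2-HMAC-SHA256 stands in for bcrypt because bcrypt is not in the Python standard library.

```python
import hashlib
import hmac
import os
import secrets
from datetime import datetime, timedelta, timezone

# Constructed stand-in for /api/v1/auth/* (not AutoCom code). PBKDF2 replaces
# bcrypt here only because bcrypt is not in the standard library.
TOKEN_TTL = timedelta(days=15)
PBKDF2_ROUNDS = 200_000


def hash_password(password: str) -> bytes:
    """Return salt || digest; the 16-byte salt is stored with the digest."""
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


class AuthService:
    # Assumed role -> permission table; the page only shows an excerpt for "admin".
    PERMISSIONS = {"admin": ["orders.view", "orders.create"], "viewer": ["orders.view"]}

    def __init__(self, clock=None):
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self.users = {}        # email -> {"id", "name", "password_hash"}
        self.memberships = {}  # (user_id, tenant_id) -> role
        self.tenants = {}      # tenant_id -> display name
        self.tokens = {}       # access_token -> {"user_id", "expires_at", "revoked"}

    def register(self, user_id, name, email, password):
        self.users[email] = {"id": user_id, "name": name, "password_hash": hash_password(password)}

    def add_membership(self, user_id, tenant_id, tenant_name, role):
        self.tenants[tenant_id] = tenant_name
        self.memberships[(user_id, tenant_id)] = role

    def login(self, headers, body):
        """POST /api/v1/auth/login -> (status, json body)."""
        tenant_id = headers.get("X-Tenant")
        user = self.users.get(body.get("email", ""))
        # Hash even for unknown emails so response time does not reveal account existence.
        stored = user["password_hash"] if user else hash_password("")
        ok = verify_password(body.get("password", ""), stored) and user is not None
        if not ok or tenant_id is None:
            return 401, {"message": "Invalid credentials"}
        role = self.memberships.get((user["id"], tenant_id))
        if role is None:  # assumption: non-members of the requested tenant get 403
            return 403, {"message": "Not a member of this tenant"}
        token = secrets.token_urlsafe(32)
        expires_at = self.clock() + TOKEN_TTL
        self.tokens[token] = {"user_id": user["id"], "expires_at": expires_at, "revoked": False}
        return 200, {
            "user": {"id": user["id"], "name": user["name"], "email": body["email"]},
            "role": role,
            "permissions": self.PERMISSIONS[role],
            "access_token": token,
            "token_type": "Bearer",
            "expires_at": expires_at.isoformat(),
        }

    def authenticate(self, headers):
        """Resolve the Authorization header to a live, unexpired token record, or None."""
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        record = self.tokens.get(token) if scheme == "Bearer" else None
        if record is None or record["revoked"] or record["expires_at"] <= self.clock():
            return None
        return record

    def list_tenants(self, headers):
        """GET /api/v1/auth/tenants: every organisation the token's user belongs to."""
        record = self.authenticate(headers)
        if record is None:
            return 401, {"message": "Unauthenticated"}
        tenants = [{"id": tid, "name": self.tenants[tid], "role": role}
                   for (uid, tid), role in self.memberships.items() if uid == record["user_id"]]
        return 200, {"tenants": tenants}

    def logout(self, headers):
        """POST /api/v1/auth/logout: revoke only the token that was presented."""
        record = self.authenticate(headers)
        if record is None:
            return 401, {"message": "Unauthenticated"}
        record["revoked"] = True
        return 200, {"message": "Logged out"}


def demo():
    """Walk the flow with a fixed clock so token expiry is deterministic."""
    now = [datetime(2025, 1, 12, 10, 0, tzinfo=timezone.utc)]  # constructed time
    svc = AuthService(clock=lambda: now[0])
    svc.register(1, "John Doe", "user@example.com", "secure_password")
    svc.add_membership(1, "tenant-1", "Acme Corp", "admin")
    svc.add_membership(1, "tenant-2", "Tech Solutions", "viewer")
    status, body = svc.login({"X-Tenant": "tenant-1"},
                             {"email": "user@example.com", "password": "secure_password"})
    auth = {"Authorization": f"Bearer {body['access_token']}", "X-Tenant": "tenant-1"}
    tenants_status, tenants = svc.list_tenants(auth)
    now[0] += TOKEN_TTL  # clock reaches expires_at: the token must stop working
    expired_status, _ = svc.list_tenants(auth)
    return (status, body["role"], body["expires_at"], tenants_status,
            [t["id"] for t in tenants["tenants"]], expired_status)
```

Two points worth noting in the model: the unknown-email path still runs a password hash so timing does not distinguish "no such user" from "wrong password", and logout revokes only the presented token, so a user's other sessions stay valid until they are revoked individually.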

Security Features

Password Security

  • Minimum 8 characters required
  • Passwords are hashed using bcrypt
  • Password change requires current password verification

Token Security

  • Tokens expire after 15 days (configurable)
  • Token revocation on password change
  • Session listing and individual revocation supported

Rate Limiting

Authentication endpoints are rate-limited to slow down brute-force attacks:

  • Login: 5 attempts per minute
  • Password reset: 3 requests per hour
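The token-session and rate-limiting rules above, as an added Python example that is not AutoCom's or Laravel's code. The sliding-window limiter enforces the two limits the page states (5 login attempts per minute, 3 password-reset requests per hour) per client key, and the session store shows listing, individual revocation and revoke-all on password change. The client key (an IP address), the Retry-After computation and the ownership check on individual revocation are assumptions for the example.

```python
import math
from collections import deque
from datetime import datetime, timedelta, timezone

# Constructed example (not AutoCom code). Limits are the ones the page states.
LIMITS = {
    "auth.login": (5, timedelta(minutes=1)),
    "auth.password-reset": (3, timedelta(hours=1)),
}


class SlidingWindowLimiter:
    """Per-(endpoint, client key) attempt counter over a sliding time window."""

    def __init__(self, clock=None):
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self.hits = {}  # (endpoint, key) -> deque of attempt timestamps

    def check(self, endpoint, key):
        """Return (allowed, retry_after_seconds); the attempt is counted only when allowed."""
        limit, window = LIMITS[endpoint]
        now = self.clock()
        attempts = self.hits.setdefault((endpoint, key), deque())
        while attempts and now - attempts[0] >= window:  # forget attempts outside the window
            attempts.popleft()
        if len(attempts) >= limit:
            # Oldest in-window attempt decides when the next slot frees up (Retry-After header).
            retry_after = (attempts[0] + window - now).total_seconds()
            return False, max(1, math.ceil(retry_after))
        attempts.append(now)
        return True, 0


class SessionStore:
    """Access tokens per user: list, revoke one, revoke all (used on password change)."""

    def __init__(self, clock=None, ttl=timedelta(days=15)):
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self.ttl = ttl  # 15 days, the page's default
        self.tokens = {}  # token_id -> {"user_id", "expires_at", "revoked"}

    def issue(self, token_id, user_id):
        self.tokens[token_id] = {"user_id": user_id, "expires_at": self.clock() + self.ttl, "revoked": False}

    def sessions(self, user_id):
        """Live sessions only: revoked or expired tokens are not listed."""
        now = self.clock()
        return [tid for tid, rec in self.tokens.items()
                if rec["user_id"] == user_id and not rec["revoked"] and rec["expires_at"] > now]

    def revoke(self, token_id, user_id):
        """Individual revocation; assumption: a user may only revoke their own tokens."""
        rec = self.tokens.get(token_id)
        if rec is None or rec["user_id"] != user_id:
            return False
        rec["revoked"] = True
        return True

    def revoke_all(self, user_id):
        """Called after a password change: every token of the user stops working."""
        live = self.sessions(user_id)
        for tid in live:
            self.tokens[tid]["revoked"] = True
        return len(live)


def demo():
    now = [datetime(2025, 1, 12, 10, 0, tzinfo=timezone.utc)]  # constructed fixed clock
    limiter = SlidingWindowLimiter(clock=lambda: now[0])
    client = "198.51.100.7"  # constructed client key (documentation IP range)
    login_results = [limiter.check("auth.login", client)[0] for _ in range(6)]
    _, retry_after = limiter.check("auth.login", client)
    now[0] += timedelta(seconds=60)  # window has slid past the burst
    allowed_again = limiter.check("auth.login", client)[0]
    reset_results = [limiter.check("auth.password-reset", client)[0] for _ in range(4)]

    store = SessionStore(clock=lambda: now[0])
    store.issue("tok-a", 1)
    store.issue("tok-b", 1)
    store.issue("tok-c", 2)
    foreign_revoke = store.revoke("tok-c", 1)   # user 1 cannot revoke user 2's session
    own_revoke = store.revoke("tok-a", 1)
    revoked_on_change = store.revoke_all(1)     # password change: only tok-b was still live
    return login_results, retry_after, allowed_again, reset_results, foreign_revoke, own_revoke, revoked_on_change, store.sessions(1), store.sessions(2)
```

The limiter counts an attempt only when it is allowed, so a blocked client cannot extend its own lockout by retrying; the Retry-After value is derived from the oldest attempt still inside the window, which is what a client should wait before the next slot opens.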