Authentication & Security

AutoCom provides a comprehensive authentication system built on Laravel Passport with multi-tenant user management, two-factor authentication, and security monitoring.

Login Flow

Users authenticate by providing email, password, and tenant context:

POST /api/v1/auth/login
X-Tenant: your-tenant-id
Content-Type: application/json

{
  "email": "user@example.com",
  "password": "secure_password"
}

Response:

{
  "user": {
    "id": 1,
    "name": "John Doe",
    "email": "user@example.com"
  },
  "role": "admin",
  "permissions": ["orders.view", "orders.create"],
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOi...",
  "token_type": "Bearer",
  "expires_at": "2025-01-27T10:00:00.000000Z"
}

If 2FA is enabled, a 2fa_required response is returned instead — see Two-Factor Authentication.

Using Tokens

Include the access token in the Authorization header:

GET /api/v1/orders
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOi...
X-Tenant: your-tenant-id

Logout

POST /api/v1/auth/logout
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOi...

Multi-Tenant Authentication

Users can belong to multiple tenants. After login, list available organizations:

GET /api/v1/auth/tenants
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOi...

Response:

{
  "tenants": [
    { "id": "tenant-1", "name": "Acme Corp", "role": "admin" },
    { "id": "tenant-2", "name": "Tech Solutions", "role": "viewer" }
  ]
}
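The login, bearer-token and tenant-listing calls above, as an added client example (not AutoCom's own code): it sends the X-Tenant header on every request, refuses to send a token past its expires_at, and treats the 2FA branch separately. The HTTP transport and clock are injected so it runs offline against a constructed stub; the `status: "2fa_required"` field name is an assumption, since the page does not show that response's shape.

```python
from datetime import datetime, timezone

def parse_expiry(value):
    # expires_at uses the form shown in the login response, e.g. 2025-01-27T10:00:00.000000Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

class TwoFactorRequired(Exception): pass  # password accepted, but a 2FA code is still needed

class AutoComClient:
    def __init__(self, base_url, tenant_id, transport, clock=None):
        # transport(method, url, headers, body) -> (status, json) and clock are injected so the example runs offline
        self.base_url, self.tenant_id, self.transport = base_url.rstrip("/"), tenant_id, transport
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self.access_token = self.expires_at = None
    def headers(self, authenticated=False):
        h = {"X-Tenant": self.tenant_id, "Accept": "application/json"}  # tenant context on every request
        if authenticated:
            if not self.token_valid():
                raise RuntimeError("no valid access token; log in first")
            h["Authorization"] = "Bearer " + self.access_token
        return h
    def token_valid(self):
        return self.access_token is not None and self.clock() < self.expires_at
    def login(self, email, password):
        status, body = self.transport("POST", self.base_url + "/api/v1/auth/login",
            {**self.headers(), "Content-Type": "application/json"}, {"email": email, "password": password})
        if status != 200:
            raise PermissionError("login failed with HTTP %d" % status)
        if body.get("status") == "2fa_required":  # assumed field name for the 2FA branch
            raise TwoFactorRequired()
        self.access_token, self.expires_at = body["access_token"], parse_expiry(body["expires_at"])
        return body["role"], body["permissions"]
    def tenants(self):
        _, body = self.transport("GET", self.base_url + "/api/v1/auth/tenants", self.headers(True), None)
        return body["tenants"]

# Constructed stub standing in for the server; it replays the responses shown on this page.
def fake_transport(method, url, headers, body):
    if url.endswith("/auth/login") and body["password"] == "secure_password":
        return 200, {"user": {"id": 1, "email": body["email"]}, "role": "admin", "permissions": ["orders.view", "orders.create"],
                     "access_token": "tok.example", "token_type": "Bearer", "expires_at": "2025-01-27T10:00:00.000000Z"}
    if url.endswith("/auth/tenants") and headers.get("Authorization") == "Bearer tok.example":
        return 200, {"tenants": [{"id": "tenant-1", "name": "Acme Corp", "role": "admin"}]}
    return 401, {"message": "Unauthenticated."}

def demo(now_iso):
    client = AutoComClient("https://autocom.example", "tenant-1", fake_transport, lambda: parse_expiry(now_iso))
    role, perms = client.login("user@example.com", "secure_password")
    tenant_ids = [t["id"] for t in client.tenants()] if client.token_valid() else None  # None once expired
    return role, perms, client.token_valid(), tenant_ids
```

Running `demo("2025-01-27T09:59:59.000000Z")` lists the tenant; one second later the same token is refused client-side instead of being sent.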

Security Features

Feature             Description
------------------  ---------------------------------------------------------------------------
Token-based auth    Laravel Passport with 15-day expiry (configurable)
Password security   Bcrypt hashing, 8-char minimum, current password verification on change
Two-Factor Auth     TOTP-based 2FA with backup codes (see Two-Factor Authentication)
Login History       Tracks all login attempts with device detection (see Login History)
Rate Limiting       5 login attempts/minute, 3 password resets/hour, 15-min lockout on failures
Token revocation    Revoked on password change; session listing and individual revocation

Security Best Practices

  1. Enable 2FA for all admin users
  2. Review activity logs periodically for suspicious activity
  3. Monitor login history and set up alerts for unusual patterns
  4. Export audit logs regularly for compliance records
