Login Endpoint¶
- Route:
/login
- Description: Authenticates a user and returns appropriate responses based on the account state.
Note
The response varies depending on the account status: - MFA Enabled: Returns a mfa
key with the user ID. - Email Not Verified: Returns an email
key with the user's email and a msg
key with a message prompting email verification and a verification email is sent to the user's email address. - Email Verified, MFA Not Enabled: Returns access_token
and refresh_token
keys along with user details in the user
key.
- Method:
POST
Request Body¶
- Content-Type:
application/json
- Body:
{ "login_field": "string", "password": "string" }
- Required Fields:
login_field
(string): The login field (one of those specified inAUTHENTICATION_METHODS
) of the user attempting to log in.password
(string): The password associated with thelogin_field
.
Successful Responses¶
- Status Code:
200 OK
- Content (MFA Enabled):
{ "mfa": "user_id" }
- Content (Email Not Verified):
{ "email": "user@example.com", "msg": "[Messages.status_unverified]*", "code": "email_unverified" }
- Content (Email Verified, MFA Not Enabled):
{ "access_token": "string", "refresh_token": "string", "user": { "id": "integer", "username": "string" } }
Bad Responses¶
- Status Code:
401 Unauthorized
- Content:
{ "detail": "Incorrect authentication credentials.", "code": "authentication_failed", "msg": "[Messages.no_account]*" }
Explanation of Responses¶
-
MFA Enabled: If multi-factor authentication (MFA) is enabled, the response will include the user ID in the
mfa
key. The MFA cookie, containing the user ID, is automatically set in the response headers. -
Email Not Verified: If the user's email is not verified, the response includes the user's email in the
email
key and a message prompting email verification in themsg
key. A verification email containing the code is automatically sent to the user's email address ifAUTO_RESEND_EMAIL
is set toTrue
. -
Email Verified, MFA Not Enabled: If the email is verified and MFA is not enabled, the response includes access and refresh tokens in the respective keys, along with user details in the
user
key as defined by theUSER_CLAIM_SERIALIZER
. Authentication cookies are automatically set in the response headers. -
Cookies: Authentication cookies, such as those for session management and MFA, are automatically set in the response headers and do not appear in the response body. These cookies are used for authorization in web applications.
-
Authorization:
- Web Applications: Authorization is managed through cookies, which are automatically set and read by the browser.
- Mobile Applications: Authorization is handled via the
Authorization
Bearer header, where the access token must be included. The refresh token should be securely stored by the client to refresh the access token when necessary.