
User Authentication


Bloggers are authenticated via third-party accounts (GitHub, WordPress, and Stack Exchange). This removes the burden of storing passwords in our database. Below are the two authentication flows, one for creating a user and one for logging in.

1. The user chooses a third-party authentication provider to log in with, via GET `/auth/:provider` to the client.
2. This redirects them to the provider's OAuth page.
3. The user enters their credentials and the provider sends them back to CSB via GET `/auth/:provider/callback` with a token.
4. The client sends this token to the API via POST `/token`.
5. The API verifies the token with the provider by calling their identification endpoint, getting their unique ID.

At this point the logic forks, depending on whether the user is already registered with CS Blogs or not.

#### A) User is registered

6. The user ID is found in the database. A new CSB-specific token is minted and returned to the client along with `isRegistered: true`.
7. The client can now use this token to perform account activities.

#### B) User is new

6. The user ID is not found in the database. A new CSB-specific token is minted and returned to the client along with `isRegistered: false`.
7. The client completes the registration process (name, bio, blog feed etc.) and the data is sent to the API via POST `/user` with their token.
8. A successful response indicates the user has been created, and the client can now use their token to perform account activities.
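The server-side half of this flow (step 5 onwards, plus the POST `/user` registration step) as an added, self-contained example. This is illustrative code written for this page, not the CS Blogs API's own implementation. Everything beyond what the page states is an assumption: the provider identification call is replaced by a constructed lookup table standing in for the real HTTP request to GitHub/WordPress/Stack Exchange, the user table is an in-memory dict with constructed sample rows, and the CSB-specific token is modelled as an HMAC-SHA256-signed payload with an expiry (the real token format is not described on the page). The security-relevant points it shows are that the API never trusts a provider user ID claimed by the client, only one returned by the provider; that the provider's token is used once and never stored; and that the minted token is verified with a constant-time comparison and rejected when expired or tampered with.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed server-side signing secret (constructed placeholder; load from config in practice).
SERVER_SECRET = b"csb-example-secret-not-for-production"
TOKEN_TTL_SECONDS = 3600

# Constructed stand-in for each provider's identification endpoint: maps a
# provider token to the provider's unique user ID, or None if the provider
# rejects the token. In the real API this is an outbound HTTP call (step 5).
FAKE_PROVIDER_IDENTITIES = {
    "github": {"gh-token-alice": "gh:1001", "gh-token-bob": "gh:2002"},
    "wordpress": {"wp-token-carol": "wp:3003"},
    "stackexchange": {},
}

# In-memory user table keyed by (provider, provider_user_id); constructed sample data.
USERS = {("github", "gh:1001"): {"name": "Alice", "bio": "writes about compilers"}}


def identify_with_provider(provider, provider_token):
    """Step 5: ask the provider who this token belongs to. The client never supplies the ID."""
    if provider not in FAKE_PROVIDER_IDENTITIES:
        raise ValueError("unknown provider")
    return FAKE_PROVIDER_IDENTITIES[provider].get(provider_token)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_csb_token(provider, provider_user_id, now=None):
    """Mint the CSB-specific token: HMAC-signed JSON payload with an expiry (assumed format)."""
    now = time.time() if now is None else now
    claims = {"p": provider, "id": provider_user_id, "exp": int(now + TOKEN_TTL_SECONDS)}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_csb_token(token, now=None):
    """Return the (provider, provider_user_id) bound to a token, or None if forged or expired."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = _unb64(payload_b64)
        sig = _unb64(sig_b64)
    except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    claims = json.loads(payload)
    if claims["exp"] <= now:
        return None
    return claims["p"], claims["id"]


def post_token(provider, provider_token):
    """POST /token: verify the provider token, mint a CSB token, report registration state."""
    try:
        provider_user_id = identify_with_provider(provider, provider_token)
    except ValueError:
        return 400, {"error": "unknown provider"}
    if provider_user_id is None:
        return 401, {"error": "provider rejected token"}
    registered = (provider, provider_user_id) in USERS
    return 200, {"token": mint_csb_token(provider, provider_user_id), "isRegistered": registered}


def post_user(token, profile):
    """POST /user: complete registration for the identity bound to a CSB token (flow B, step 7)."""
    identity = verify_csb_token(token)
    if identity is None:
        return 401, {"error": "invalid or expired token"}
    if identity in USERS:
        return 409, {"error": "already registered"}
    USERS[identity] = {"name": profile["name"], "bio": profile.get("bio", "")}
    return 201, {"isRegistered": True}


if __name__ == "__main__":
    print(post_token("github", "gh-token-alice"))   # registered user, isRegistered True
    status, body = post_token("github", "gh-token-bob")  # new user, isRegistered False
    print(status, body)
    print(post_user(body["token"], {"name": "Bob"}))  # 201, registration completed
```

Because the token carries the provider identity rather than a CSB user ID, the same token works for both branches: a registered user can call account endpoints with it straight away, and a new user presents it to POST `/user` so the API can bind the profile to the identity the provider vouched for, without the client ever being able to choose which identity that is.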