Authentication

The browser client authenticates users through AWS Cognito via aws-amplify v5. Sign-in uses the Cognito hosted UI (OAuth authorization code flow with federated identity providers).

Configuration

Amplify is configured on mount in Skeleton.js:

Redirect URLs come from COGNITO_REDIRECT_LOGIN and COGNITO_REDIRECT_LOGOUT. See Configuration.

Sign-in flow

  1. User clicks login → Auth.federatedSignIn() (in LogInOutButton.js).
  2. Browser redirects to Cognito hosted UI.
  3. On success, Cognito redirects back with an authorization code; Amplify exchanges it for tokens.
  4. Skeleton reads usr.signInUserSession.idToken.jwtToken and passes it to child routes as the token prop.

Session bootstrap

Skeleton calls Auth.currentAuthenticatedUser() on load:

Sign-out

UserSettingsModal.js sets sessionStorage.intentionalLogout = "1" before Auth.signOut() so the expiry handler does not immediately re-login.

User profile (globalMe)

After login, LogInOutButton.js calls:

callAuthApi("me", { size: "small" })

The response populates Zustand globalMe (challenges, bots, settings, etc.). A full me fetch happens in Me.js on the dashboard.

New user onboarding

If the backend returns an incomplete profile, NewProfile.js prompts the user to set a display name and preferences.

Token usage

Profile updates

Email and password changes go through Amplify APIs in UserSettingsModal, not the node-backend authQuery layer.

Cognito setup (ops)

Pool configuration, callback URLs, and identity providers are documented in Backend deployment. Dev and prod use separate pools; tokens are not interchangeable across stages.

Related