# Email & Password

:::info Coming Soon

This feature is under active development. The design below reflects our planned implementation.

:::
Email and password authentication is the traditional method where users register with an email address and a password. Aero2 handles registration, email verification, password hashing, and reset flows.
## Features
- User registration with email and password
- Email verification via 6-digit code
- Password strength requirements (minimum 8 characters, must include at least one letter and one number)
- Password reset flow with email verification
- Progressive account lockout after failed attempts
## Sign-Up Flow

1. **User submits email and password**

   The user provides their email address and chooses a password that meets the strength requirements.

2. **Verification code sent**

   Aero2 sends a 6-digit verification code to the user's email address.

3. **User enters verification code**

   The user enters the code to confirm ownership of the email address.

4. **Account activated**

   The account is marked as verified and the user is signed in with an active session.
## Sign-In Flow

1. **User enters credentials**

   The user provides their email address and password.

2. **MFA check (if enabled)**

   If the user has multi-factor authentication enabled, they are prompted for their second factor.

3. **Session created**

   On successful authentication, a session is created and the user is signed in.
## Password Reset Flow

1. **User requests reset**

   The user provides their email address and requests a password reset.

2. **Reset code sent**

   Aero2 sends a 6-digit reset code to the user's email address.

3. **User enters code and new password**

   The user enters the reset code along with their new password.

4. **All sessions revoked**

   The password is updated and all existing sessions for the user are revoked for security.
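The sign-up, sign-in and reset flows above, worked through as one in-memory service. This is an added example, not Aero2's own code: the 10-minute code lifetime, the PBKDF2 password hashing, the hashed storage of codes and the session-token format are all assumptions made here, since the page does not specify them. It shows the details a practitioner cares about: the code comes from a CSPRNG, only its hash is stored, it expires and is single-use, a reset code cannot verify an email, comparisons are constant-time, and a password reset revokes every existing session.

```python
# Added example (not Aero2's code): in-memory sketch of the sign-up, sign-in and
# password reset flows above. Code lifetime, KDF and token format are assumptions.
import hashlib
import hmac
import re
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

CODE_TTL_SECONDS = 600  # assumed: a 6-digit code is valid for 10 minutes


def check_password_strength(password: str) -> bool:
    """Policy from the Features list: 8+ characters with at least one letter and one digit."""
    return len(password) >= 8 and bool(re.search(r"[A-Za-z]", password)) and bool(re.search(r"[0-9]", password))


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    # Salted PBKDF2 stands in for whatever KDF Aero2 will use (the page does not say).
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    email: str
    salt: bytes
    pw_hash: bytes
    verified: bool = False


class AuthService:
    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.now = now
        self.users: Dict[str, User] = {}
        self.codes: Dict[str, Tuple[bytes, float, str]] = {}  # email -> (sha256(code), expiry, purpose)
        self.sessions: Dict[str, str] = {}                    # session token -> email
        self.outbox: List[Tuple[str, str]] = []               # (email, code) that would be emailed

    def _issue_code(self, email: str, purpose: str) -> None:
        code = f"{secrets.randbelow(10 ** 6):06d}"  # uniform 6-digit code from a CSPRNG
        # Only a hash of the code is stored; a reset code cannot be used to verify an email.
        self.codes[email] = (hashlib.sha256(code.encode()).digest(), self.now() + CODE_TTL_SECONDS, purpose)
        self.outbox.append((email, code))

    def _consume_code(self, email: str, code: str, purpose: str) -> bool:
        pending = self.codes.get(email)
        if pending is None or pending[2] != purpose:
            return False
        if self.now() > pending[1]:
            del self.codes[email]
            return False
        ok = hmac.compare_digest(pending[0], hashlib.sha256(code.encode()).digest())
        if ok:
            del self.codes[email]  # single use: the code cannot be replayed
        return ok

    def _create_session(self, email: str) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = email
        return token

    def signup(self, email: str, password: str) -> bool:
        if email in self.users or not check_password_strength(password):
            return False
        salt, pw_hash = hash_password(password)
        self.users[email] = User(email, salt, pw_hash)
        self._issue_code(email, "verify")
        return True

    def verify_email(self, email: str, code: str) -> Optional[str]:
        if not self._consume_code(email, code, "verify"):
            return None
        self.users[email].verified = True   # account activated ...
        return self._create_session(email)  # ... and signed in

    def login(self, email: str, password: str) -> Optional[str]:
        user = self.users.get(email)
        if user is None or not user.verified:
            return None
        _, candidate = hash_password(password, user.salt)
        if not hmac.compare_digest(candidate, user.pw_hash):
            return None
        return self._create_session(email)

    def forgot_password(self, email: str) -> None:
        if email in self.users:  # same empty response either way, so the endpoint does not reveal registered addresses
            self._issue_code(email, "reset")

    def reset_password(self, email: str, code: str, new_password: str) -> bool:
        if not check_password_strength(new_password):
            return False  # checked first so a weak password does not burn a valid code
        if not self._consume_code(email, code, "reset"):
            return False
        user = self.users[email]
        user.salt, user.pw_hash = hash_password(new_password)
        # Last step of the reset flow: revoke every existing session for this user.
        self.sessions = {tok: e for tok, e in self.sessions.items() if e != email}
        return True
```

Two design points worth noting: the strength check in `reset_password` runs before the code is consumed, so a rejected password does not waste a valid code, and wrong guesses against a 6-digit code are left uncounted here; in a real deployment they should feed the same failed-attempt counter as sign-in, since a million-value code space is small enough to enumerate if guesses are unlimited.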
## Account Lockout
To protect against brute-force attacks, Aero2 implements progressive account lockout:
| Failed Attempts | Lockout Duration |
|---|---|
| 5 | 5 minutes |
| 10 | 15 minutes |
| 20 | 1 hour |
| 50+ | 24 hours |
The lockout counter resets after a successful sign-in.
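The schedule in the table above, expressed as code together with a small tracker that applies the "resets after a successful sign-in" rule. This is an added example, not Aero2's own implementation. One reading of the table is assumed here: attempts between two thresholds fall into the lower tier (for example, 7 failures lock for 5 minutes), and the counter persists across an expired lockout until a successful sign-in, so each further failure past a threshold re-applies that tier's duration.

```python
# Added example (not Aero2's code): the progressive lockout schedule from the table
# above, plus a tracker that resets the counter on success. Assumed: the counter
# persists across an expired lockout until a successful sign-in, so each further
# failure past a threshold re-applies that tier's duration.
import time
from datetime import timedelta
from typing import Callable, Dict, Optional

# (failed-attempt threshold, lockout duration), highest tier first
LOCKOUT_SCHEDULE = [
    (50, timedelta(hours=24)),
    (20, timedelta(hours=1)),
    (10, timedelta(minutes=15)),
    (5, timedelta(minutes=5)),
]


def lockout_duration(failed_attempts: int) -> Optional[timedelta]:
    """Return the lockout for this many consecutive failures, or None below the first tier."""
    for threshold, duration in LOCKOUT_SCHEDULE:
        if failed_attempts >= threshold:
            return duration
    return None


class LockoutTracker:
    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.now = now
        self.failed: Dict[str, int] = {}          # email -> consecutive failed attempts
        self.locked_until: Dict[str, float] = {}  # email -> unix time the lockout ends

    def is_locked(self, email: str) -> bool:
        until = self.locked_until.get(email)
        return until is not None and self.now() < until

    def record_failure(self, email: str) -> Optional[timedelta]:
        """Count a failed sign-in and return the lockout it triggers, if any."""
        self.failed[email] = self.failed.get(email, 0) + 1
        duration = lockout_duration(self.failed[email])
        if duration is not None:
            self.locked_until[email] = self.now() + duration.total_seconds()
        return duration

    def record_success(self, email: str) -> None:
        """A successful sign-in resets the counter and clears any lockout."""
        self.failed.pop(email, None)
        self.locked_until.pop(email, None)
```

Call `is_locked` before running the password KDF, so attempts against a locked account cost nothing, and return the same generic failure for a locked account, an unknown address and a wrong password, so the sign-in endpoint does not reveal which emails are registered.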
## Planned API Endpoints
| Method | Endpoint | Description |
|---|---|---|
| POST | /api/auth/signup | Register a new user |
| POST | /api/auth/login | Sign in with email/password |
| POST | /api/auth/verify-email | Verify email with 6-digit code |
| POST | /api/auth/forgot-password | Request a password reset code |
| POST | /api/auth/reset-password | Reset password with code |