Authentication Flow

Overview

The Refresh App Web uses FusionAuth as the identity provider (IdP) for all authentication. FusionAuth handles identity verification (login, passwords, MFA, OAuth token issuance), while the application database handles authorization (who can do what, in which tenant/group).

Key Principle: FusionAuth proves "this is Taylor" → Your DB answers "what can Taylor do in Acme Corp?"

Authentication Architecture

┌─────────────────────────────────────────────────────────────────┐
│                         Client Browser                          │
└────────────┬────────────────────────────────────────────────────┘
             │
             │ 1. Initiate Login
             ▼
┌─────────────────────────────────────────────────────────────────┐
│                    SvelteKit App (Edge)                         │
│  ┌───────────────────────────────────────────────────────────┐  │
│  │              Auth Middleware                              │  │
│  │  • Redirect to FusionAuth                                 │  │
│  │  • Handle callback                                        │  │
│  │  • Resolve identity → user                                │  │
│  └─────────┬─────────────────────────────────────────────────┘  │
└────────────┼────────────────────────────────────────────────────┘
             │
             │ 2. OAuth Flow
             ▼
┌─────────────────────────────────────────────────────────────────┐
│                         FusionAuth                              │
│  • User authentication (email/password, OAuth, SSO)             │
│  • Self-registration                                            │
│  • MFA enforcement                                              │
│  • JWT token issuance                                           │
└────────────┬────────────────────────────────────────────────────┘
             │
             │ 3. JWT returned
             ▼
┌─────────────────────────────────────────────────────────────────┐
│                    SvelteKit App (Edge)                         │
│  ┌───────────────────────────────────────────────────────────┐  │
│  │               Identity Resolution                         │  │
│  │  • Validate JWT via JWKS                                  │  │
│  │  • Lookup user_identities by fusionauth_id                │  │
│  │  • Link identity if needed                                │  │
│  │  • Store access token in httpOnly cookie                  │  │
│  │  • Store minimal user info in auth_user cookie            │  │
│  └─────────┬─────────────────────────────────────────────────┘  │
└────────────┼────────────────────────────────────────────────────┘
             │
             │ 4. Database operations with RLS
             ▼
┌─────────────────────────────────────────────────────────────────┐
│                      Neon Postgres                              │
│  • Validates FusionAuth JWT directly via JWKS                   │
│  • auth_user() resolves fusionauth_id → internal user_id        │
│  • has_permission() checks permissions via auth_permission_cache│
│  • Row-Level Security enforcement                               │
└─────────────────────────────────────────────────────────────────┘

FusionAuth Configuration

FusionAuth Tenant

A single FusionAuth tenant holds all platform users. This is separate from your application's tenant concept (companies/organizations).

Applications

FusionAuth has two applications to separate user authentication from API access:

ReFresh Platform (User Authentication)

For the SvelteKit frontend and user authentication. This is where users log in.

Login Methods

Current: SSO only (Google, Microsoft)

Future: Magic link (emailed code), potentially other methods

All login paths end the same way: FusionAuth returns a fusionauth_id and email, which the application uses to resolve or create the internal user identity.

ReFresh API - Core (API Authorization)

For API access control, role-based permissions, and future external OAuth apps.

Roles (RBAC for API access):

OAuth Scopes for External Apps:

Scopes map 1:1 with roles. When a third-party app requests scopes, those become the roles in the token:

Effective permissions = intersection of user's roles and app's scopes. The app can only do what both the user is allowed to do AND the scope permits.

Note: Not all roles are available as OAuth scopes for external apps. Some roles (like sync.*, backfills.*, schedules.*) are internal-only and not exposed to external OAuth clients.

Entity Types (M2M Authentication)

Internal Service Entity Type

For service-to-service authentication between internal systems. Internal services have admin role and can access any tenant.

External API Client Entity Type

For external M2M integrations created by customers. External M2M apps are bound to a specific tenant via the api_clients table.

External M2M Tenant Binding:

When a customer creates an API integration, the system creates a FusionAuth Entity and stores the tenant binding:

Entities

Why api-core Needs an Entity

The api-core service (lambdas + ECS in ../api-core) sometimes needs to call its own authenticated API endpoints:

Example: Sync service calling authenticated API:

Entity Grants

Entity grants define which entities can access which target entities/applications:

OAuth Flows

Flow 1: User Login (Browser)

Standard Authorization Code flow for web application users.

FusionAuth JWT contains:

Application does:

1. Validate JWT signature via FusionAuth JWKS endpoint

2. Look up user_identities by fusionauth_id or email

3. Link identity if not yet linked (set fusionauth_id)

4. Resolve internal user_id

5. For tenant routes: validate tenant_users membership

Flow 2: Service-to-Service (Client Credentials)

No user involved. Service authenticates as itself using FusionAuth Entities.

M2M Access token contains:

api-core does:

1. Validate JWT signature

2. Check permissions claim for its own entity ID

3. Authorize based on read/write/admin

Flow 3: Third-Party App (User Consent)

External applications access the API on behalf of users with explicit consent.

Third-party access token contains:

Your API does:

1. Validate JWT

2. Get user's actual permissions from your DB

3. Get scope-allowed permissions from token

4. Effective access = intersection (user must have it AND token must allow it)

Flow 4: Token Refresh

Both user tokens and third-party tokens support refresh.

JWT Architecture

FusionAuth JWT → Neon Directly

The FusionAuth JWT is passed directly to Neon for RLS validation. No separate Neon JWT is generated.

FusionAuth JWT Claims:

RLS Helper Functions

Neon uses SQL functions to translate FusionAuth JWT claims into internal identities and permissions:

auth_user(p_fusionauth_id text) - Resolves FusionAuth sub to internal user_id:

has_permission(p_session jsonb, p_permissions text[], p_tenant_id uuid) - Returns permission check with bypass info:

The function queries auth_permission_cache which is populated from auth_assignment → auth_role → auth_role_permission → auth_permission.

The bypass_rls flag is true for users with Platform or Internal roles (like Super Admin, Developer), allowing them to access data across all tenants for support purposes.

Why Direct JWT Validation?

Previous approach (removed): App generated a custom Neon JWT with internal user_id and tenant_id claims.

Current approach: FusionAuth JWT passed directly to Neon.

Benefits:

1. Future-proof - Database schemas will move to api-core; RLS logic stays database-side

2. Simpler - No custom JWT generation in the app

3. Consistent - Same token used for API and database

4. Maintainable - Identity resolution logic lives in database functions

Identity Resolution

When a FusionAuth JWT arrives, the application must resolve it to an internal user. FusionAuth creates the user on their side during sign-up (via SSO), then the application links to an internal identity.

User Creation Flow

Pre-Provisioning (Refresh Internal Only)

Refresh employees are pre-provisioned in FusionAuth by an admin:

1. Admin creates FusionAuth user with work email

2. Admin assigns user to appropriate FusionAuth groups (Engineering, Support, etc.)

3. When employee logs in via SSO, they already have refresh.* roles in their JWT

Customer employees are never pre-provisioned in FusionAuth. HRIS sync creates user_identities records with fusionauth_id = NULL, and the link is made on first login.

Resolution Logic

Case-Insensitive Email Matching

Critical: Email matching must be case-insensitive throughout the system.

Implementation:

• Store emails in lowercase (normalized on insert)

• Compare using LOWER() or case-insensitive collation

• Apply to: identity resolution, account linking, notification routing

See User Management for complete identity lifecycle details.

Tenant Context

URL Path-Based Tenant Selection

Tenant context comes from the URL path parameter, not headers:

Personal vs Tenant Routes

Token Management

Cookie-Based Token Storage

Tokens are stored in httpOnly cookies for security. The application middleware handles token refresh automatically.

auth_user Cookie Contents:

Token Refresh Strategy

1. Middleware checks auth_access_token expiry on each request

2. If expired/near-expiry, uses auth_refresh_token to get new tokens

3. New tokens stored in cookies automatically

4. If refresh fails, user redirected to FusionAuth login

Why Cookies vs Bearer Tokens?

Cookies are preferred for server-rendered SvelteKit apps where most requests originate from the server.

Security Considerations

JWT Validation

1. Validate signature using FusionAuth JWKS endpoint

2. Check exp claim for expiration

3. Verify aud claim matches your application ID

4. Verify iss claim matches FusionAuth URL

JWKS Endpoint

FusionAuth exposes public keys at /.well-known/jwks.json. Cache this with appropriate TTL (1 hour recommended).

Self-Registration Security

FusionAuth self-registration is enabled, but:

• New users get no tenant access by default

• Tenant access only comes from HRIS sync or admin invitation

• Personal accounts have limited capabilities

Troubleshooting

Common Issues

Problem: User cannot log in

• Check FusionAuth application credentials

• Verify redirect URIs match exactly

• Check FusionAuth tenant is active

Problem: Identity not linking

• Verify email comparison uses case-insensitive matching (LOWER())

• Confirm emails are stored normalized (lowercase)

• Check for duplicate FusionAuth users

• Review HRIS sync logs

Problem: Tenant access denied

• Verify tenant_users record exists with status = 'active'

• Check user is using correct identity for that tenant

• Verify URL path contains correct :tenantId parameter

Problem: M2M authentication failing

• Verify Entity credentials

• Check Entity Grants are configured

• Verify target entity ID in scope

Related Documentation

• User Management - Identity lifecycle

• Authorization - Roles and permissions

• Multi-Tenancy - Tenant isolation

• Security - Security model

• Developer Authentication Guide - Implementation details

Last updated: December 2025