Crowdex
Users

User

Overview

The User entity is the core representation of users in the system. It contains attributes required for managing user accounts, securing login processes, and maintaining user authentication and authorization states. This entity handles aspects such as password storage, email verification, multi-factor authentication (MFA), KYC status, and security measures like CAPTCHA and account blocking.

Attributes Description

  1. username (string, required, unique)

    • The unique identifier for the user, typically used during login. It must be at least 3 characters long.
    • This attribute is required and cannot be reconfigured once created.
    • Example: johndoe

  2. provider (string)

    • The authentication provider the user is registered with (e.g., local, google, facebook).
    • Default: local (meaning the user registered directly through the platform rather than via third-party services).
    • Example: local

  3. password (password, private)

    • The user’s password is securely hashed and stored. The minimum length is 6 characters.
    • This field is marked as private and non-searchable, meaning it is hidden from queries.
    • Example: hashed_password

  4. resetPasswordToken (string, private)

    • A token used for resetting the user’s password. Generated when the user requests a password reset.
    • It is kept private and is not searchable.
    • Example: abc123resetToken

  5. confirmationToken (string, private)

    • A token generated when the user registers, used to confirm their email address.
    • Like the resetPasswordToken, this is private and non-searchable.
    • Example: emailConfirmToken456

  6. confirmed (boolean, default: false)

    • A flag indicating whether the user has confirmed their email address. When the user confirms, this is set to true.
    • Default: false
    • Example: true (if the email is confirmed)

  7. blocked (boolean, default: false)

    • Indicates whether the user’s account is blocked (manually by an admin or due to security reasons).
    • When set to true, the user cannot log in.
    • Default: false
    • Example: false (if the user is not blocked)

  8. role (relation, manyToOne, plugin::users-permissions.role)

    • Defines the user’s role in the system, which determines their permissions and access rights.
    • It is a relation to the Role entity in the users-permissions plugin.
    • Example: admin, user

  9. email (email, optional)

    • The user’s email address, which must follow a valid email format.
    • This field is optional and can be left blank if the user uses a phone number as their identifier.
    • Example: johndoe@example.com

  10. phone (string, optional)

  • The user’s phone number, used as an alternative identifier for login or communication.
  • This field is optional but is often used for OTP delivery via SMS.
  • Example: +1234567890
  1. referralCode (string)
  • A unique code that the user can share with others to refer them to the platform. This is used for tracking referral programs.
  • Example: REF12345
  1. acceptedTerms (boolean)
  • A flag indicating whether the user has accepted the platform’s terms and conditions.
  • Default: false
  • Example: true (if the user has accepted the terms)
  1. acceptedTermsAt (datetime)
  • The date and time when the user accepted the terms and conditions.
  • Example: 2023-09-15T12:34:56Z
  1. deletionRequested (boolean)
  • Indicates whether the user has requested to delete their account.
  • Example: false
  1. externalId (string)
  • An external identifier for the user, used for integration with third-party services such as KYC providers.
  • Example: KYC123456789
  1. kycStatus (enumeration, default: PENDING)
  • Defines the current KYC (Know Your Customer) verification status of the user. Possible values are:
    • PENDING: KYC verification is in progress.
    • APPROVED: KYC verification has been successfully completed.
    • DECLINED: KYC verification has been denied.
  • Default: PENDING
  • Example: APPROVED
  1. address (component)
  • A component that stores the user’s address information, such as street, city, and country. This is a non-repeatable field.
  • Example: { street: "Main St", city: "New York", country: "USA" }
  1. isMfaEnabled (boolean, default: true)
  • Indicates whether multi-factor authentication (MFA) is enabled for the user.
  • Default: true
  • Example: true
  1. firstName (string)
  • The user’s first name.
  • Example: John
  1. lastName (string)
  • The user’s last name.
  • Example: Doe
  1. kycExternalId (string)
  • The external identifier for the user’s KYC process, assigned by the KYC provider.
  • Example: KYC_EXT_12345
  1. birthDate (date)
  • The user’s date of birth.
  • Example: 1990-01-01
  1. failedOtpAttempts (integer, default: 0)
  • Tracks the number of failed OTP attempts made by the user. Once the number of failed attempts exceeds the allowed threshold, further security measures are triggered.
  • Default: 0
  • Example: 3
  1. captchaRequired (boolean, default: false)
  • A flag indicating whether the user must pass a CAPTCHA challenge during login due to multiple failed attempts.
  • Default: false
  • Example: true
  1. lastBlockedAt (datetime)
  • The date and time when the user was last blocked due to security concerns, such as multiple failed login attempts.
  • Example: 2024-09-01T10:30:00Z
  1. otpRequestCount (integer, default: 0)
  • Tracks the number of OTP requests made by the user. If the count exceeds a set limit, the user may be temporarily blocked or required to solve CAPTCHA.
  • Default: 0
  • Example: 2
  1. lastOtpSentAt (datetime)
  • The date and time when the last OTP was sent to the user.
  • Example: 2024-09-01T10:32:00Z

Security Flow

Login Process

  1. User Login Attempt:

    • The user submits their username or email and password.
    • If the username/email and password are valid, the login proceeds.
    • If the password is incorrect, the failed attempt count increases.

  2. Password Validation:

    • The system checks the provided password against the stored hash.
    • If incorrect, after a certain number of failed attempts, the user may be required to complete a CAPTCHA challenge.

  3. Email Confirmation:

    • If the user’s email is not confirmed (i.e., confirmed is false), they cannot proceed with login until they confirm their email.

OTP Process

  1. OTP Request:

    • When MFA is enabled (isMfaEnabled), the system sends a one-time password (OTP) to the user’s email or phone.
    • The user must enter the OTP to complete the login process.

  2. OTP Validation:

    • The user provides the OTP. If incorrect, the system tracks failed OTP attempts in the failedOtpAttempts field.
    • If the number of failed OTP attempts exceeds 5, the account is temporarily blocked, and further login attempts are restricted.

CAPTCHA Requirement

  • Triggered by Failed Attempts:
    • After multiple failed login or OTP attempts (e.g., 2 incorrect OTP entries), the user must complete a CAPTCHA challenge to continue.
    • CAPTCHA validation is required if the captchaRequired field is set to true.

Account Blocking

  • Temporary Blocking:

    • If the number of failed attempts exceeds a threshold, the user is temporarily blocked. The lastBlockedAt field stores when the block occurred.
    • The account remains blocked for 15 minutes, after which it is automatically unblocked.

  • Permanent Blocking:

    • The account can also be manually blocked by setting the blocked field to true, preventing all login attempts until manually unblocked.

OTP Expiration

  • Expiration and Retry:
    • OTP codes expire after 15 minutes. If the OTP is not used within this window, the user must request a new OTP.
    • After 3 OTP requests, the account may require additional validation, such as CAPTCHA or temporary blocking.

Summary of User Security Flow

  1. Login Attempt → 2. Password Validation → 3. OTP Verification → 4. Check for Blocked Status/Failed Attempts → 5. CAPTCHA (if required) → 6. Account Blocking → 7. Unblocking or Expiration Handling
User Wallet