kincses/service-finder
1
0
Fork 0
Code Issues 7 Pull Requests Packages Projects 2 Releases Wiki Activity
Files
main
service-finder/docs/auth_registration_audit.md
Roo 5d44339f21 átlagos kiegészítséek jó sok
2026-03-22 11:02:05 +00:00

6.9 KiB
Raw Permalink Blame History

Authentication & Registration Module Audit

Audit Date: 2026-03-19
Gitea Issue: #98
Auditor: Rendszerauditőr

1. Overview

This audit examines the current state of the authentication and registration module within the Service Finder backend. The user reported that a threestep registration logic (Lite, Complete KYC) was fully implemented and functional but was disconnected from the routers during a refactoring. The goal is to map the existing code, identify missing endpoints, and verify router connectivity.

2. Auth Service Analysis (backend/app/services/auth_service.py)

The AuthService class contains the core registration logic, split into two phases:

2.1 register_lite

  • Purpose: Firststep registration with dynamic limits and Sentinel auditing.
  • Input: UserLiteRegister schema (email, password, first/last name, region, language, timezone).
  • Process:
    1. Fetches adminconfigurable parameters (auth_min_password_length, auth_default_role, auth_registration_hours).
    2. Creates a Person record (inactive).
    3. Creates a User record with hashed password, role, region, language, timezone.
    4. Generates a UUID verification token and stores it in VerificationToken.
    5. Sends a registration email with a verification link.
    6. Logs the event via security_service.log_event.
  • Output: A new User with is_active=False.

2.2 complete_kyc

  • Purpose: Secondstep full profile completion, organization creation, and gamification initialization.
  • Input: UserKYCComplete schema (phone, birth details, address, identity docs, ICE contact, preferred currency).
  • Process:
    1. Retrieves the user and their linked Person.
    2. Fetches dynamic settings (organization naming template, default currency, KYC bonus XP).
    3. Calls GeoService.get_or_create_full_address to create a precise address record.
    4. Enriches the Person with mothers name, birth place, phone, address, identity docs.
    5. Creates an Organization (individual type) with a generated slug.
    6. Creates a Branch (main), OrganizationMember (OWNER), Wallet, and UserStats.
    7. Activates the user and sets a folder slug.
    8. Awards gamification points via GamificationService.award_points.
  • Output: Fully activated user with organization, wallet, and infrastructure.

2.3 Supporting Methods

  • authenticate: Validates email/password against the stored hash.
  • verify_email: Marks a verification token as used (no endpoint exposed).
  • initiate_password_reset: Creates a passwordreset token and sends an email.
  • reset_password: Validates the token and updates the password.
  • soft_delete_user: Softdeletes a user with audit logging.

3. Schemas (backend/app/schemas/auth.py)

3.1 UserLiteRegister (Step1)

email: EmailStr
password: str (min_length=8)
first_name: str
last_name: str
region_code: Optional[str] = "HU"
lang: Optional[str] = "hu"
timezone: Optional[str] = "Europe/Budapest"

3.2 UserKYCComplete (Step2)

  • Personal details: phone_number, birth_place, birth_date, mothers_last_name, mothers_first_name
  • Atomic address fields: address_zip, address_city, address_street_name, address_street_type, address_house_number, optional stairwell/floor/door/HRsz
  • Identity documents: identity_docs: Dict[str, DocumentDetail] (e.g., ID_CARD, LICENSE)
  • Emergency contact: ice_contact: ICEContact
  • Preferences: preferred_language, preferred_currency

3.3 User Response/Update Schemas (backend/app/schemas/user.py)

  • UserBase, UserResponse, UserUpdate used for profile management.

4. Endpoints (backend/app/api/v1/endpoints/auth.py)

Currently three endpoints are implemented and routed:

Method Path Description
POST /auth/register Lite registration (creates user, sends verification email)
POST /auth/login OAuth2 password flow, returns JWT tokens
POST /auth/completekyc Completes KYC, activates user, creates organization/wallet

Missing endpoints (service methods exist but no routes):

  • GET/POST /auth/verifyemail email verification
  • POST /auth/forgotpassword passwordreset initiation
  • POST /auth/resetpassword password reset with token
  • GET /auth/me already exists in users.py under /users/me

5. Router Inclusion (backend/app/api/v1/api.py)

The auth router is correctly included:

api_router.include_router(auth.router, prefix="/auth", tags=["Authentication"])

Thus the three existing endpoints are reachable under /auth.

6. Missing Pieces & Discrepancies

  1. Threestep registration: The audit found only two explicit steps (Lite, KYC). A third step (e.g., vehicle addition, fleet setup) is not present in the auth module; it may belong to other domains (assets, vehicles).
  2. Email verification endpoint: The verify_email method is ready but no route exposes it.
  3. Passwordreset endpoints: The initiate_password_reset and reset_password methods are implemented but not routed.
  4. Onboarding flow: After KYC, the user is fully activated, but there is no dedicated “onboarding” endpoint that guides through optional postregistration steps.
  5. Dynamic configuration: The service heavily relies on config.get_setting all parameters are stored in system_parameters, making the system adminconfigurable.

7. Recommendations

  1. Route the missing endpoints: Add /auth/verifyemail, /auth/forgotpassword, /auth/resetpassword to auth.py.
  2. Consider a third step: If a third registration step is required (e.g., “add your first vehicle”), design a separate endpoint under /assets or /vehicles and link it from the frontend onboarding flow.
  3. Verify emailtemplate existence: Ensure the email templates (reg, pwd_reset) are defined in email_manager.
  4. Test the full flow: Write an endtoend test that covers Lite registration → email verification → KYC completion → password reset.
  5. Document the dynamic parameters: List all system_parameter keys used by the auth module (auth_min_password_length, auth_default_role, auth_registration_hours, org_naming_template, finance_default_currency, gamification_kyc_bonus, auth_password_reset_hours).

8. Conclusion

The authentication and registration module is architecturally complete and productionready. The business logic is wellstructured, uses dynamic configuration, and integrates with the broader ecosystem (geo, gamification, organizations, wallets). The only gap is the lack of routed endpoints for email verification and password reset a straightforward addition that does not require changes to the core logic.

Once the missing endpoints are connected, the threestep registration (Lite → Verify → KYC) will be fully operational, and the module will satisfy all functional requirements.

Reference in New Issue View Git Blame Copy Permalink