Screen Flows — Auth & Registration
Screen IDs reference screens-auth.md. Auth screens are served by the Dashboard Next.js app at unauthenticated routes.
Status: Core login/register flows [Live]. Social OAuth login and mobile biometric auth [To Build].
1. Login
Tenant Selection Modal
Appears immediately after credential validation for users who belong to more than one tenant.
| Element | Behaviour |
|---|---|
| Org dropdown | Searchable combobox — filters by name as user types. Handles 100+ tenants. |
| Select button | Sets active tenant context and redirects to /dashboard. |
| Dismiss / Cancel | Returns user to the login screen (session not established). |
Error States
| Condition | UI Response |
|---|---|
| Empty email or password | Inline field error below input |
| Incorrect credentials | Banner error above form |
| Account locked (5 failed attempts) | Banner error with lockout duration |
| Unverified email | Banner with “resend verification link” action |
| Expired reset token | Error on A3 page load — link to A2 |
2. Password Reset
Security notes:
- A2 always shows a success message regardless of whether the email exists (prevents enumeration).
- Reset link expires after 1 hour.
- Rate limited to 3 reset requests per hour per email.
- A3 checks the password against HIBP (Have I Been Pwned) on blur and warns if compromised.
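
The A2 behaviour in the notes above (uniform response, 1-hour expiry, 3 requests per hour per email), sketched as an added example; it is not code from this project. Assumptions: `createResetService`, the in-memory maps, the `users` set and the `sendMail` callback are hypothetical names, and the single-use token, the hashed token storage and the identical response when throttled are choices made here, not stated on the page.

```javascript
const crypto = require("node:crypto");

const RESET_TTL_MS = 60 * 60 * 1000; // page: reset link expires after 1 hour
const WINDOW_MS = 60 * 60 * 1000;    // page: rate limit window is 1 hour
const MAX_REQUESTS = 3;              // page: 3 reset requests per hour per email
const GENERIC = "If that address is registered, a reset link has been sent.";

const sha256 = (s) => crypto.createHash("sha256").update(s).digest("hex");

// users: Set of registered emails; sendMail(to, link): delivery callback (both hypothetical).
function createResetService(users, sendMail) {
  const requests = new Map(); // email -> timestamps of counted requests
  const tokens = new Map();   // sha256(token) -> { email, expiresAt }

  function requestReset(rawEmail, now = Date.now()) {
    const email = String(rawEmail).trim().toLowerCase();
    const recent = (requests.get(email) || []).filter((t) => now - t < WINDOW_MS);
    const allowed = recent.length < MAX_REQUESTS;
    if (allowed) recent.push(now);
    // Unknown addresses are counted too, so throttling cannot reveal which emails exist.
    requests.set(email, recent);

    if (allowed && users.has(email)) {
      const token = crypto.randomBytes(32).toString("base64url");
      // Only the hash is stored: a leaked token table cannot be replayed as reset links.
      tokens.set(sha256(token), { email, expiresAt: now + RESET_TTL_MS });
      sendMail(email, `/reset-password?token=${token}`);
    }
    // Same status and body for known, unknown and throttled requests.
    return { status: 200, message: GENERIC };
  }

  // Called when A3 submits; returns the account email or null (assumed single use).
  function redeem(token, now = Date.now()) {
    const key = sha256(String(token));
    const entry = tokens.get(key);
    if (!entry) return null;
    tokens.delete(key);
    return now < entry.expiresAt ? entry.email : null;
  }

  return { requestReset, redeem };
}
```

A production handler would also keep response timing similar for known and unknown addresses, for example by queueing the email send instead of awaiting it in the request.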
3. Self-Signup (New — /signup)
Self-Signup Step Summary
| Step | Screen | Route | Key fields |
|---|---|---|---|
| 1 | S1 — Contact | /signup | Country, First/Last Name, Email, Mobile, Password |
| 2 | S2 — Company | /signup/company | Company Name, Industry, Website (optional) |
| 3 | S3 — Location | /signup/location | State, GST, PAN, SEZ (all optional) |
| 4 | S4 — Plan | /signup/plan | Plan selection, Billing Address |
Session storage keys: signup_step1, signup_step2, signup_step3, signup_session_token
Redirect guards: Each step checks for the preceding step’s sessionStorage key and redirects to step 1 (or the missing step) if it is absent.
Post-payment: Redirects to /login?registered=1. No intermediate onboarding wizard step — user logs in and lands on /dashboard where the GettingStartedView handles onboarding context.
4. Legacy Registration (/register)
Registration Step Summary (Legacy)
| Step | Screen | Route | Required fields |
|---|---|---|---|
| 1 | R1 — Contact | /register | Country, First Name, Last Name, Email, Mobile, Password |
| 2 | R2 — Company | /register/company | Legal Company Name, Brand / Display Name |
| 3 | R3 — Location | /register/location | State (Country pre-filled from Step 1) |
| 4 | R4 — Plan | /register/plan | Plan selection, Billing Address |
Auto-save: Each step is persisted server-side on Continue so the user can resume after closing the browser.
5. Mobile Auth
The React Native app uses the same credentials as the web app with an additional biometric unlock layer.
6. Screen Index
| ID | Screen | Route |
|---|---|---|
| A1 | Login | /login |
| A2 | Forgot Password | /forgot-password |
| A3 | Reset Password | /reset-password?token=… |
| S1 | Self-Signup — Contact | /signup |
| S2 | Self-Signup — Company | /signup/company |
| S3 | Self-Signup — Location & Tax | /signup/location |
| S4 | Self-Signup — Plan & Payment | /signup/plan |
| SE | Self-Signup — Expired Session | /signup/expired |
| R1 | Register — Contact (legacy) | /register |
| R2 | Register — Company (legacy) | /register/company |
| R3 | Register — Location (legacy) | /register/location |
| R4 | Register — Plan & Payment (legacy) | /register/plan |