Authentication & SSO
Secure access to Autonify through multiple authentication methods including email/password and Single Sign-On (SSO) with enterprise providers.
Overview
Autonify uses Supabase Authentication to provide secure, scalable authentication with support for:
- Traditional email/password authentication
- Single Sign-On (SSO) with Microsoft/Azure AD
- Session-based authentication with automatic token refresh
- First-time setup flow for initial platform configuration
Sign In Methods
Email & Password
Traditional authentication using email address and password:
- Navigate to /login
- Enter your Email (placeholder: "m@example.com")
- Enter your Password
- Click Login button (shows "Logging in..." while processing)
- Additional elements:
  - Forgot your password? link (currently non-functional, goes to #)
  - Sign up link to go to registration
  - "Or continue with" divider separating email login from SSO
Password Requirements:
- Minimum 8 characters
- At least one uppercase letter
- At least one lowercase letter
- At least one number
- At least one special character
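The rules above as a single check, written as an added example for this page rather than Autonify's own validation code. It assumes "character" means a Unicode code point (so an emoji counts once, not twice) and that "special character" means anything that is not a letter or digit; the real form may count differently. Returning the list of failed rules, rather than just true/false, is what lets a sign-up form tell the user exactly what to fix.

```javascript
// Added example (not Autonify's code): password policy from the page, one rule per entry.
// Assumptions: length counts Unicode code points; letters/digits use Unicode classes;
// "special" = any code point that is neither a letter nor a decimal digit.
const PASSWORD_RULES = [
  { name: 'min_length', test: (pw) => [...pw].length >= 8 },      // spread splits by code point, not UTF-16 unit
  { name: 'uppercase',  test: (pw) => /\p{Lu}/u.test(pw) },
  { name: 'lowercase',  test: (pw) => /\p{Ll}/u.test(pw) },
  { name: 'digit',      test: (pw) => /\p{Nd}/u.test(pw) },
  { name: 'special',    test: (pw) => /[^\p{L}\p{Nd}]/u.test(pw) },
];

// Returns { ok, failed } where `failed` lists the names of the rules the password misses,
// in the order above, so a form can show every problem at once.
function checkPassword(pw) {
  const failed = PASSWORD_RULES.filter((rule) => !rule.test(pw)).map((rule) => rule.name);
  return { ok: failed.length === 0, failed };
}
```

Run it on a known-bad value such as "password" and it reports the uppercase, digit and special-character rules as failing; a four-character value fails only on length.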
Microsoft SSO
Sign in using your Microsoft/Azure AD account:
- Navigate to /login
- Click Sign in with Microsoft button
- Authenticate with your Microsoft account
- You are automatically redirected back to Autonify
Benefits of Microsoft SSO:
- No separate password to manage
- Inherits your organization's security policies
- Automatic provisioning for new users
- Seamless integration with Microsoft 365
Creating an Account
Self-Registration
New users can create accounts through self-registration:
- Navigate to /register or click Sign up from the login page
- Enter your full name
- Enter email address
- Create a strong password
- Click Sign up button
- Check email for confirmation (if email verification is enabled)
SSO Registration
Users can also register using SSO:
- Navigate to /register
- Click Sign in with Microsoft
- Authenticate with Microsoft
- Account automatically created with profile information
Note: SSO registration automatically populates your name from your identity provider profile.
First-Time Setup
When the first user signs in to a new Autonify instance:
Welcome Flow
- Automatic Detection: System detects no existing users
- Welcome Page: Redirected to /welcome
- Initial Configuration:
- Creates default team
- Sets up initial permissions
- Configures first user as Owner
- Completion: Redirected to main application
This ensures the platform is properly initialized with at least one admin user who can manage the system.
User Permissions System
Application-Level Permissions
Three permission levels control platform-wide access:
Permission | Description | Capabilities |
---|---|---|
Owner | Full platform control | All features, user management, system settings |
Admin | Administrative access | Access all teams, manage users, configure platform |
User | Standard access | Access assigned teams only |
Team-Level Permissions
Within teams, users have specific roles:
Role | Description | Capabilities |
---|---|---|
Admin | Team administrator | Full team control, member management, settings |
Member | Standard member | Access all team resources, create content |
User | Limited access | View-only for most resources |
Permission Assignment
- First User: Automatically becomes Owner
- SSO Users: Automatically assigned User permission
- Manual Users: Permissions set by administrators
- Awaiting Approval: New users without permissions see awaiting approval page
Protected Routes
Authentication Requirements
Routes are protected by middleware that enforces:
- Public Routes (no authentication required): /login, /register, /auth/callback, /auth/auth-code-error
- Authenticated Routes (require sign-in):
  - All other application routes
  - Automatic redirect to /login if not authenticated
- Permission-Based Access:
- Team routes require team membership or admin permissions
- Settings pages require appropriate role level
- Agent configurations require Member or Admin role
Route Protection Examples
Route Pattern | Required Permission |
---|---|
/team | Any authenticated user |
/team/[name] | Team member or app Admin/Owner |
/team/[name]/settings | Team Admin or app Admin/Owner |
/team/[name]/members | Team Admin or app Admin/Owner |
/team/[name]/datasource/[ds]/agents | Team Member/Admin or app Admin/Owner |
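The route table above, expressed as a middleware-style decision function. This is an added example and not Autonify's middleware: the session shape (an app permission plus a map of team name to team role), the lowercase permission names, and the path of the awaiting-approval page are assumptions. Two details matter for security: the path is normalized before matching so that a trailing slash or a ".." segment cannot slip past a pattern, and the most specific patterns are checked first so that /team/[name]/settings is never satisfied by plain team membership.

```javascript
// Added example (not Autonify's middleware): authorization decision for the routes listed above.
// Assumed session shape: { userId, appPermission: 'owner'|'admin'|'user'|null, teams: { [name]: 'admin'|'member'|'user' } }
const PUBLIC_ROUTES = new Set(['/login', '/register', '/auth/callback', '/auth/auth-code-error']);
const AWAITING_APPROVAL_PATH = '/awaiting-approval'; // assumed path for the "awaiting approval" page
const APP_ADMIN_PERMISSIONS = new Set(['owner', 'admin']);

const isAppAdmin = (session) => APP_ADMIN_PERMISSIONS.has(session.appPermission);
const teamRole = (session, team) => session.teams[team]; // undefined when not a member

// Most specific pattern first; the first match wins, so the bare /team/[name] rule stays last.
const TEAM_RULES = [
  { re: /^\/team\/([^/]+)\/(?:settings|members)$/,
    allow: (s, team) => isAppAdmin(s) || teamRole(s, team) === 'admin' },
  { re: /^\/team\/([^/]+)\/datasource\/[^/]+\/agents$/,
    allow: (s, team) => isAppAdmin(s) || ['admin', 'member'].includes(teamRole(s, team)) },
  { re: /^\/team\/([^/]+)(?:\/.*)?$/,
    allow: (s, team) => isAppAdmin(s) || teamRole(s, team) !== undefined },
];

// Drop query/fragment, resolve "." and ".." segments, strip a trailing slash.
function normalizePath(rawPath) {
  const { pathname } = new URL(rawPath, 'http://localhost');
  return pathname.length > 1 ? pathname.replace(/\/+$/, '') : pathname;
}

// Returns { action: 'allow' } | { action: 'redirect', to } | { action: 'deny', status: 403 }.
function authorize(rawPath, session) {
  const path = normalizePath(rawPath);
  if (PUBLIC_ROUTES.has(path)) return { action: 'allow' };
  if (!session) return { action: 'redirect', to: `/login?next=${encodeURIComponent(path)}` };
  if (!session.appPermission) {
    // Signed in but no app permission yet: park the user on the awaiting-approval page.
    return path === AWAITING_APPROVAL_PATH ? { action: 'allow' } : { action: 'redirect', to: AWAITING_APPROVAL_PATH };
  }
  if (path === '/team') return { action: 'allow' }; // any authenticated, approved user
  for (const rule of TEAM_RULES) {
    const match = path.match(rule.re);
    if (match) {
      return rule.allow(session, decodeURIComponent(match[1])) ? { action: 'allow' } : { action: 'deny', status: 403 };
    }
  }
  return { action: 'allow' }; // every other route needs only a signed-in, approved user
}
```

A team-level "User" can open /team/acme but is denied on /team/acme/settings and on the agents route; an app Admin with no team memberships reaches all of them, which is the "app Admin/Owner" escape hatch in the table.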
Session Management
Session Lifecycle
- Duration: Sessions remain active while the user keeps using the application
- Refresh: Access tokens are refreshed automatically before they expire
- Timeout: Inactive sessions expire after a period of inactivity and require a new sign-in
- Storage: Session tokens are kept in secure, HTTP-only cookies, so page scripts cannot read them
Sign Out
Users can sign out through:
- User profile menu in top-right corner
- Click on profile icon
- Select Sign Out option
- Session terminated and redirected to login
Password Management
Changing Password
Authenticated users can change their password:
- Click user profile icon
- Select Change Password
- Enter current password (for verification)
- Enter new password (must meet requirements)
- Confirm new password
- Click Update Password
Password Reset
For forgotten passwords:
- Click Forgot your password? on login page
- Feature currently links to support for manual reset
- Admin users can assist with password resets
Note: Self-service password reset via email is planned for future release.
User Profile
Profile Information
Users can view and update their profile:
- Name: Display name (editable)
- Email: Login email (read-only)
- Avatar: Profile picture via avatar_url
Updating Profile
- Click profile icon in navigation
- Select Profile option
- Edit name or upload avatar
- Changes save automatically
OAuth Callback Flow
Successful Authentication
- User authenticates with identity provider
- Provider redirects to /auth/callback with an authorization code
- Code exchanged for session tokens
- User record created/updated in database
- Redirected to intended destination or dashboard
Error Handling
Authentication errors redirect to /auth/auth-code-error with:
- Clear error message
- Option to retry authentication
- Link back to login page
Security Features
Token Security
- JWT tokens with short expiration
- Refresh tokens for extended sessions
- Secure HTTP-only cookie storage
- PKCE flow for OAuth
Rate Limiting
- Login attempts are rate-limited
- Protects against brute force attacks
- Temporary lockouts after failed attempts
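Supabase applies its own limits on the auth endpoints; the following is an added example of the shape such a limiter takes, not the platform's implementation. It keys failures both per account and per source IP (the IP address 203.0.113.5 and the credential callback are constructed for the demo) and returns the same "Invalid login credentials" message whether the email or the password was wrong. One caveat a practitioner should weigh: a per-account lockout lets an attacker lock a victim out on purpose, so production limiters usually pair a low per-account threshold with a higher per-IP one and a short lockout.

```javascript
// Added example (not Supabase's or Autonify's code): sliding-window failure counter with temporary lockout.
class LoginLimiter {
  constructor({ maxFailures = 5, windowMs = 15 * 60_000, lockoutMs = 15 * 60_000 } = {}) {
    Object.assign(this, { maxFailures, windowMs, lockoutMs });
    this.failures = new Map();    // key -> timestamps (ms) of recent failures
    this.lockedUntil = new Map(); // key -> time (ms) at which the lockout ends
  }

  // Is an attempt for this key allowed right now? Expired lockouts are cleared here.
  check(key, now) {
    const until = this.lockedUntil.get(key);
    if (until !== undefined) {
      if (now < until) return { allowed: false, retryAfterMs: until - now };
      this.lockedUntil.delete(key);
      this.failures.delete(key);
    }
    return { allowed: true, retryAfterMs: 0 };
  }

  recordFailure(key, now) {
    const recent = (this.failures.get(key) || []).filter((t) => now - t < this.windowMs);
    recent.push(now);
    this.failures.set(key, recent);
    if (recent.length >= this.maxFailures) this.lockedUntil.set(key, now + this.lockoutMs);
  }

  recordSuccess(key) {
    this.failures.delete(key);
    this.lockedUntil.delete(key);
  }
}

// Wraps a credential check. `verifyCredentials(email, password)` is a hypothetical callback
// standing in for the real password verification.
function attemptLogin(limiter, { email, ip, password }, verifyCredentials, now = Date.now()) {
  const keys = [`acct:${email.trim().toLowerCase()}`, `ip:${ip}`];
  for (const key of keys) {
    const { allowed, retryAfterMs } = limiter.check(key, now);
    if (!allowed) return { status: 429, error: 'too many attempts', retryAfterMs };
  }
  if (!verifyCredentials(email, password)) {
    keys.forEach((key) => limiter.recordFailure(key, now));
    return { status: 401, error: 'Invalid login credentials' }; // same message for unknown email and wrong password
  }
  keys.forEach((key) => limiter.recordSuccess(key));
  return { status: 200 };
}
```

After five wrong passwords for one account the sixth attempt is refused with 429 even when the password is now correct, a different account from the same IP is refused too, and once the lockout elapses the correct password signs in and the counters reset.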
Audit Trail
- Authentication events logged
- Session creation/termination tracked
- Failed login attempts recorded
Troubleshooting
Common Issues
Issue | Cause | Solution |
---|---|---|
"Authentication required" | Session expired | Sign in again |
"Invalid login credentials" | Wrong email/password | Check credentials, reset password |
Microsoft SSO fails | Azure AD configuration | Contact administrator |
Stuck on "Awaiting Approval" | No permissions assigned | Contact administrator for access |
Can't access team | Not a team member | Request team access from admin |
SSO Configuration
For Microsoft/Azure AD SSO to work:
- Application registered in Azure AD
- Redirect URIs configured correctly (the Supabase auth callback URL must be registered on the Azure AD application exactly; Azure AD matches redirect URIs literally)
- Client ID and secrets configured in Supabase
- Users exist in Azure AD directory
Best Practices
For Users
- Use strong, unique passwords
- Enable SSO when available
- Sign out from shared devices
- Keep profile information updated
For Administrators
- Enforce SSO for organization users
- Regularly review user permissions
- Monitor authentication logs
- Configure session timeout appropriately
- Document team access policies
API Authentication
For programmatic access:
- Bearer token authentication required
- Tokens obtained via Supabase auth
- Include in the Authorization header as Bearer [token]
- Tokens expire and must be refreshed
Example:
GET /api/data-sources
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...