User Registration Flow
New user sign-up with email verification.
sequenceDiagram
participant User
participant App
participant Cognito
participant SES as Email (SES)
participant API
participant DDB as DynamoDB
User->>App: Enter email, password, name
App->>Cognito: SignUp
Cognito->>SES: Send verification code
SES-->>User: Email with code
Cognito-->>App: User created (unconfirmed)
User->>App: Enter verification code
App->>Cognito: ConfirmSignUp
Cognito-->>App: User confirmed
App->>Cognito: InitiateAuth
Cognito-->>App: Tokens (ID, Access, Refresh)
App->>API: POST /users (with ID token)
API->>API: Validate token
API->>DDB: Create user profile
DDB-->>API: Profile created
API-->>App: User profile
App-->>User: Welcome! Start onboarding
Login Flow
Returning user authentication.
sequenceDiagram
participant User
participant App
participant Cognito
participant API
User->>App: Enter email, password
App->>Cognito: InitiateAuth (USER_SRP_AUTH)
alt Valid Credentials
Cognito-->>App: Tokens (ID, Access, Refresh)
App->>App: Store tokens securely
App->>API: GET /users/me
API->>API: Validate ID token
API-->>App: User profile
App-->>User: Dashboard
else MFA Required
Cognito-->>App: Challenge: SMS_MFA
App-->>User: Enter MFA code
User->>App: MFA code
App->>Cognito: RespondToAuthChallenge
Cognito-->>App: Tokens
else Invalid Credentials
Cognito-->>App: NotAuthorizedException
App-->>User: Invalid email or password
end
Token Refresh Flow
Automatic token refresh for seamless user experience.
sequenceDiagram
participant App
participant TokenService as Token Service
participant Cognito
participant API
App->>TokenService: Make API request
TokenService->>TokenService: Check access token expiry
alt Token Valid
TokenService->>API: Request with access token
API-->>App: Response
else Token Expired
TokenService->>Cognito: InitiateAuth (REFRESH_TOKEN)
alt Refresh Successful
Cognito-->>TokenService: New tokens
TokenService->>TokenService: Store new tokens
TokenService->>API: Request with new access token
API-->>App: Response
else Refresh Token Expired
Cognito-->>TokenService: NotAuthorizedException
TokenService-->>App: Redirect to login
end
end
Authorization Model
Role-based access control within families.
flowchart TB
subgraph Roles["User Roles"]
Admin["Family Admin\n- Full control\n- Invite members\n- Remove members\n- Manage settings"]
Member["Family Member\n- View content\n- Create content\n- Vouch for others"]
Viewer["Viewer (Future)\n- View only\n- No create\n- No vouch"]
end
subgraph Permissions["Permissions"]
P1["view:content"]
P2["create:content"]
P3["delete:content"]
P4["invite:member"]
P5["remove:member"]
P6["vouch:member"]
P7["manage:family"]
end
Admin --> P1 & P2 & P3 & P4 & P5 & P6 & P7
Member --> P1 & P2 & P6
Viewer --> P1
API Authorization
How API requests are authorized.
sequenceDiagram
participant App
participant APIG as API Gateway
participant Authorizer as Cognito Authorizer
participant Lambda
participant DDB as DynamoDB
App->>APIG: GET /families/{id}/content
Note right of App: Authorization: Bearer
APIG->>Authorizer: Validate token
Authorizer->>Authorizer: Verify JWT signature
Authorizer->>Authorizer: Check expiration
Authorizer->>Authorizer: Extract claims
alt Valid Token
Authorizer-->>APIG: Allow + claims
APIG->>Lambda: Forward request + claims
Lambda->>Lambda: Extract userId from claims
Lambda->>DDB: Check family membership
alt User is member
DDB-->>Lambda: Membership record
Lambda->>DDB: Fetch content
DDB-->>Lambda: Content
Lambda-->>APIG: 200 OK + content
APIG-->>App: Content
else Not a member
DDB-->>Lambda: No membership
Lambda-->>APIG: 403 Forbidden
APIG-->>App: Access denied
end
else Invalid Token
Authorizer-->>APIG: Deny
APIG-->>App: 401 Unauthorized
end
Token Types
| Token | Lifetime | Purpose | Contains |
|---|---|---|---|
| ID Token | 1 hour | API authentication | User identity, email, custom attributes |
| Access Token | 1 hour | Cognito API calls | Scopes, groups |
| Refresh Token | 30 days | Get new ID/Access tokens | Session identifier |
Security Measures
| Measure | Implementation | Purpose |
|---|---|---|
| Password Policy | 12+ chars, mixed case, numbers, symbols | Strong passwords |
| MFA | SMS or TOTP (optional in dev, recommended in prod) | Second factor |
| Token Storage | Secure storage (Keychain/Keystore) | Protect tokens at rest |
| HTTPS Only | TLS 1.2+ required | Encrypt in transit |
| Rate Limiting | API Gateway throttling | Prevent brute force |