01.login

User Login

Overview Description

The user login feature allows registered users to authenticate into the system using their email and password. The system validates user credentials, checks user status and group membership, then creates a session and returns authentication cookies. The system also tracks first-time login status to provide appropriate user experience.

API: User Login API

Activity Diagram

flowchart TD
    A[Client sends login request] --> B[Validate request data]
    B --> C{Data valid?}
    C -->|No| D[Return validation error]
    C -->|Yes| E[Verify user credentials]
    E --> F{Credentials valid?}
    F -->|No| G[Return authentication error]
    F -->|Yes| H[Find user by email]
    H --> I{User exists?}
    I -->|No| J[Return user not found error]
    I -->|Yes| K[Check user status]
    K --> L{User active?}
    L -->|No| M[Return inactive user error]
    L -->|Yes| N[Check group membership]
    N --> O{User in group?}
    O -->|No| P[Return no group error]
    O -->|Yes| Q[Update is_first_login]
    Q --> R[Create authentication cookies]
    R --> S[Return success response]
    
    style A fill:#e1f5fe
    style S fill:#c8e6c9
    style D fill:#ffcdd2
    style G fill:#ffcdd2
    style J fill:#ffcdd2
    style M fill:#ffcdd2
    style P fill:#ffcdd2

Sequence Diagram

Successful Login

sequenceDiagram
    participant Client
    participant LoginController
    participant AuthService
    participant Database
    
    Note over Client,Database: Successful Login Flow
    
    rect rgb(200, 255, 200)
    Note right of Client: Happy Case Flow
    
    Client->>LoginController: POST /api/v1/general/auth/login
    Note over Client,LoginController: {email, password}
    
    rect rgb(200, 230, 255)
    Note right of LoginController: Input Validation
    LoginController->>LoginController: Validate request
    end
    
    rect rgb(200, 255, 255)
    Note right of LoginController: Business Logic
    LoginController->>AuthService: login(email, password)
    
    AuthService->>Database: Find user by email
    Database-->>AuthService: User data + is_first_login
    
    AuthService->>Database: Check user status & groups
    Database-->>AuthService: Group membership info
    
    AuthService->>Database: Update is_first_login = false
    Database-->>AuthService: Update successful
    end
    
    rect rgb(230, 200, 255)
    Note right of AuthService: Create Session
    AuthService->>AuthService: createAuthCookieByUser()
    AuthService-->>LoginController: User data + cookies
    end
    
    LoginController->>Client: 200 OK + Set-Cookie headers
    end
    
    rect rgb(255, 200, 200)
    Note right of Client: Error Handling
    rect rgb(255, 230, 230)
    alt Validation Error
        LoginController->>Client: 422 Validation Error
    else Invalid Credentials
        AuthService-->>LoginController: Authentication failed
        LoginController->>Client: 401 Unauthorized
    else User Not Found
        Database-->>AuthService: User not found
        AuthService-->>LoginController: User not found
        LoginController->>Client: 404 User Not Found
    else User Inactive
        Database-->>AuthService: User inactive
        AuthService-->>LoginController: User status error
        LoginController->>Client: 403 Forbidden
    else No Group Membership
        Database-->>AuthService: No group membership
        AuthService-->>LoginController: Group error
        LoginController->>Client: 403 Forbidden
    end
    end
    end

Failed Login

sequenceDiagram
    participant Client
    participant LoginController
    participant AuthService
    participant Database
    
    Note over Client,Database: Failed Login Flow
    
    rect rgb(255, 200, 200)
    Note right of Client: Error Flow
    
    Client->>LoginController: POST /api/v1/general/auth/login
    Note over Client,LoginController: Invalid credentials
    
    LoginController->>LoginController: Validate request
    LoginController->>AuthService: login(email, password)
    
    AuthService->>Database: Find user by email
    Database-->>AuthService: User not found or invalid password
    
    AuthService-->>LoginController: Authentication failed
    LoginController->>Client: 401 Unauthorized
    end

Detailed Headers

Request Headers

Header Required Description Example
Content-Type Yes Request content type application/json

Detailed Cookies

Authentication Cookies

1. Auth API Token Cookie

Set-Cookie: Trend-Viewer_auth_api_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...; 
HttpOnly; 
Secure; 
SameSite=Lax;

Properties:

  • Name: Trend-Viewer_auth_api_token (where {app_name} is the application name from config)
  • Value: Encoded JWT token
  • HttpOnly: true (not accessible via JavaScript)
  • Secure: true (only sent over HTTPS)
  • SameSite: Lax (CSRF protection)

2. Logged In Status Cookie

Set-Cookie: Trend-Viewer_is_logged_in=true; 
HttpOnly; 
Secure; 
SameSite=Lax;

Properties:

  • Name: Trend-Viewer_is_logged_in
  • Value: true
  • HttpOnly: true
  • Secure: `true**
  • SameSite: Lax

Detailed Steps

Step 1: Request Validation

Input:

  • Email address from request body (required)
  • Password from request body (required)

Validation Rules:

'email' => 'required|email|max:255',
'password' => 'required|string|min:8'

Checks:

  • Valid email format
  • Password not empty and minimum length

Step 2: User Credentials Verification

Process:

  • Extract email and password from request body
  • Hash password and compare with stored hash
  • Verify user exists and credentials match
  • Check account status and permissions

Error Handling:

  • Invalid credentials: 401 Unauthorized
  • User not found: 404 Not Found

Step 3: User Lookup

User Data Retrieved:

  • Basic Info: ID, name, email, status
  • Account Info: is_first_login, created_at, updated_at
  • Group Info: Group memberships, group roles
  • Payment Info: payment_provider_customer_id

Step 4: Group Membership Check

Requirements:

  • User must belong to at least one active group
  • Check groupMember() relationship exists
  • Error: If no group → 401 Unauthorized with message "ログイン情報が正しくありません。"

Step 5: Group Status Check

Admin Group Check:

  • If user is admin, check group.status
  • Error: If admin group inactive → 401 Unauthorized with message "この事業者が無効になっています。管理者に連絡してください。"

Group Member Check:

  • Check groupMember.group.status
  • Error: If member group inactive → 401 Unauthorized with message "この事業者が無効になっています。管理者に連絡してください。"

Step 6: Session and Cookies Creation

Session Data Stored:

  • User Info: User ID, email, name
  • Authentication: JWT token, refresh token
  • Security: Session ID, CSRF token

Cookies Created:

  • auth_token: JWT token
  • logged_in: Login status
  • user_session: Session identifier

Step 7: Response Return

Success Response:

  • Status: 200 OK
  • Body: UserResource with complete user information
  • Headers: Set-Cookie for authentication cookies
  • Message: "ログインサクセス"

Error Response:

  • Status: 401 Unauthorized for most errors
  • Body: {"status": false, "message": "error message"}

is_first_login Flag

  • Purpose: Identify first-time user login
  • Logic:
    • true: First login, show welcome modal
    • false: Previously logged in
  • Update: Automatically changes from true to false after first successful login

Group Status Validation

  • Member Group Check: Check group.status for all general users
  • Error Handling: Both cases return 401 Unauthorized with Japanese message
  • Business Logic: User cannot login if group is disabled

Session Management

  • Duration: 24 hours (configurable)
  • Refresh: Auto-refresh when user is active
  • Multiple Sessions: Support login on multiple devices
  • Force Logout: Admin can force logout user

Security Features

  • CSRF Protection: SameSite cookie attribute
  • XSS Prevention: HttpOnly cookies
  • Man-in-the-Middle: Secure flag for HTTPS
  • Session Hijacking: IP and User-Agent validation