Authentication System


Authentication Overview

The application uses two different sign-in experiences:

  • Admin Panel: standard email and password login
  • App Panel: email address, then a one-time password (OTP) emailed to that address; there is no password step

Access is also split by user type:

  • admin users can access /admin
  • company users can access /app

Admin Panel Login

The admin panel uses Filament's default login page.

Who uses it

  • shop super admins created during Shopify installation

How it works

  • sign in with email and password
  • no OTP step is implemented here
  • password changes are handled from the Change Password page in the admin panel

App Panel Login

The app panel uses a custom OTP login flow.

Step 1: Enter email

The user enters their email address on /app/login.

The app checks that:

  • a user with that email exists in the current shop context
  • that user belongs to the shop resolved from the current subdomain (the same email under a different shop does not match)

Step 2: OTP email

If the user exists, the app:

  • generates a 6-digit OTP
  • hashes and stores it
  • sets a 10-minute expiry
  • emails the OTP to the user

Step 3: Verify OTP

The user enters the OTP. If it matches and has not expired:

  • the user is signed in
  • the OTP fields are cleared
  • unverified users are redirected to the email verification prompt

OTP resend and rate limiting

The login page supports resending the OTP. The OTP request flow (first request and resend) is rate limited to reduce abuse.
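The three steps above, plus resend and rate limiting, as one added example. This is not the project's own code: it assumes a users table with shop_id, otp_hash (nullable) and otp_expires_at (nullable, cast to datetime) columns, an OtpMail mailable that takes the plaintext code, and a Shop model resolved from the request subdomain. The rate-limit thresholds are assumptions (the page gives no figures), and the example also limits verification attempts, which the page does not state the app does.

```php
<?php
// Added example, not the project's code. Assumed schema: users has shop_id,
// otp_hash (nullable string) and otp_expires_at (nullable, cast to datetime).
// OtpMail is an assumed mailable; the rate-limit numbers are assumptions.

namespace App\Auth;

use App\Mail\OtpMail;
use App\Models\Shop;
use App\Models\User;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Mail;
use Illuminate\Support\Facades\RateLimiter;

final class OtpLogin
{
    public const TTL_MINUTES = 10;     // from the page
    public const MAX_REQUESTS = 5;     // OTP emails per window per email+IP (assumed)
    public const MAX_GUESSES = 5;      // verify attempts per window per email+IP (assumed)
    public const WINDOW_SECONDS = 600; // one OTP lifetime

    // $shop is the shop resolved from the request subdomain.
    public function __construct(private Shop $shop) {}

    private function findUser(string $email): ?User
    {
        // Scoped to the current shop: the same email under another shop is not found.
        return User::query()
            ->where('shop_id', $this->shop->id)
            ->where('email', $email)
            ->first();
    }

    private function key(string $kind, string $email, string $ip): string
    {
        return "otp-{$kind}:" . sha1(strtolower($email) . '|' . $ip);
    }

    /**
     * Steps 1 and 2, also used for resend. Returns seconds to wait when rate
     * limited, otherwise null whether or not the email is known, so the
     * response does not reveal which addresses have accounts.
     */
    public function request(string $email, string $ip): ?int
    {
        $key = $this->key('request', $email, $ip);
        if (RateLimiter::tooManyAttempts($key, self::MAX_REQUESTS)) {
            return RateLimiter::availableIn($key);
        }
        RateLimiter::hit($key, self::WINDOW_SECONDS);

        $user = $this->findUser($email);
        if ($user === null) {
            return null;
        }

        // 6 digits from a CSPRNG, zero-padded; only the hash is stored.
        $otp = str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);
        $user->forceFill([
            'otp_hash'       => Hash::make($otp),
            'otp_expires_at' => now()->addMinutes(self::TTL_MINUTES),
        ])->save();

        Mail::to($user)->send(new OtpMail($otp));
        return null;
    }

    /** Step 3. Returns the signed-in user, or null on any failure. */
    public function verify(string $email, string $otp, string $ip): ?User
    {
        $key = $this->key('verify', $email, $ip);
        if (RateLimiter::tooManyAttempts($key, self::MAX_GUESSES)) {
            return null;
        }
        RateLimiter::hit($key, self::WINDOW_SECONDS);

        $user = $this->findUser($email);
        $valid = $user !== null
            && $user->otp_hash !== null
            && $user->otp_expires_at !== null
            && now()->lt($user->otp_expires_at)
            && Hash::check($otp, $user->otp_hash);
        if (! $valid) {
            return null;
        }

        // Single use: clear the code before signing in so a replay fails.
        $user->forceFill(['otp_hash' => null, 'otp_expires_at' => null])->save();
        RateLimiter::clear($key);

        Auth::login($user);
        request()->session()->regenerate(); // fresh session id after authentication

        return $user;
    }
}
```

The calling page redirects a returned user whose hasVerifiedEmail() is false to the verification prompt. A six-digit code has only a million values, so the ten-minute lifetime is only safe against online guessing if verification attempts are capped as well as OTP requests; that is why verify() is rate limited here too, keyed on email and client IP.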

Company Registration and Email Verification

The app panel also includes a custom registration page at /app/register.

Registration collects

  • company name
  • first location name
  • shipping address
  • billing address
  • main contact details
  • payment terms

What happens after registration

  1. A company user is created in an inactive state.
  2. A pending company registration record is stored.
  3. A verification email is sent.
  4. After the email is verified, the app creates the Shopify company and local company data in the background.
  5. The verified user is promoted to CompanyAdmin and activated.

This means the company is finalized after email verification, not immediately on form submission.
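The post-verification steps wired as a queued job, as an added example (not the project's code), showing how finalization runs only for a verified user and only once even if the job is retried. It assumes a PendingCompanyRegistration model holding the submitted form fields with a processed_at column, a Company model with shop_id, name and shopify_company_id, a ShopifyCompanyClient interface whose createCompany(array $data): string returns the Shopify company id, and role and is_active columns on users; all of these names are assumptions.

```php
<?php
// Added example, not the project's code. Assumed: PendingCompanyRegistration
// holds the submitted form data and has a processed_at column; Company has
// shop_id, name and shopify_company_id; ShopifyCompanyClient is an interface
// with createCompany(array $data): string returning the Shopify company id;
// users have role and is_active columns.

namespace App\Jobs;

use App\Models\Company;
use App\Models\PendingCompanyRegistration;
use App\Models\User;
use App\Services\ShopifyCompanyClient;
use Illuminate\Auth\Events\Verified;
use Illuminate\Bus\Queueable;
use Illuminate\Contracts\Queue\ShouldQueue;
use Illuminate\Queue\InteractsWithQueue;
use Illuminate\Queue\SerializesModels;
use Illuminate\Support\Facades\DB;

// Registered in EventServiceProvider: Verified::class => [QueueCompanyFinalization::class]
final class QueueCompanyFinalization
{
    public function handle(Verified $event): void
    {
        FinalizeCompanyRegistration::dispatch($event->user);
    }
}

final class FinalizeCompanyRegistration implements ShouldQueue
{
    use InteractsWithQueue, Queueable, SerializesModels;

    public function __construct(private User $user) {}

    public function handle(ShopifyCompanyClient $shopify): void
    {
        $user = $this->user->fresh();

        // Re-check inside the worker: being dispatched is not proof of verification.
        if ($user === null || ! $user->hasVerifiedEmail()) {
            return;
        }

        $pending = PendingCompanyRegistration::query()
            ->where('user_id', $user->id)
            ->whereNull('processed_at')
            ->first();
        if ($pending === null) {
            return; // nothing pending, or already finalized
        }

        // Atomic claim: exactly one worker proceeds even if the job runs twice.
        $claimed = PendingCompanyRegistration::query()
            ->whereKey($pending->id)
            ->whereNull('processed_at')
            ->update(['processed_at' => now()]);
        if ($claimed !== 1) {
            return;
        }

        try {
            $shopifyCompanyId = $shopify->createCompany($pending->only([
                'company_name', 'first_location_name', 'shipping_address',
                'billing_address', 'main_contact', 'payment_terms',
            ]));
        } catch (\Throwable $e) {
            $pending->update(['processed_at' => null]); // release the claim so a retry can run
            throw $e;
        }

        DB::transaction(function () use ($user, $pending, $shopifyCompanyId): void {
            $company = Company::create([
                'shop_id'            => $user->shop_id,
                'name'               => $pending->company_name,
                'shopify_company_id' => $shopifyCompanyId,
            ]);
            $company->locations()->create(['name' => $pending->first_location_name]);
            $company->users()->attach($user->id); // tenant membership for /app/{slug}
            $user->forceFill(['role' => 'CompanyAdmin', 'is_active' => true])->save();
        });
    }
}
```

The user stays inactive and unprivileged until the last transaction, so a registration whose email is never verified never produces a company, a tenant membership or a CompanyAdmin. The claim on processed_at is released if the Shopify call fails, which lets the queue's normal retry finish the job without creating a second company.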

User Types and Roles

User types

  • admin
  • company

Company roles currently defined

  • Requester
  • Orderer
  • OrdererAdmin
  • BudgetAdmin
  • CompanyAdmin

These roles are used in resource policies and order actions throughout the app panel.

Tenant Access

The app panel is tenant-based by company.

What that means

  • a company user can belong to one or more companies
  • Filament uses the company slug in app panel URLs
  • users can only access companies they are assigned to

Within a tenant, order visibility is further limited by the user's role and location assignment in the implemented policies.
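How the panel split, the tenant check and the role- and location-scoped order policy fit together on the Filament side, as an added example that is not the project's code. It uses Filament's FilamentUser and HasTenants contracts (real API) and assumes a users.user_type column holding admin or company, a users.role column holding one of the company roles listed above, an is_active flag, company_user and location_user pivot tables, and company_id and location_id on orders. Which roles see all of a company's orders is an assumption; the page only says role and location both apply.

```php
<?php
// Added example, not the project's code. Assumed columns: users.user_type
// ('admin' | 'company'), users.role (one of the company roles), users.is_active;
// pivots company_user and location_user; orders.company_id and orders.location_id.

namespace App\Models;

use Filament\Models\Contracts\FilamentUser;
use Filament\Models\Contracts\HasTenants;
use Filament\Panel;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Database\Eloquent\Relations\BelongsToMany;
use Illuminate\Foundation\Auth\User as Authenticatable;
use Illuminate\Support\Collection;

class User extends Authenticatable implements FilamentUser, HasTenants
{
    public function companies(): BelongsToMany
    {
        return $this->belongsToMany(Company::class);
    }

    public function locations(): BelongsToMany
    {
        return $this->belongsToMany(Location::class);
    }

    // Panel split: admin users only reach /admin, company users only reach /app.
    public function canAccessPanel(Panel $panel): bool
    {
        return match ($panel->getId()) {
            'admin' => $this->user_type === 'admin',
            'app'   => $this->user_type === 'company' && (bool) $this->is_active,
            default => false,
        };
    }

    // Tenant switcher: only the companies this user is assigned to.
    public function getTenants(Panel $panel): Collection
    {
        return $this->companies;
    }

    // Filament calls this for every /app/{company-slug}/... request.
    public function canAccessTenant(Model $tenant): bool
    {
        return $this->companies()->whereKey($tenant->getKey())->exists();
    }
}

namespace App\Policies;

use App\Models\Order;
use App\Models\User;
use Filament\Facades\Filament;

class OrderPolicy
{
    // Roles assumed to see every order in the company; others are location-scoped.
    private const COMPANY_WIDE_ROLES = ['CompanyAdmin', 'OrdererAdmin', 'BudgetAdmin'];

    public function view(User $user, Order $order): bool
    {
        // The order must belong to the tenant in the URL, never just "a" company
        // the user belongs to; otherwise a user in two companies could read across them.
        $tenant = Filament::getTenant();
        if ($tenant === null || (int) $order->company_id !== (int) $tenant->getKey()) {
            return false;
        }

        if (in_array($user->role, self::COMPANY_WIDE_ROLES, true)) {
            return true;
        }

        // Requester / Orderer: only orders placed for a location they are assigned to.
        return $user->locations()->whereKey($order->location_id)->exists();
    }
}
```

The important check is the comparison against Filament::getTenant() rather than against $user->companies: a user assigned to two companies is a legitimate member of both, so membership alone cannot decide which company's orders a given /app/{slug} request may show.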

Current Security Features

The current build includes:

  • shop isolation by subdomain
  • separate admin and company panel access checks
  • OTP-based sign-in for company users
  • email verification for company-user onboarding
  • session regeneration after successful app-panel login
  • location- and tenant-scoped data access in resources

Not currently documented as implemented

The current codebase does not provide evidence of:

  • SSO
  • LDAP or directory sync
  • configurable two-factor methods beyond OTP email login
  • self-service password reset flow for the app panel