Authentication Module - Overview
Complete guide to the EduShade Authentication & Authorization system
Authentication Module
The Authentication Module is the core identity and access management system of the EduShade platform. It handles everything from user registration and login to role-based access control (RBAC) and admin user management.
What This Module Covers
| Feature | Description |
|---|---|
| Registration | Create new accounts via email, phone, or social login |
| Login | Sign in with email/username + password or phone OTP |
| OAuth & Social Login | Sign in with Google or Facebook (Apple/GitHub supported by the backend but not yet enabled in the UI) |
| Email Verification | Verify your email address via OTP or link |
| Phone Verification | Verify your phone number via SMS OTP |
| Password Management | Forgot password, reset password, change password |
| Account Management | Edit profile, change email/phone, update avatar |
| Session Management | View active sessions, manage devices, terminate sessions |
| Roles & Permissions (RBAC) | Role-based access control with granular permissions |
| User Management (Admin) | Admin tools for creating, editing, and managing users |
| User Impersonation | Admin can act as another user — two modes: Impersonation (read-only) and Masquerade (full access) |
| Security Features | Brute force protection, rate limiting, account lockout |
| Profile Completion | Required profile fields and completion workflow |
| Account Deletion | Self-service and admin account deletion |
| User Analytics | User growth stats, registration trends, quick overview |
| Auth Page Customization | Tenant-controlled image shown on the login/register/verify pages |
Architecture Overview
The authentication system is built as a standalone microservice (auth-service) that communicates with the frontend (Next.js) and other backend services.
Key Components
- Backend: Go (Gin framework) with Bun ORM on PostgreSQL
- Frontend: Next.js with React, using custom auth hooks and context providers
- Token System: JWT-based authentication with access + refresh token pairs
- Multi-Tenancy: Full tenant isolation — every user, role, and session is scoped to a tenant
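The token system and tenant isolation listed above, exercised end to end as an added example in Go (the backend's language): login, per-request verification, refresh with rotation, and logout, which is the lifecycle spelled out under How Authentication Works further down this page. This is illustrative code written for this page, not the auth-service's implementation: the Claims layout, signing HS256 by hand with crypto/hmac instead of a JWT library, the 15-minute access lifetime, the `<sid>.<secret>` refresh-token format and the in-memory session map standing in for the PostgreSQL session table are all assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is an assumed layout; the page does not document the auth-service's real claim names.
type Claims struct {
	Sub      string `json:"sub"`
	TenantID string `json:"tenant_id"`
	SID      string `json:"sid"`
	Exp      int64  `json:"exp"`
}
type session struct { // server-side record behind a refresh token
	userID, tenantID string
	refreshHash      [32]byte // SHA-256 of the current refresh secret; the secret itself is never stored
}
type Auth struct {
	key      []byte
	sessions map[string]*session // in-memory stand-in for the PostgreSQL session table
	Now      func() time.Time    // injectable clock so expiry is testable
}
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
func (a *Auth) mac(s string) []byte {
	m := hmac.New(sha256.New, a.key)
	m.Write([]byte(s))
	return m.Sum(nil)
}
func random(n int) string {
	b := make([]byte, n)
	rand.Read(b) // crypto/rand.Read is documented never to fail
	return b64(b)
}
// issueAccess signs an HS256 JWT by hand with crypto/hmac (no third-party module); the 15-minute TTL is assumed.
func (a *Auth) issueAccess(s *session, sid string) string {
	body, _ := json.Marshal(Claims{Sub: s.userID, TenantID: s.tenantID, SID: sid, Exp: a.Now().Add(15 * time.Minute).Unix()})
	input := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(body)
	return input + "." + b64(a.mac(input))
}
func (a *Auth) newRefresh(sid string, s *session) string {
	secret := random(32)
	s.refreshHash = sha256.Sum256([]byte(secret)) // overwriting the hash retires the previous token
	return sid + "." + secret
}
// Login (flow step 3): only an account in status "active" gets an access + refresh pair.
func (a *Auth) Login(userID, tenantID, status string) (access, refresh string, err error) {
	if status != "active" {
		return "", "", fmt.Errorf("login refused: account status is %q", status)
	}
	sid, s := random(9), &session{userID: userID, tenantID: tenantID}
	a.sessions[sid] = s
	return a.issueAccess(s, sid), a.newRefresh(sid, s), nil
}
// Verify (flow step 4): signature first, then expiry, tenant scope and session existence on every request.
func (a *Auth) Verify(token, tenantID string) (c Claims, err error) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return c, errors.New("malformed token")
	}
	raw, e1 := base64.RawURLEncoding.DecodeString(p[1])
	sig, e2 := base64.RawURLEncoding.DecodeString(p[2])
	if e1 != nil || e2 != nil || !hmac.Equal(sig, a.mac(p[0]+"."+p[1])) || json.Unmarshal(raw, &c) != nil {
		return Claims{}, errors.New("bad signature or malformed claims")
	}
	if _, live := a.sessions[c.SID]; !live || a.Now().Unix() >= c.Exp || c.TenantID != tenantID {
		return Claims{}, errors.New("expired, issued for another tenant, or session terminated")
	}
	return c, nil
}
// Refresh (flow step 5): single-use refresh tokens; presenting an already-rotated one terminates the session.
func (a *Auth) Refresh(refresh string) (access, next string, err error) {
	sid, secret, ok := strings.Cut(refresh, ".")
	s := a.sessions[sid]
	if !ok || s == nil {
		return "", "", errors.New("invalid refresh token")
	}
	if h := sha256.Sum256([]byte(secret)); !hmac.Equal(h[:], s.refreshHash[:]) {
		delete(a.sessions, sid) // reuse means the token leaked; kill the session rather than serve either holder
		return "", "", errors.New("refresh token reuse detected; session terminated")
	}
	return a.issueAccess(s, sid), a.newRefresh(sid, s), nil
}
// Logout (flow step 6): dropping the session invalidates both tokens, since Verify and Refresh look it up.
func (a *Auth) Logout(sid string) { delete(a.sessions, sid) }

func main() {
	a := &Auth{key: []byte("dev-only-key; use 32+ random bytes in production"), sessions: map[string]*session{}, Now: time.Now}
	_, err := a.Verify("not.a.token", "tenant-a")
	fmt.Println(err)
}
```

Three properties of this sketch are the ones worth carrying into a real auth-service. Every request consults the session store, so terminating a session (Logout here, or an admin ending a device session under Session Management) takes effect on the next request rather than at access-token expiry. A refresh token presented a second time terminates the session instead of silently minting another pair, which turns a stolen refresh token into a detectable event. And the header's `alg` field is never consulted, which removes the `alg:none` and key-confusion class of JWT bugs; a production service using a JWT library should pin the accepted algorithm explicitly for the same reason, keep the session table in PostgreSQL, and log the distinct failure reasons that this example collapses into single messages.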
User Types
EduShade supports three user types, and a single user can hold multiple types simultaneously:
| Type | Flag | Default | Description |
|---|---|---|---|
| Learner | is_learner | true | Students who enroll in courses and learning paths |
| Instructor | is_instructor | false | Teachers who create and manage course content |
| Admin | is_admin | false | Platform administrators with management access |
User type flags are independent of RBAC roles. Flags determine which area of the platform a user can enter (/dashboard vs /admin). Roles & Permissions determine what they can do once inside.
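The two gates described above, as an added example in Go (the backend's language). This is illustrative code written for this page, not the auth-service's own: the User and Authorizer types, the CanEnter and Authorize functions, the tenant-keyed role map and the sample roles in SampleAuthorizer are all assumed for the example. It also covers the case mentioned earlier of a single user holding more than one type.

```go
package main

import "fmt"

// User is an assumed shape; the page documents the three flags and the flag-versus-role
// split, not the auth-service's actual types.
type User struct {
	ID, TenantID                     string
	IsLearner, IsInstructor, IsAdmin bool
	Roles                            []string // names of roles granted in the user's own tenant
}

// Authorizer resolves permissions from a tenant-keyed role map:
// tenantID -> role name -> set of permissions. Keying by tenant means a role name
// defined in one tenant grants nothing to a user of another tenant.
type Authorizer struct {
	roles map[string]map[string]map[string]bool
}

// CanEnter is the flag gate: flags alone decide which area a user may enter.
func CanEnter(u User, area string) bool {
	switch area {
	case "/admin":
		return u.IsAdmin
	case "/dashboard":
		return u.IsLearner || u.IsInstructor
	}
	return false
}

// Authorize applies both gates in order: the area flag, then a permission held through a
// role in the user's own tenant. The admin flag is not a wildcard permission, and a
// permission does not open an area the flags keep closed.
func (az *Authorizer) Authorize(u User, area, permission string) error {
	if !CanEnter(u, area) {
		return fmt.Errorf("user %s: type flags do not allow entering %s", u.ID, area)
	}
	for _, name := range u.Roles {
		if az.roles[u.TenantID][name][permission] { // reading a nil map is safe in Go: unknown tenant or role means false
			return nil
		}
	}
	return fmt.Errorf("user %s: no role in tenant %s grants %q", u.ID, u.TenantID, permission)
}

// SampleAuthorizer holds constructed sample data for this example, not EduShade's shipped roles.
func SampleAuthorizer() *Authorizer {
	return &Authorizer{roles: map[string]map[string]map[string]bool{
		"tenant-a": {
			"course_editor": {"course:write": true, "course:publish": true},
			"user_manager":  {"user:create": true, "user:suspend": true},
		},
		"tenant-b": {"course_editor": {"course:write": true}},
	}}
}

func main() {
	az := SampleAuthorizer()
	instructor := User{ID: "u1", TenantID: "tenant-a", IsInstructor: true, Roles: []string{"course_editor"}}
	admin := User{ID: "u2", TenantID: "tenant-a", IsAdmin: true}
	fmt.Println(az.Authorize(instructor, "/dashboard", "course:publish")) // <nil>
	fmt.Println(az.Authorize(instructor, "/admin", "user:create"))        // stopped by the flag gate
	fmt.Println(az.Authorize(admin, "/admin", "user:suspend"))            // stopped by the permission gate
}
```

The two failure modes this guards against are the common ones in flag-plus-role systems: treating `is_admin` as an implicit grant of every permission, and resolving role names globally so that a role created in one tenant silently applies in another. Both checks run on every request, so changing a user's flags or roles takes effect immediately.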
User Statuses
| Status | Description |
|---|---|
| pending_verification | Account created, awaiting email/phone verification |
| active | Fully verified and active account |
| inactive | Temporarily deactivated account |
| suspended | Account suspended by an administrator |
| deleted | Soft-deleted account (data retained per policy) |
How Authentication Works (High-Level Flow)
1. User registers → Account created (status: pending_verification)
2. User verifies email/phone → Account activated (status: active)
3. User logs in → JWT access token + refresh token issued
4. Frontend stores tokens → Used for all authenticated API requests
5. Token expires → Auto-refreshed using refresh token
6. User logs out → Session invalidated, tokens cleared
Getting Started
If you're a new user, start with:
- Registration — Create your account
- Email Verification — Verify your email
- Login — Sign in to the platform
- Profile Completion — Complete your profile
If you're an administrator, also read:
- User Management — Manage platform users
- Roles & Permissions — Configure access control
- User Impersonation — Support users by logging in as them
- User Analytics — Monitor user growth and activity

