Register
For registration, the user must fill out two forms: the first covers the user's own data, the second the client's data. In between, the user has to confirm an e-mail and log in to GT for the first time. The registration process ends with the sign-in form.

```mermaid
sequenceDiagram
    autonumber
    participant User
    participant A as Sign in form
    participant R as Register form
    participant K as Client form
    participant Backend
    User->>A: Select register
    A-->>R: Redirect
    User->>R: Register user
    R-->>Backend: Check input
    Backend-->>User: Email with confirmation URI
    User->>Backend: Confirms URI
    Backend-->>User: Redirect Sign in form
    User->>A: User logs in
    A-->>Backend: Check authentication
    Backend-->>User: Redirect Client form
    User->>K: Enter client
    K-->>Backend: Check input
    Backend-->>A: Redirect Sign in form
```

It looks easier in the video…
Unfortunately only in German:
Properties
- Nickname: Must be unique within the GT instance, otherwise you could not be distinguished from other users. Currently it is not yet used between users.
- E-Mail: Must be unique within the GT instance, otherwise GT could not distinguish you from other users.
Logging in
You can log in to GT multiple times, even with the same web browser. However, you are responsible for ensuring that the corresponding views of the user interface show the current state: the GT backend does not propagate changes made in one user session to another user session.
Authentication and security
“Different installation types” explains why GT uses a JSON Web Token (JWT). This JWT has an expiry time that the administrator can set under “Global settings”. There is no automatic renewal of the JWT, i.e. the user must log in to GT again after the expiry time. The expiry time should therefore not be set too short; we recommend 1440 minutes, which corresponds to 24 hours. The JWT is stored in the session storage of the web browser, which is cleared when you log out of GT or close the browser. To protect the JWT from theft, you should therefore log out of GT or close the web browser.
A JWT only loses its validity when its expiry time is exceeded, so several JWTs of one user can be valid at the same time. Changing the password does not invalidate previously issued JWTs, i.e. a JWT must not fall into the “wrong hands”. We believe that invalidating JWTs is not necessary for GT, as we do not see any major risk of cross-site scripting (XSS) or cross-site request forgery (CSRF) attacks.
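The expiry behaviour described above, as an added example that is not part of GT's code: a browser-side helper that keeps the JWT in session storage, reads the `exp` claim, and reports when the user has to log in again, since GT does not renew tokens. The storage key `TOKEN_KEY`, the sample token built by `makeSampleJwt`, the in-memory stand-in for `sessionStorage`, and the helper names are assumptions of this example; a real GT token is signed and verified by the backend, the client only reads the payload.

```javascript
// Added example, not GT's own code: inspect the exp claim of the JWT a browser
// client keeps in sessionStorage, to decide whether the user must log in again.
// TOKEN_KEY, makeSampleJwt, jwtExpiryInfo and the stand-in storage are assumptions.
const TOKEN_KEY = 'gt_jwt'; // assumed storage key; GT's real key is not documented here

function base64urlJson(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64url');
}

// Constructed sample token (header.payload.signature). The signature is a
// placeholder: only the backend can verify a real token, the client merely
// reads the payload to learn when the token runs out.
function makeSampleJwt(issuedAtSec, expiryMinutes, subject) {
  const header = { alg: 'HS256', typ: 'JWT' };
  const payload = { sub: subject, iat: issuedAtSec, exp: issuedAtSec + expiryMinutes * 60 };
  return `${base64urlJson(header)}.${base64urlJson(payload)}.PLACEHOLDER_SIGNATURE`;
}

function decodePayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Remaining lifetime in whole minutes; there is no renewal, so once
// `expired` is true the only option is a fresh login.
function jwtExpiryInfo(jwt, nowSec) {
  const { exp } = decodePayload(jwt);
  if (!Number.isInteger(exp)) throw new Error('JWT has no numeric exp claim');
  return { expired: nowSec >= exp, minutesLeft: Math.floor((exp - nowSec) / 60) };
}

// Minimal stand-in for window.sessionStorage so this runs under Node; in the
// browser, pass sessionStorage itself. Logging out removes the token, which is
// what the text recommends to protect it from theft.
function memoryStorage() {
  const m = new Map();
  return {
    setItem: (k, v) => m.set(k, v),
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    removeItem: (k) => m.delete(k),
  };
}

function storeToken(storage, jwt) { storage.setItem(TOKEN_KEY, jwt); }
function logout(storage) { storage.removeItem(TOKEN_KEY); }

// 'none' when no token is stored, otherwise the expiry info.
function sessionStatus(storage, nowSec) {
  const jwt = storage.getItem(TOKEN_KEY);
  return jwt === null ? 'none' : jwtExpiryInfo(jwt, nowSec);
}

function demo() {
  const issuedAt = 1700000000; // constructed issue time (Unix seconds)
  const storage = memoryStorage();
  // 1440 minutes is the recommended expiry setting from the text.
  storeToken(storage, makeSampleJwt(issuedAt, 1440, 'user@example.invalid'));
  console.log(sessionStatus(storage, issuedAt + 23 * 3600)); // { expired: false, minutesLeft: 60 }
  console.log(sessionStatus(storage, issuedAt + 1440 * 60)); // { expired: true, minutesLeft: 0 }
  logout(storage);
  console.log(sessionStatus(storage, issuedAt + 23 * 3600)); // 'none'
}

demo();
```

Because the client never verifies the signature, `jwtExpiryInfo` is only a convenience for prompting the user early; the backend remains the authority on whether a token is accepted, and a stolen token stays usable until its `exp`, which is why the text recommends logging out or closing the browser.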
Authentication
GT currently only requires the e-mail address and a password to log in. The administrator can set certain defaults for the password strength, see “Global settings”.
Brute force attack
After 5 failed login attempts from the same IP address, the GT backend will not process any further login attempts from that IP address for a certain period of time.
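The lockout described above, as an added example that is not GT's own implementation: a per-IP counter that stops checking credentials after five failures and lifts the block once a fixed period has passed. The block duration `BLOCK_SECONDS`, the in-memory store, the class and function names, and the two documentation-range addresses in `simulateLockout` are all assumptions of this example; the page only says five attempts and "a certain period".

```javascript
// Added example, not GT's own code: a per-IP lockout modelled on the behaviour
// described above. The block duration, the in-memory store and all names
// (LoginThrottle, BLOCK_SECONDS, simulateLockout) are assumptions of this example.
const MAX_FAILURES = 5;          // the page states five failed attempts
const BLOCK_SECONDS = 15 * 60;   // assumed duration; the page only says "a certain period"

class LoginThrottle {
  constructor(maxFailures = MAX_FAILURES, blockSeconds = BLOCK_SECONDS) {
    this.maxFailures = maxFailures;
    this.blockSeconds = blockSeconds;
    this.byIp = new Map(); // ip -> { failures, blockedUntil }
  }

  // Seconds until the block on `ip` lifts, or 0 if a login may be attempted.
  blockedFor(ip, nowSec) {
    const s = this.byIp.get(ip);
    if (!s || s.blockedUntil === null) return 0;
    if (nowSec >= s.blockedUntil) {
      this.byIp.delete(ip); // block has expired: forget the old failures
      return 0;
    }
    return s.blockedUntil - nowSec;
  }

  // checkCredentials() is only invoked when the IP is not blocked, mirroring
  // "the backend will not process any login attempts" during the block.
  attempt(ip, nowSec, checkCredentials) {
    const wait = this.blockedFor(ip, nowSec);
    if (wait > 0) return { allowed: false, checked: false, retryAfterSec: wait };
    if (checkCredentials()) {
      this.byIp.delete(ip); // success resets the failure count
      return { allowed: true, checked: true, retryAfterSec: 0 };
    }
    const s = this.byIp.get(ip) || { failures: 0, blockedUntil: null };
    s.failures += 1;
    if (s.failures >= this.maxFailures) s.blockedUntil = nowSec + this.blockSeconds;
    this.byIp.set(ip, s);
    const retry = s.blockedUntil === null ? 0 : s.blockedUntil - nowSec;
    return { allowed: false, checked: true, retryAfterSec: retry };
  }
}

// Constructed sequence of attempts from two documentation-range addresses.
function simulateLockout() {
  const throttle = new LoginThrottle();
  const t0 = 1700000000;
  const wrong = () => false;
  const right = () => true;
  const results = [];
  for (let i = 0; i < 5; i++) results.push(throttle.attempt('198.51.100.7', t0 + i, wrong));
  results.push(throttle.attempt('198.51.100.7', t0 + 5, right));                  // correct password, still blocked
  results.push(throttle.attempt('203.0.113.9', t0 + 5, right));                   // another address is unaffected
  results.push(throttle.attempt('198.51.100.7', t0 + 4 + BLOCK_SECONDS, right));  // block lifted
  return results;
}

console.log(simulateLockout()); // entry 5 -> { allowed: false, checked: false, retryAfterSec: 899 }
```

Keying the counter on the source address keeps the check cheap, but several users behind one NAT share a counter, and a multi-instance backend needs the map in shared storage rather than process memory; the example keeps it in memory only to stay self-contained.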