CRM Authentication

This section covers the authentication operations available in the GraphQL CRM API. The API provides authentication for administrative users with different role-based permissions.

Overview

The CRM Authentication API is designed for secure access to administrative functions. It includes endpoints for admin login, session management, and multi-factor authentication.

Authentication Flow

The CRM authentication involves a multi-step verification process:

  1. Initiate Authentication:

    • Admin provides their email address via the requestLookup mutation
    • The system validates the email and sends a verification code to the admin's email
    • The email must belong to a registered CRM user with appropriate permissions
  2. Email Verification:

    • The admin submits the verification code received via email using the verifyLookup mutation
    • The system validates the code and checks whether 2FA is required for this admin
    • Upon successful verification, the system sets a verification token as a cookie
    • If 2FA is not required, the admin is logged in directly
  3. Two-Factor Authentication (if enabled):

    • If 2FA is required, the admin submits the code from their authenticator app using the verify2fa mutation
    • The system validates the 2FA code and completes the authentication
    • Upon successful verification, the admin is logged in
  4. Session Establishment:

    • The system generates accessToken and refreshToken
    • Tokens are set as HTTP cookies with appropriate security flags
    • These cookies are automatically included in subsequent requests
    • The refreshToken is used to obtain a new accessToken when the accessToken expires
  5. Session Termination:

    • The admin can terminate their session using the signOut mutation
    • This invalidates the current session and clears authentication cookies

Security Considerations

  • CRM authentication applies stricter controls than standard user authentication
  • Failed login attempts are tracked and may result in temporary account locking
  • 2FA (Two-Factor Authentication) is available for additional security
  • All authentication activities are logged for security auditing
  • Session timeout is shorter for CRM users compared to standard users