# Authentication

Resibibo uses JWT (JSON Web Tokens) via SimpleJWT for API authentication.

## Token Configuration
| Setting | Value |
|---|---|
| Access token lifetime | 15 minutes |
| Refresh token lifetime | 30 days |
| Token rotation | Enabled (new refresh token on each refresh) |
| Blacklisting | Enabled (old refresh tokens are blacklisted) |
## Auth Endpoints

All auth endpoints are under `/api/v1/auth/`:
| Method | Endpoint | Auth Required | Description |
|---|---|---|---|
| POST | /register/ | No | Create a new account |
| POST | /login/ | No | Get JWT token pair |
| POST | /token/refresh/ | No | Refresh access token |
| GET | /me/ | Yes | Get current user profile |
| PATCH | /me/ | Yes | Update user profile |
## Flow

### Registration

```http
POST /api/v1/auth/register/

{
  "email": "user@example.com",
  "username": "user",
  "password": "securepassword"
}
```

Returns the created user object. The client then calls `/login/` to get tokens.
### Login

```http
POST /api/v1/auth/login/

{
  "email": "user@example.com",
  "password": "securepassword"
}
```

Returns:

```json
{
  "access": "eyJ...",
  "refresh": "eyJ..."
}
```
### Using Tokens

Include the access token in the `Authorization` header:

```http
Authorization: Bearer eyJ...
```
### Token Refresh

When the access token expires, use the refresh token to get a new pair:

```http
POST /api/v1/auth/token/refresh/

{
  "refresh": "eyJ..."
}
```

Returns a new access token and, because rotation is enabled, a new refresh token; the refresh token that was just used is blacklisted and cannot be replayed.
## Mobile Client Implementation

The mobile client stores tokens in MMKV secure storage and uses an Axios interceptor to:
- Attach the access token to every request
- Detect 401 responses
- Automatically refresh the token, guarded by a mutex so that several requests failing with 401 at the same time trigger only one refresh call
- Retry the original request with the new token
- Redirect to login if refresh fails
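The single-flight refresh described in the list above, as an added example written independently of the Resibibo client's code. It is framework-agnostic so it runs stand-alone: `transport(config)` stands in for Axios, the `storage` object for MMKV, and `onLogout` for the redirect; all three names are assumptions, not part of the project.

```javascript
// Added example (not the Resibibo client's own code). Assumed names:
// transport(config) -> Promise<{status, data}> stands in for axios,
// storage {get,set,clear} for MMKV, onLogout for the redirect to login.
const REFRESH_PATH = "/api/v1/auth/token/refresh/";

function memoryStorage() {
  const m = new Map();
  return { get: (k) => m.get(k), set: (k, v) => m.set(k, v), clear: () => m.clear() };
}

function createAuthClient({ transport, storage, onLogout }) {
  let inFlight = null; // the pending refresh promise doubles as the mutex
  function refreshTokens() {
    if (!inFlight) {
      inFlight = (async () => {
        const res = await transport({
          method: "POST",
          url: REFRESH_PATH,
          data: { refresh: storage.get("refresh") },
        });
        if (res.status !== 200) throw new Error(`refresh failed: ${res.status}`);
        storage.set("access", res.data.access);
        // Rotation is enabled: the response carries a new refresh token.
        if (res.data.refresh) storage.set("refresh", res.data.refresh);
        return res.data.access;
      })().finally(() => { inFlight = null; });
    }
    return inFlight; // concurrent callers await the same refresh
  }

  async function request(config) {
    const withAuth = (token) => ({
      ...config,
      headers: { ...(config.headers || {}), Authorization: `Bearer ${token}` },
    });
    const res = await transport(withAuth(storage.get("access")));
    if (res.status !== 401) return res;
    let token;
    try {
      token = await refreshTokens();
    } catch (err) {
      storage.clear(); // drop both tokens, then send the user to login
      onLogout(err);
      return res;
    }
    return transport(withAuth(token)); // retried once; a second 401 is returned as-is
  }
  return { request, refreshTokens };
}
```

The retry is deliberately limited to one attempt per request so that a server that keeps answering 401 cannot put the client into a refresh loop.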
## Password Hashing
Django's default PBKDF2 algorithm is used for password hashing.