Authentication & Access Control | medium complexity | MVP | extracted | Confidence: 100%
Components: 3 | Shared: 43 | User Stories: 0 | Analyzed: Yes

Description

Email and password authentication provides the foundational identity verification mechanism for all Meander users at MVP launch. The feature covers secure sign-in, password reset via an emailed link, and session management with short-lived access tokens and rotating refresh tokens. It is the baseline login method while BankID and Vipps certifications are pending, ensuring every organization has a working auth path from day one. All form interactions must satisfy WCAG 2.2 AA and integrate cleanly with the Authentication Module's stable sign-in/sign-out/refresh contract.

Sources & reasoning

§1.3 explicitly assigns email/password to MVP launch, and the Phase 1 ("Fase 1") MVP deliverable list in §5 confirms it. Phase 1 maps to MVP by ordinal position. This is the only auth method scoped to the first phase; all others are deferred.

No source references: this artifact was included based on reasoning alone (see above).

Analysis

Business Value

Email and password login is the hard prerequisite for every other feature: without working authentication no user can access the mobile app or admin portal, which would block all four pilots scheduled for spring. All four organizations (NHF, Blindeforbundet, HLF, and Barnekreftforeningen) require this capability before testing can begin. Early delivery also establishes the token infrastructure (JWT issuance, refresh rotation, per-tenant signing key isolation) that BankID, Vipps, and biometric login extend in later phases, so the investment made here carries forward. A clean extension-point architecture ensures BankID and Vipps can be added without reworking session management.

Implementation Notes

Implemented inside the Authentication Module using bcrypt password hashing with a cost factor tuned to the deployment hardware (note that bcrypt silently truncates input at 72 bytes, so passwords longer than that must be rejected or pre-hashed), short-lived JWT access tokens, and rotating refresh tokens (a refresh token presented again after it has already been rotated should be treated as a replay and the session revoked). The admin portal stores tokens in HttpOnly, Secure cookies; the Flutter mobile app uses flutter_secure_storage (iOS Keychain / Android Keystore). The reset flow issues a time-limited signed token delivered by email and invalidates it after use. Flutter form widgets carry semantic labels (Semantics widgets, rendered as ARIA attributes on Flutter web) for screen reader compatibility. Per-tenant signing key isolation is provisioned from the first deployment to avoid retrofitting multi-tenancy into session infrastructure. The module exposes a stable contract so consumers do not couple to internals.
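The session-management pieces in the notes above (per-tenant signing keys, short-lived access tokens, single-use reset tokens, rotating refresh tokens with replay detection), shown together as an added illustration. This is not the Authentication Module's own code. To run with the standard library alone it substitutes HMAC-SHA256 over a JSON payload for a JWT library (same body.signature shape) and leaves password hashing out entirely (bcrypt is not in the stdlib). The tenant names, TTL values, in-memory stores and the injectable clock are assumptions.

```python
"""Added example of the token flow described above; not Meander's code.
HMAC-SHA256 stands in for a JWT library; bcrypt hashing is omitted."""
import base64
import hashlib
import hmac
import json
import secrets
import time

ACCESS_TTL = 5 * 60        # assumption: short-lived access token, 5 minutes
REFRESH_TTL = 30 * 86400   # assumption: refresh token lifetime, 30 days
RESET_TTL = 15 * 60        # assumption: reset link valid for 15 minutes


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class TenantKeyring:
    """One signing key per tenant: a token minted under one organization's
    key cannot validate under another's, even though one service serves both.
    Keys are created on demand here; in production they are provisioned."""

    def __init__(self):
        self._keys = {}

    def key_for(self, tenant):
        if tenant not in self._keys:
            self._keys[tenant] = secrets.token_bytes(32)
        return self._keys[tenant]


class AuthModule:
    def __init__(self, keyring, now=time.time):
        self.keyring = keyring
        self.now = now                 # injectable clock so tests can expire tokens
        self._refresh = {}             # sha256(token) -> record (never the raw token)
        self._revoked_families = set()
        self._consumed_reset = set()   # jti of reset tokens already used

    # --- signed tokens (access + password reset), keyed per tenant ---
    def _sign(self, tenant, payload):
        body = _b64(json.dumps(payload, separators=(",", ":")).encode())
        sig = hmac.new(self.keyring.key_for(tenant), body.encode(), hashlib.sha256).digest()
        return body + "." + _b64(sig)

    def _verify(self, tenant, token, kind):
        """Tenant comes from the request context (host/route), never from the
        token, so the signature check is what enforces tenant isolation."""
        body, _, sig = token.partition(".")
        expected = hmac.new(self.keyring.key_for(tenant), body.encode(), hashlib.sha256).digest()
        try:
            if not hmac.compare_digest(expected, _unb64(sig)):
                return None
            payload = json.loads(_unb64(body))
            if payload["kind"] != kind or payload["tid"] != tenant or payload["exp"] < self.now():
                return None
        except (ValueError, KeyError, TypeError):
            return None
        return payload

    def issue_access_token(self, user, tenant):
        return self._sign(tenant, {"kind": "access", "sub": user, "tid": tenant,
                                   "exp": int(self.now()) + ACCESS_TTL})

    def verify_access_token(self, token, tenant):
        return self._verify(tenant, token, "access")

    def issue_reset_token(self, user, tenant):
        return self._sign(tenant, {"kind": "reset", "sub": user, "tid": tenant,
                                   "jti": secrets.token_hex(16),
                                   "exp": int(self.now()) + RESET_TTL})

    def consume_reset_token(self, token, tenant):
        """Valid exactly once: the jti is burned on the first successful use."""
        payload = self._verify(tenant, token, "reset")
        if payload is None or payload["jti"] in self._consumed_reset:
            return None
        self._consumed_reset.add(payload["jti"])
        return payload["sub"]

    # --- refresh tokens: opaque, stored hashed, rotated on every use ---
    def issue_refresh_token(self, user, tenant, family=None):
        raw = secrets.token_urlsafe(32)
        self._refresh[hashlib.sha256(raw.encode()).hexdigest()] = {
            "user": user, "tenant": tenant, "family": family or secrets.token_hex(8),
            "exp": self.now() + REFRESH_TTL, "used": False}
        return raw

    def rotate(self, raw):
        """Exchange a refresh token for a fresh access + refresh pair. A token
        presented a second time was replayed, by the thief or by the real
        client after theft; either way the whole family is revoked."""
        rec = self._refresh.get(hashlib.sha256(raw.encode()).hexdigest())
        if rec is None or rec["exp"] < self.now() or rec["family"] in self._revoked_families:
            return None
        if rec["used"]:
            self._revoked_families.add(rec["family"])
            return None
        rec["used"] = True
        return (self.issue_access_token(rec["user"], rec["tenant"]),
                self.issue_refresh_token(rec["user"], rec["tenant"], rec["family"]))
```

Two design points worth keeping when this is translated into the real module: refresh tokens are stored only as hashes, so a database leak does not hand out live sessions, and the tenant used for verification is taken from the request context rather than from inside the token, which is what makes the per-tenant key isolation meaningful.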

Components (46)

User Interface (2)

Service Layer (1)

Shared Components

These components are reused across multiple features

User Stories

No user stories have been generated for this feature yet.