Authentication
This guide covers setting up user authentication, managing organizations, and configuring security settings in the Zoneweaver frontend.
Table of contents
- JWT Authentication
- User Registration
- User Management
- Security Configuration
- Organization Management
- API Authentication
- Troubleshooting
- Security Best Practices
JWT Authentication
Zoneweaver uses JSON Web Tokens (JWT) for authentication. All API requests must include a valid JWT token in the Authorization header.
Token Format
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
Token Lifecycle
- Expiration: Tokens expire after 24 hours by default (configurable)
- Refresh: Users must log in again after token expiration
- Storage: Frontend stores tokens in secure HTTP-only cookies
User Registration
New Organization Registration
If allow_new_organizations is enabled in config:
- Navigate to the registration page
- Fill out organization and admin user details:
  - Organization name
  - Admin username
  - Admin email
  - Password (minimum 8 characters)
- Submit registration to create both organization and admin user
Invitation-Based Registration
For existing organizations:
- Admin creates invitation via Settings → Users → Invite User
- Invitation code is sent via email (if configured) or shared manually
- New user visits registration page with invitation code
- User fills out personal details and creates account
User Management
Role Hierarchy
Super Admin
- Access to all organizations
- Can create/modify/delete any organization
- Global system administration
Admin
- Organization-specific administration
- Can invite users to their organization
- Manage organization settings and users
User
- Standard access within organization
- Can manage personal profile and preferences
- Access to organization’s servers and zones
Creating Users
Via Email Invitation
# Configure SMTP in config.yaml
mail:
  smtp_connect:
    host: smtp.example.com
    port: 587
    secure: false
  smtp_auth:
    user: "noreply@company.com"
    password: "smtp-password"
  smtp_settings:
    from: "Zoneweaver <noreply@company.com>"
- Go to Settings → Users
- Click “Invite User”
- Enter email address and select role
- System sends invitation email automatically
Manual Invitation
- Generate invitation code in Settings → Users
- Share invitation code with new user
- User registers using the code
Security Configuration
JWT Settings
security:
  jwt_secret: "your-secure-random-secret-here"  # Change this!
  bcrypt_rounds: 10                              # Password hashing strength
  sessionTimeout: 24                             # Hours
  allow_new_organizations: false                 # Disable after initial setup
Password Requirements
Current password policy:
- Minimum 8 characters
- No complexity requirements (configurable in future versions)
- Passwords are hashed using bcrypt with configurable rounds
Session Management
- Sessions expire after configured timeout period
- Users are automatically logged out on token expiration
- No automatic refresh: users must re-authenticate
Organization Management
Creating Organizations
Super Admin Only:
- Navigate to Settings → Organizations
- Click “Add Organization”
- Enter organization name and description
- Assign initial admin user
Organization Settings
Each organization can configure:
- Name and Description: Basic organization information
- User Management: Control user access and roles
- Server Assignments: Which Zoneweaver API servers this organization can access
Multi-Tenant Isolation
- Users can only access their assigned organization’s resources
- Organizations cannot see each other’s data
- Server assignments are organization-specific
API Authentication
Login Endpoint
curl -X POST https://your-server:3443/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "identifier": "admin@example.com",
    "password": "your-password"
  }'
Response:
{
  "success": true,
  "message": "Login successful",
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "user": {
    "id": 1,
    "username": "admin",
    "email": "admin@example.com",
    "role": "admin",
    "organizationName": "My Organization"
  }
}
Using API Tokens
curl -X GET https://your-server:3443/api/user/profile \
  -H "Authorization: Bearer YOUR_JWT_TOKEN_HERE"
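The two curl commands above, as an added Node client example that is not part of Zoneweaver: it POSTs the login body, keeps only the token and user from a successful response, and then sends the token as a Bearer header to the profile endpoint, treating a 401 as "session expired, log in again". fetch is injected so the flow can run offline against a constructed stand-in server that answers with the documented response shapes; the function names login, getProfile and makeFakeServer, the sample password and the stand-in's behaviour are assumptions.

```javascript
// Added example: login-then-call flow mirroring the curl commands above.
// Not Zoneweaver's client code; the fake server and credentials are constructed.

async function login(baseUrl, identifier, password, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(`${baseUrl}/api/auth/login`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ identifier, password }),
  });
  const body = await res.json();
  if (!res.ok || body.success !== true || typeof body.token !== 'string') {
    // Surface the server's message, never the password or a partial token.
    throw new Error(`login failed: ${body.message || res.status}`);
  }
  return { token: body.token, user: body.user };
}

async function getProfile(baseUrl, token, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(`${baseUrl}/api/user/profile`, {
    headers: { Authorization: `Bearer ${token}` },
  });
  // No refresh endpoint exists: a 401 means the session timed out or the token is invalid.
  if (res.status === 401) throw new Error('token rejected: log in again (sessionTimeout reached?)');
  if (!res.ok) throw new Error(`profile request failed: ${res.status}`);
  return res.json();
}

// Constructed stand-in for the server, shaped like the documented responses.
function makeFakeServer({ validToken = 'header.payload.signature' } = {}) {
  const reply = (status, obj) => ({ ok: status < 300, status, json: async () => obj });
  return async (url, opts = {}) => {
    if (url.endsWith('/api/auth/login') && opts.method === 'POST') {
      const { identifier, password } = JSON.parse(opts.body);
      if (identifier === 'admin@example.com' && password === 'correct horse') {
        return reply(200, {
          success: true,
          message: 'Login successful',
          token: validToken,
          user: { id: 1, username: 'admin', email: identifier, role: 'admin', organizationName: 'My Organization' },
        });
      }
      return reply(401, { success: false, message: 'Invalid credentials' });
    }
    if (url.endsWith('/api/user/profile')) {
      const auth = (opts.headers || {}).Authorization || '';
      if (auth !== `Bearer ${validToken}`) return reply(401, { success: false, message: 'Token expired or invalid' });
      return reply(200, { id: 1, username: 'admin', email: 'admin@example.com', role: 'admin' });
    }
    return reply(404, { success: false, message: 'Not found' });
  };
}
```

Against a real server, drop the fourth argument so the global fetch is used, and keep the base URL on https as the page requires.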
Troubleshooting
Login Issues
Invalid Credentials
- Verify username/email and password
- Check if account exists and is active
Token Expired
- Log in again to get a fresh token
- Check sessionTimeout setting
Server Error
- Check JWT secret is configured
- Verify database connectivity
- Check server logs for details
Registration Problems
Organization Creation Disabled
- Set allow_new_organizations: true in config
- Restart Zoneweaver service
Email Invitation Failed
- Check SMTP configuration
- Verify email credentials
- Test SMTP connection
Invalid Invitation Code
- Check code hasn’t expired
- Verify code was copied correctly
- Generate new invitation if needed
Security Best Practices
Production Deployment
- Strong JWT Secret: Use a secure random string (32+ characters)
- HTTPS Only: Never run authentication over HTTP in production
- Regular Password Updates: Encourage users to update passwords
- Monitor Access: Review user access logs regularly
- Disable New Organizations: Set allow_new_organizations: false after setup
Network Security
- Use firewall to restrict port 3443 access
- Consider VPN access for administrative functions
- Enable fail2ban for brute force protection
- Regular security updates and monitoring