Authentication
BeePass uses Supabase Auth with SSR (Server-Side Rendering) cookies. Authentication is handled automatically by the browser via HttpOnly cookies.
Registration
Create an account via the web interface or the Supabase Auth API:
- Email: valid email address (verified via link)
- Password: minimum 8 characters, including at least 1 digit and 1 special character
- Available roles: `eleveur` (breeder), `testeur` (tester), `groupe_selection`, `research_center`
The groupe_selection and research_center roles require administrator validation after registration.
Login
Logging in via Supabase Auth (signInWithPassword) automatically sets the SSR session cookies. No manual Authorization header is needed for API calls from the browser.
MFA (Multi-Factor Authentication)
When logging in from a new device, a 6-digit code is sent by email (via Brevo). The device is identified by a fingerprint derived from Canvas rendering and the User-Agent.
- Recognized devices do not trigger MFA
- The code expires after 10 minutes
- Maximum 10 verification attempts per minute
Sessions
| Method | Route | Description |
|---|---|---|
| GET | /api/auth/sessions | List active sessions |
| DELETE | /api/auth/sessions | Revoke a session (body: `{ session_id }`) |
Revocation deletes the refresh token only. The current JWT remains valid until it expires (~1 hour), so a revoked session can still make authenticated requests during that window; it cannot obtain a new access token afterwards.
Admin Auth
Admin authentication is independent from the breeder session. Both coexist simultaneously.
| Method | Route | Description |
|---|---|---|
| POST | /api/admin/auth/login | Admin login (sets HMAC cookie) |
| GET | /api/admin/auth/session | Read admin session |
| POST | /api/admin/auth/logout | Admin logout (clears cookie) |
The `beepass-admin-token` cookie is an HMAC-signed JWT (HS256), HttpOnly, Secure, SameSite=Strict, with an 8-hour expiration.
You can be logged in simultaneously as a breeder (Supabase cookie) and an administrator (HMAC cookie). Both sessions are independent.
Audit
| Method | Route | Description |
|---|---|---|
| POST | /api/auth/audit | Log an audit event |
| GET | /api/auth/audit | Audit event history |
Audit events track logins, logouts, session revocations, and sensitive actions.
Account Deletion
| Method | Route | Description |
|---|---|---|
| DELETE | /api/auth/delete-account | Delete account (MFA verification required) |
See also: Overview | Queens | Evaluations