Account & Authentication
This section describes the user account system and authentication flows, including supported login methods, token management,
two-factor authentication, and security features.
4.1 Login and Signup
The platform supports three authentication methods:
Email and Password
- Users can sign up and log in using email and password credentials.
- Email verification is required to activate the account.
- After login, users may be prompted to set a username if not already set.
Google OAuth
- Implemented via the /auth/google endpoint.
- After OAuth login, the user proceeds to set a username if it's their first time.
Steam OAuth
- Integrated using the /auth/steam endpoint.
- Username setup is also required after the first OAuth login.
All authentication logic is handled inside the AuthModal component.
4.2 JWT Authentication and Tokens
Authentication is managed using JSON Web Tokens (JWT), with three token types:
Access Token
- Short-lived and used for authenticated requests.
- Stored securely in memory or cookie (implementation to be confirmed).
Refresh Token
- Used to obtain new access tokens without forcing re-login.
- Token refresh logic is implemented in ApiClientBrowser.ts.
Socket Token
- Used for real-time authenticated sessions via socket.io-client.
The token refresh mechanism is part of the custom API client (src/api/apiClient/), and is invoked
automatically when access tokens expire.
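As an added illustration of the refresh flow described above (example code, not the project's ApiClientBrowser.ts), the TypeScript client below keeps the access token in memory, reads the token's exp claim to refresh shortly before expiry, refreshes once when a request is answered with 401, shares a single in-flight refresh between concurrent requests, and forces a logout when the refresh token itself is rejected. The /auth/refresh path, the { accessToken, refreshToken } response shape and the Transport abstraction are assumptions made for this example.

```typescript
// Added example (not the project's code): browser-style API client with in-memory
// access token, proactive and reactive refresh, and de-duplicated refresh requests.
// The /auth/refresh endpoint and its response shape are assumptions for this example.

export interface TokenPair { accessToken: string; refreshToken: string }

// A minimal fetch-like transport so the client can be exercised without a network.
export interface HttpResponse { status: number; ok: boolean; json(): Promise<unknown> }
export interface RequestOptions { method?: string; headers?: Record<string, string>; body?: string }
export type Transport = (url: string, opts: RequestOptions) => Promise<HttpResponse>;

// Read the exp claim without verifying the signature. The client only uses it to
// schedule a refresh; the server remains the only party that validates the token.
export function jwtExpiresAt(token: string): number | null {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try {
    const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
    return typeof payload.exp === 'number' ? payload.exp : null;
  } catch {
    return null;
  }
}

// Treat a token as expired slightly early (leeway) to absorb clock skew and latency.
// Unknown expiry is not treated as expired: the server answers 401 and we refresh then.
export function isExpired(token: string, nowSec: number, leewaySec = 30): boolean {
  const exp = jwtExpiresAt(token);
  return exp !== null && exp - leewaySec <= nowSec;
}

export class ApiClient {
  private accessToken: string | null = null;
  private refreshToken: string | null = null;
  private refreshing: Promise<boolean> | null = null; // in-flight refresh shared by all callers
  public loggedOut = false;

  constructor(
    private transport: Transport,
    private now: () => number = () => Math.floor(Date.now() / 1000),
  ) {}

  setTokens(t: TokenPair): void {
    this.accessToken = t.accessToken;
    this.refreshToken = t.refreshToken;
    this.loggedOut = false;
  }

  async request(path: string, opts: RequestOptions = {}): Promise<HttpResponse> {
    // Proactive refresh when the access token is known to be expired.
    if (this.accessToken && isExpired(this.accessToken, this.now())) {
      await this.refreshOnce();
    }
    const res = await this.send(path, opts);
    if (res.status !== 401) return res;
    // Reactive refresh: retry exactly once, never loop on a repeated 401.
    const refreshed = await this.refreshOnce();
    return refreshed ? this.send(path, opts) : res;
  }

  private send(path: string, opts: RequestOptions): Promise<HttpResponse> {
    const headers: Record<string, string> = { ...(opts.headers ?? {}) };
    if (this.accessToken) headers['Authorization'] = `Bearer ${this.accessToken}`;
    return this.transport(path, { ...opts, headers });
  }

  // Concurrent callers that hit 401 at the same moment share one refresh request,
  // so a single-use refresh token is never presented twice.
  private refreshOnce(): Promise<boolean> {
    if (!this.refreshing) {
      this.refreshing = (async () => {
        try {
          return await this.doRefresh();
        } finally {
          this.refreshing = null;
        }
      })();
    }
    return this.refreshing;
  }

  private async doRefresh(): Promise<boolean> {
    if (!this.refreshToken) { this.logout(); return false; }
    const res = await this.transport('/auth/refresh', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ refreshToken: this.refreshToken }),
    });
    if (!res.ok) { this.logout(); return false; } // refresh token revoked or expired: force re-login
    this.setTokens((await res.json()) as TokenPair);
    return true;
  }

  private logout(): void {
    this.accessToken = null;
    this.refreshToken = null;
    this.loggedOut = true;
  }
}
```

Two design points worth noting: the access token lives only in memory, so page scripts cannot read it back out of localStorage, and a failed refresh clears both tokens rather than retrying, so a revoked session cannot keep generating traffic.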
4.3 Two-Factor Authentication (2FA)
Two-Factor Authentication is supported via Google Authenticator.
Features include:
Setup Flow
- Users scan a QR code generated by the frontend (via qrcode.react).
- Backup recovery codes are provided and must be stored securely.
- Setup is confirmed through a verification code entry.
Login Flow
- After username/password or OAuth login, if 2FA is enabled, users are prompted for the 2FA code.
- The verify2FA mutation is used for backend validation.
Backup Codes
- Stored by the user and used in case of lost access to their 2FA device.
2FA is optional and can be enabled/disabled via the account settings interface.
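The validation behind the verify2FA mutation happens server-side. As an added example (not the project's backend code), the block below implements the algorithm Google Authenticator uses (RFC 6238 TOTP over HMAC-SHA1, 30-second steps, six digits) together with the checks a verifier should make: a constant-time comparison, a window of one step either side to absorb clock drift, rejection of a step that has already been accepted so a code cannot be replayed, and single-use backup codes that are stored only as hashes. All function and type names are this example's own; the RFC test secret used in the checks is the published one, not a real key.

```typescript
// Added example (not the project's code): TOTP verification and single-use backup codes.
import { createHash, createHmac, randomBytes, timingSafeEqual } from 'crypto';

// RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits.
export function hotp(secret: Buffer, counter: number, digits = 6): string {
  const msg = Buffer.alloc(8);
  msg.writeUInt32BE(Math.floor(counter / 2 ** 32), 0); // high word (avoids BigInt)
  msg.writeUInt32BE(counter % 2 ** 32, 4);             // low word
  const mac = createHmac('sha1', secret).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;
  const bin =
    ((mac[offset] & 0x7f) << 24) | (mac[offset + 1] << 16) | (mac[offset + 2] << 8) | mac[offset + 3];
  return String(bin % 10 ** digits).padStart(digits, '0');
}

// RFC 6238 TOTP: the counter is the number of 30-second steps since the Unix epoch.
export function totp(secret: Buffer, nowSec: number, step = 30): string {
  return hotp(secret, Math.floor(nowSec / step));
}

// Returns the time step the code was valid for, or null. lastUsedStep is the step of the
// last code this account already accepted: presenting a code for that step again is a replay.
export function verifyTotp(
  secret: Buffer, code: string, nowSec: number, lastUsedStep = -1, window = 1, step = 30,
): number | null {
  const current = Math.floor(nowSec / step);
  const given = Buffer.from(code.replace(/\s+/g, ''), 'utf8');
  for (let delta = -window; delta <= window; delta++) {
    const s = current + delta;
    if (s <= lastUsedStep) continue;
    const expected = Buffer.from(hotp(secret, s), 'utf8');
    // Length check first: timingSafeEqual throws on buffers of unequal length.
    if (given.length === expected.length && timingSafeEqual(given, expected)) return s;
  }
  return null;
}

// Backup codes: the user keeps the plaintext; the server keeps only SHA-256 hashes and
// removes a hash once its code has been used, so every code works exactly once.
export interface BackupCodeStore { hashes: Buffer[] }

function normalizeCode(code: string): string {
  return code.toLowerCase().replace(/[^0-9a-f]/g, ''); // ignore case, dashes and spaces
}

function hashCode(code: string): Buffer {
  return createHash('sha256').update(normalizeCode(code)).digest();
}

export function generateBackupCodes(count = 8): { plain: string[]; store: BackupCodeStore } {
  const plain: string[] = [];
  for (let i = 0; i < count; i++) {
    const hex = randomBytes(5).toString('hex'); // 40 bits of entropy per code
    plain.push(`${hex.slice(0, 5)}-${hex.slice(5)}`);
  }
  return { plain, store: { hashes: plain.map(hashCode) } };
}

export function useBackupCode(store: BackupCodeStore, code: string): boolean {
  const h = hashCode(code);
  // Compare against every stored hash in constant time rather than doing a Set lookup on the code.
  let idx = -1;
  store.hashes.forEach((stored, i) => { if (timingSafeEqual(stored, h)) idx = i; });
  if (idx === -1) return false;
  store.hashes.splice(idx, 1); // consume: a backup code is single-use
  return true;
}
```

The shared secret behind the QR code must be stored server-side with the same care as a password hash store, and the lastUsedStep value has to be persisted per account, otherwise the replay check only holds within one process.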
4.4 Session Activity Log
The user account interface includes a session history log. This displays:
- Recent login times
- IP addresses
- Device/browser information
- Logout buttons for active sessions
This functionality is visible in the account settings under the security tab and allows users to monitor
and revoke session activity.
4.5 Self-Exclusion Options
To support responsible gambling policies, the platform allows users to self-exclude by setting:
- Temporary time-based restrictions (e.g. 24h, 7d, 30d)
- Permanent self-ban (until re-enabled manually by support)
These options are located within the account settings page. Self-exclusion status is enforced on both frontend
and backend: blocked users are logged out and prevented from accessing gaming sections.
4.6 KYC Verification
The platform integrates with Sumsub for Know Your Customer (KYC) compliance.
- Verification is triggered manually by the user from the account dashboard.
- A Sumsub iframe or redirect flow is initiated.
- Upon successful verification, the user’s status is updated.
- The account interface displays verification status and guidance.
KYC status may be required for withdrawals or other restricted features, depending on admin configuration.
4.7 Account Data and History
The user account page includes a detailed overview of account-related actions:
Transaction History
- Deposits
- Withdrawals
- Tips
- Bonus claims
- Promocode claims
- Bet history
Each category is typically displayed in a separate tab or collapsible UI element, and includes filtering
and date range selection.