Authentication
Email & Password
Credential-based authentication flow
Email & Password Authentication
Clarix uses email + password as the primary authentication method. All credentials are managed by Better Auth with Argon2id password hashing.
Sign Up Flow
User enters name + email + password
↓
Better Auth validates (unique email, password policy)
↓
Password hashed with Argon2id
↓
User record created in PostgreSQL
↓
Auto-assigned to default organization
↓
Default role: `read_only`
↓
Session created → redirect to /dashboard
Sign In Flow
User enters email + password
↓
Better Auth looks up user by email
↓
Verify password hash (Argon2id)
↓
Check: user.banned? user.status?
↓
Create session (server-side, stored in DB)
↓
Set session cookie → redirect to /dashboard
Password Policy
| Rule | Requirement |
|---|---|
| Minimum length | 8 characters |
| Complexity | No specific requirements (planned: uppercase + number + special) |
| History | Not enforced (planned) |
| Expiry | None (planned: 90-day rotation for regulated users) |
Failed Login Protection
| Setting | Value |
|---|---|
| Max attempts | 5 |
| Lockout duration | 30 minutes |
| Lockout scope | Per email address |
| Logging | All attempts logged with IP, user agent, timestamp |
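One way the rules in this table can be enforced, as an added TypeScript example (not Clarix's or Better Auth's own code): an in-memory guard keyed per email address that locks after 5 failures for 30 minutes and logs every attempt with IP, user agent and timestamp. The class name, method names and any sample IP or user-agent values are assumptions constructed for the example.

```typescript
// Added example, not Better Auth code: per-email failed-login lockout
// matching the policy table (5 attempts, 30-minute lockout, full attempt log).
const MAX_ATTEMPTS = 5;
const LOCKOUT_MS = 30 * 60 * 1000;

type Outcome = "allowed" | "denied" | "locked";

interface AttemptLog {
  email: string;
  ip: string;
  userAgent: string;
  timestamp: string; // ISO 8601
  outcome: Outcome;
}

interface LockState {
  failures: number;
  lockedUntil: number; // epoch ms; 0 when never locked
}

class LoginGuard {
  private state = new Map<string, LockState>();
  readonly log: AttemptLog[] = [];

  // Lockout scope is the email address, so normalise it before using it as a key.
  private key(email: string): string {
    return email.trim().toLowerCase();
  }

  // `verify` performs the Argon2id check. It is not called while the address is
  // locked, so a locked account reveals nothing about whether a guess was right.
  attempt(email: string, ip: string, userAgent: string, verify: () => boolean, now: number = Date.now()): Outcome {
    const k = this.key(email);
    const s = this.state.get(k) ?? { failures: 0, lockedUntil: 0 };
    let outcome: Outcome;
    if (s.lockedUntil > now) {
      outcome = "locked";
    } else if (verify()) {
      this.state.delete(k); // a successful login clears the failure counter
      outcome = "allowed";
    } else {
      s.failures += 1;
      if (s.failures >= MAX_ATTEMPTS) {
        s.lockedUntil = now + LOCKOUT_MS;
        s.failures = 0; // a fresh window of 5 attempts starts after the lockout expires
      }
      this.state.set(k, s);
      outcome = s.lockedUntil > now ? "locked" : "denied";
    }
    this.log.push({ email: k, ip, userAgent, timestamp: new Date(now).toISOString(), outcome });
    return outcome;
  }
}
```

A production deployment would keep the state and log in PostgreSQL or a shared cache rather than process memory, so the counter survives restarts and is shared across instances.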
Password Reset
Currently not implemented. Planned flow:
User clicks "Forgot Password"
↓
Enter email → reset token generated
↓
Email sent with reset link (token expires in 1 hour)
↓
User clicks link → enters new password
↓
Password updated, all sessions invalidated