How do I Implement User Login/Logout?

TrueVault provides everything you need to handle user authentication and access control. Using our login endpoint you can quickly stamp out authentication in your application with no server-side work. Better yet, you can be confident that the authentication process is secure and compliant, because that’s what we do.

Logging In

When a user logs into your application, they enter their username and password into your form and you make an API call to TrueVault passing these fields and your Account ID. It's important to note that you make the API request from your client-side code, not from your server. This guarantees that your server never comes into contact with passwords, so you can forget about any security or compliance complications of managing that data on your side.

If you're building a web application, you can use the JavaScript SDK to make this call. It would look something like this:

<html>
  <head>
    <script src="https://unpkg.com/truevault@0.2.0/build/index.js"></script>
  </head>
  <body>
    <form id="auth-form" class="form-horizontal">
      <input type="text" id="username" name="username" placeholder="Username">
      <input type="password" id="password" name="password" placeholder="Password">
      <button type="submit">Log in</button>
    </form>
  </body>
  ...
  <script>
    // Your TrueVault Account ID, passed from client-side code as described above.
    const TV_ACCOUNT_ID = "YOUR_ACCOUNT_ID";
    const authFormEl = document.getElementById("auth-form");
    authFormEl.addEventListener("submit", async e => {
        e.preventDefault();

        // Read the fields from the form element. An arrow function does not bind
        // `this` to the form, so `this.username` would be undefined here.
        const username = authFormEl.elements.username.value;
        const password = authFormEl.elements.password.value;
        try {
            // The request goes straight from the browser to TrueVault; the password
            // never reaches your own server.
            const tvClient = await TrueVaultClient.login(TV_ACCOUNT_ID, username, password);
            console.log('Access token:', tvClient.apiKeyOrAccessToken);
        } catch (err) {
            console.error('Login failed:', err);
        }
    });
  </script>
  ...
</html>

You can see a complete code sample for authentication using our JS SDK in the Quick Start Guide.

MultiFactor Authentication

On our Advanced Security plan, you can offer your users MultiFactor Authentication to protect their logins from social engineering attacks. MultiFactor Authentication is a good practice for all users, but it is especially important for any high-privilege users in your systems, like administrators, since a compromise of their account generally has a bigger impact. Check out our detailed guide on adding User MFA to your application, or contact sales@truevault.com to enable User MFA in your account.

After Login

The login response contains a User Access Token that you can use for Authentication on subsequent requests. Read more about User Access Tokens in our Auth Primer and see how to add it to requests in our Auth Documentation.

The User Access Token behaves like a traditional web session. You can store it locally (using cookies or other means) and use it for up to 24 hours. If you want to revoke a token, you can log out.

Logout

When a user logs out, call the log out endpoint in TrueVault. This will invalidate the user's User Access Token, so they will have to log in again to get a new User Access Token.

Shared Authentication

Many customers follow the de-identification pattern, whereby TrueVault stores identifying information and they store de-identified data in their own server environment. In this two-server model, it is useful to share authentication state. We recommend using TrueVault as the authentication store of record. It saves you time and decreases your security exposure by offloading this sensitive task to the experts. Additionally, it ensures the TrueVault Audit Log is compliant by tying every request to an individual user.

Once you've authenticated with TrueVault, you need some way to prove to your server that the user is who they claim to be (since you don't store the username/password, we do). You can use the TrueVault User Access Token in conjunction with the verify endpoint to accomplish this. On every authenticated request you send to your server from your client, pass the TrueVault User Access Token. Then, at the beginning of your server request handler, make a call to TrueVault's verify endpoint with that User Access Token. The response will include the User's ID, which you can now treat as authenticated. The verify endpoint ensures the User Access Token is valid and returns the user associated with it; this cannot be spoofed (do be sure to perform SSL hostname verification when contacting TrueVault or any third party). Subsequent actions in your request handler can trust that the user with that ID is authenticated.