Authentication

These stories will be used to build the development backlog and prioritize features for each sprint.

Authentication Requirements

Traveller

User Story 1.1: Sign Up with Email/Password

  • As a Traveller, I want to sign up using my email and password so that I can create an account on NepWalk.
  • Acceptance Criteria:
    • A sign-up form is available with fields: Full Name, Email, Password, Confirm Password.
    • Real-time validation provides feedback for incorrect/missing fields (e.g., “Invalid email format,” “Passwords do not match”).
    • Password must be 8+ characters, including one uppercase, one lowercase, one number, and one special character (e.g., !, @, #).
    • Common passwords (e.g., “password123”) or email as password are rejected with an error: “Password too common.”
    • After submission, a verification email is sent with a unique link (expires in 24 hours).
    • Clicking the link verifies the account and redirects to the dashboard.
    • A success message displays: “Verification email sent. Please check your inbox.”
    • Users can resend the verification email if expired or lost via a “Resend” link on the sign-up page.
    • If the email is already registered, display: “Email already in use. Try logging in or resetting password.”
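
The password rules in this story can be checked server-side as follows. This is an added example, not code from the NepWalk project: `validate_password`, the length message, the sample list of common passwords, and the reading of "special character" as any non-alphanumeric, non-space character are assumptions. It shows that a value can satisfy the complexity rule and still need rejecting, such as a capitalised common password or the user's own email.

```python
import re

# Constructed sample; a real deployment would load a large breached-password list.
COMMON_PASSWORDS = {"password123", "password123!", "qwerty123!", "welcome1!"}

MSG_LENGTH = "Password must be at least 8 characters."  # assumed wording
MSG_COMPLEXITY = "Password must include uppercase, lowercase, number, and special character."
MSG_COMMON = "Password too common."

# One pattern per required character class.
CHARACTER_CLASSES = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9\s]")


def validate_password(password: str, email: str) -> list[str]:
    """Return the list of error messages; an empty list means the password is accepted."""
    errors = []
    if len(password) < 8:
        errors.append(MSG_LENGTH)
    if not all(re.search(pattern, password) for pattern in CHARACTER_CLASSES):
        errors.append(MSG_COMPLEXITY)
    # Compare case-insensitively: "Password123!" is as guessable as "password123!",
    # and an email address can contain every required character class.
    folded = password.casefold()
    if folded in COMMON_PASSWORDS or folded == email.strip().casefold():
        errors.append(MSG_COMMON)
    return errors
```

Because the platform is built on Django, the same rules can also be wired into `AUTH_PASSWORD_VALIDATORS`, which ships with `CommonPasswordValidator` and `UserAttributeSimilarityValidator`.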

User Story 1.2: Sign Up/Login with Google

  • As a Traveller, I want to use my Google account to sign up or log in so that I can save time by using my trusted Google account without creating a new profile.
  • Acceptance Criteria:
    • A “Continue with Google” button is available on the login/signup page.
    • Clicking the button redirects to the Google OAuth flow, requesting email and basic profile data (e.g., name).
    • After successful authentication, a Traveler account is created (if new) or logged in (if existing) and redirected to the dashboard.
    • If the Google email matches an existing account, link the accounts automatically; if unverified, prompt: “Please verify your email.”
    • Errors during Google login display: “Google login failed. Try again or use email/password.”
    • Log Google login attempts with timestamp and IP address.

User Story 1.3: Login with Email/Password

  • As a Traveller, I want to log in using my email and password so I can access my dashboard.

  • Acceptance Criteria:

    • A login form is available with fields: Email, Password.
    • Correct credentials log the user in and redirect to the Traveler dashboard (for browsing packages, creating itineraries).
    • Incorrect credentials display: “Incorrect email or password.”
    • Unverified accounts are blocked with: “Please verify your email. Resend verification link?”
    • After 5 failed login attempts within 5 minutes:
      • Introduce a progressive delay (e.g., 10s, 30s, 1m).
      • Display a warning message: “Too many failed attempts. Please try again later or reset your password.”
      • Optionally prompt CAPTCHA after 3+ failures.
      • If suspicious behavior is detected, notify the user via email and/or temporarily suspend login until verified.
    • A “Keep me logged in” checkbox extends the session to 14 days (secure cookie-based).
    • Log all login attempts with timestamp and IP address.
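
One way to implement the failed-attempt rule above, as an added example rather than the project's own code. `LoginThrottle` is a hypothetical in-memory helper keyed by normalised email; it assumes the 5th failure inside the 5-minute window triggers the 10s delay and each further failure escalates to 30s and then 1m. A production version would keep this state in a shared store such as the cache or database.

```python
import time
from collections import deque

WINDOW = 5 * 60        # "within 5 minutes"
MAX_FAILURES = 5       # failures before delays start
DELAYS = (10, 30, 60)  # progressive delay: 10s, 30s, 1m
CAPTCHA_AFTER = 3      # optional CAPTCHA after 3+ failures


class LoginThrottle:
    """Per-account failed-login tracker (in-memory; hypothetical helper)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = {}       # email -> deque of failure timestamps
        self._blocked_until = {}  # email -> time the next attempt is allowed

    def _recent(self, email):
        """Drop failures older than the window and return the rest."""
        q = self._failures.setdefault(email, deque())
        now = self._clock()
        while q and now - q[0] > WINDOW:
            q.popleft()
        return q

    def check(self, email):
        """Call before verifying a password: (allowed, wait_seconds, captcha)."""
        email = email.strip().lower()
        wait = max(0, self._blocked_until.get(email, 0) - self._clock())
        captcha = len(self._recent(email)) >= CAPTCHA_AFTER
        return wait == 0, wait, captcha

    def record_failure(self, email):
        """Register a bad password; return the delay now imposed (0 if none)."""
        email = email.strip().lower()
        q = self._recent(email)
        q.append(self._clock())
        over = len(q) - MAX_FAILURES
        if over < 0:
            return 0
        delay = DELAYS[min(over, len(DELAYS) - 1)]
        self._blocked_until[email] = self._clock() + delay
        return delay

    def record_success(self, email):
        """A correct login clears the account's failure history."""
        email = email.strip().lower()
        self._failures.pop(email, None)
        self._blocked_until.pop(email, None)
```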

User Story 1.4: Forgot Password

  • As a Traveller, I want to reset my password in case I forget it.
  • Acceptance Criteria:
    • A “Forgot Password” link is available on the login page.
    • Submitting a registered email sends a password reset email with a unique link (expires in 1 hour).
    • The reset form requires a new password (meeting complexity requirements) and a confirmation field.
    • Display validation errors: “Password must include uppercase, lowercase, number, and special character.”
    • After successful reset, send a confirmation email: “Your password has been updated.”
    • For unregistered emails, display: “If an account exists, a reset link has been sent.”
    • Limit reset requests to 3 per email/hour to prevent abuse.
    • Log reset attempts for auditing.
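
The reset flow above, sketched as an added example that is not part of the NepWalk code base. `PasswordResetService`, its in-memory stores and the `outbox` list standing in for the mailer are hypothetical; storing only a SHA-256 digest of each token, making tokens single-use, and returning the generic message even when the hourly limit is hit are assumptions that go beyond what the story states.

```python
import hashlib
import secrets
import time

RESET_TTL = 60 * 60          # reset link expires in 1 hour
MAX_REQUESTS_PER_HOUR = 3    # per email
GENERIC_REPLY = "If an account exists, a reset link has been sent."


def _digest(token):
    # Only the digest is stored, so a leaked token table cannot be replayed as links.
    return hashlib.sha256(token.encode()).hexdigest()


class PasswordResetService:
    """In-memory sketch; `registered` and `outbox` stand in for the user table and mailer."""

    def __init__(self, registered, clock=time.time):
        self._registered = {e.strip().lower() for e in registered}
        self._clock = clock
        self._tokens = {}    # sha256(token) -> (email, expires_at)
        self._requests = {}  # email -> timestamps of requests in the last hour
        self.outbox = []     # (email, raw token) pairs "sent" by email

    def request_reset(self, email):
        """Same reply for every input, so the form cannot be used to probe for accounts."""
        email = email.strip().lower()
        now = self._clock()
        recent = [t for t in self._requests.get(email, []) if now - t < 3600]
        if len(recent) < MAX_REQUESTS_PER_HOUR:
            recent.append(now)
            if email in self._registered:
                token = secrets.token_urlsafe(32)  # unguessable value for the link
                self._tokens[_digest(token)] = (email, now + RESET_TTL)
                self.outbox.append((email, token))
        self._requests[email] = recent
        return GENERIC_REPLY

    def redeem(self, token):
        """Return the account email for a valid token, else None. Tokens are single-use."""
        entry = self._tokens.pop(_digest(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        return email if self._clock() < expires_at else None
```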

User Story 1.5: Access Traveler Dashboard

  • As a Traveller, I want to access my dashboard to explore and book travel experiences.
  • Acceptance Criteria:
    • After login, redirect to a Traveler dashboard displaying different role-based options.
    • Only authenticated Travelers can access the dashboard; unauthenticated users are redirected to the login page.
    • Suspended Travelers see: “Your account is suspended. Contact support.”

Travel Lead

User Story 2.1: Create a Group and Become Default Travel Lead (v2)

  • As a Traveller, I want to create a group and invite others so I can automatically become a Travel Lead and manage group activities.

  • Acceptance Criteria:

    • Any verified Traveller can create a new group from their dashboard.
    • The Traveller who creates the group is automatically assigned as a Travel Lead for that group.
    • Travel Leads can invite other verified Travellers to join their group using email invitations or unique group links.
    • Travel Leads can assign co-leads by granting leadership status to one or more existing group members.
    • A group can have multiple Travel Leads, each with equal permissions to manage the group.
    • Travel Leads can transfer leadership to another member if needed (must confirm the action).
    • All leadership changes (adding/removing co-leads or transferring leadership) must be confirmed via a modal or confirmation step.
    • Group members are notified via in-app notification and email when:
      • They are invited to a group.
      • They are promoted to co-lead.
      • Leadership is transferred to them.
    • If a Travel Lead removes themselves from leadership, at least one other Travel Lead must exist; otherwise, the system prevents removal until a successor is assigned.
    • The group creator’s profile should show a “Lead” badge in the group view.
  • Notes:

    • The term “Travel Lead” refers to group-level leadership, not platform-wide privileges.
    • Only verified users (email verified) can create groups or be promoted to leads.

User Story 2.1: Sign Up/Login with Google

  • As a Travel Lead, I want to use my Google account to sign up or log in so I don’t have to manage another password.
  • Acceptance Criteria:
    • A “Continue with Google” button is available on the login/signup page.
    • Redirects to Google OAuth flow, retrieving email and basic profile data (e.g., name).
    • After authentication, create a Traveller account (with option to request Travel Lead status) or log in and redirect to the appropriate dashboard (Travel Lead if approved, Traveller if not).
    • If the Google email matches an existing account, link accounts; if unverified, prompt: “Please verify your email.”
    • Google login errors display: “Google login failed. Try again or use email/password.”
    • Log Google login attempts with timestamp and IP address.

User Story 2.2: Login with Email/Password

  • As a Travel Lead, I want to log in using my email and password so I can access my dashboard.
  • Acceptance Criteria:
    • Use the same login form as Travellers: Email, Password.
    • Correct credentials redirect to the Travel Lead dashboard (including Travel Panel for group management, if approved) or Traveler dashboard (if pending/not approved) with a notice: “Travel Lead request pending approval.”
    • Incorrect credentials display: “Incorrect email or password.”
    • Unverified accounts show: “Please verify your email. Resend verification link?”
    • After 3 failed attempts within 5 minutes, lock the account for 15 minutes with an email: “Account locked. Try again in 15 minutes.”
    • A “Keep me logged in” checkbox extends the session to 14 days.
    • Log all login attempts with timestamp and IP address.

User Story 2.3: Forgot Password

  • As a Travel Lead, I want to reset my password in case I forget it.
  • Acceptance Criteria:
    • A “Forgot Password” link is available on the login page.
    • Submitting a registered email sends a reset email with a unique link (expires in 1 hour).
    • The reset form requires a new password (meeting complexity requirements) and a confirmation field.
    • Display validation errors for non-compliant passwords: “Password must include uppercase, lowercase, number, and special character.”
    • After successful reset, send a confirmation email: “Your password has been updated.”
    • For unregistered emails, display: “If an account exists, a reset link has been sent.”
    • Limit reset requests to 3 per email/hour.
    • If suspended, block reset attempts and display: “Account suspended. Contact support.”

User Story 2.4: Access Travel Lead Dashboard

  • As a Travel Lead, I want to access my dashboard to manage group itineraries and Travelers.
  • Acceptance Criteria:
    • After login and Admin approval, redirect to a Travel Lead dashboard with access to all Traveler features (browse packages, create itineraries, view maps, select hotels) plus a Travel Panel.
    • Travel Panel enables creating/editing group itineraries and managing group members.
    • If not approved, redirect to Traveler dashboard with a notice: “Travel Lead request pending approval.”
    • Suspended Travel Leads see: “Your account is suspended. Contact support.”
    • Role-based permissions ensure Travel Leads can only manage their own group itineraries, with no access to other users’ data.

User Story 2.5: Add/Register Travelers

  • As a Travel Lead, I want to register or invite Travelers under my group so I can manage their travel plans.
  • Acceptance Criteria:
    • In the Travel Panel (accessible only after Admin approval), access a form to invite Travelers by entering their email or selecting from registered users.
    • Invited Travelers receive an email with a unique link (expires in 7 days) to join the group itinerary.
    • Non-registered users are prompted to sign up before joining.
    • Accepted invitations add Travelers to the group with read-only access to the itinerary.
    • Travel Leads can view a group list showing each Traveler’s email, name, and travel status (e.g., confirmed, pending).
    • Option to remove Travelers with a confirmation: “Remove this Traveler?”
    • Notify removed Travelers via email: “You have been removed from the group itinerary.”
    • Prevent duplicate invitations with an error: “Traveler already invited.”
    • Log all invitation actions with timestamp and Travel Lead’s ID.

Admin

User Story 3.1: Admin Login via Django Admin

  • As an Admin, I want to log into the default Django admin interface so I can manage all aspects of the platform.
  • Acceptance Criteria:
    • Admins access admin.nepwalk.com and log in with pre-created email/username and password.
    • Admins can use the default features given by the Django

User Story 3.2: Admin Password Reset

  • As an Admin, I want to reset my password in case I forget it.
  • Acceptance Criteria:
    • A “Forgot Password” link is available on the Django Admin login page.
    • Use default Django Admin password reset form.

User Story 3.3: Admin Account Creation

  • As an Admin, I want my account to be pre-created by the development team so I can securely access the platform.
  • Acceptance Criteria:
    • Admins are created via Django’s management commands or by another superuser in Django Admin.
    • Creation requires a unique email and password (meeting complexity requirements).
    • Display error for duplicate emails: “Email already in use.”
    • Log account creation with timestamp, creator, and IP address.
    • Use default Django Admin feature.

User Story 3.4: Manage Users

  • As an Admin, I want to manage all users (Travelers, Travel Leads, Agencies, Hotels) to control access and roles.
  • Acceptance Criteria:
    • In Django Admin, view a user list with fields: email, role, approval status, suspension status, active status.
    • Filter by role, approval status, or suspension status; search by email.
    • Only superuser can delete users.
    • Regular admin should have some restrictions:

User Authorization Requirements

Traveller

  • As a Traveller, I want to access my dashboard to manage my account so I can view and update my profile information.
  • Acceptance Criteria:
    • Redirect to a Traveller dashboard displaying options to view/edit profile (e.g., full name, email).
    • Only authenticated Travelers can access the dashboard; others are redirected to the login page.
    • Suspended Travelers see: “Your account is suspended. Contact support.”
    • Role-based permissions ensure Travelers can only view/edit their own profile, with a 403 error for other users’ data: “Access denied.”
    • Log dashboard access with timestamp and user ID.
    • Prevent profile updates with invalid data (e.g., duplicate email) with an error: “Email already in use.”
    • Log profile updates with timestamp and user ID.

Travel Lead

  • As a Travel Lead, I want to request Travel Lead status so I can manage a group of Travelers upon Admin approval.

  • Acceptance Criteria:

    • From the Traveler dashboard, access an option to request Travel Lead status.
    • Submitting the request sends a notification to Admins via Django Admin, including the user’s email and name.
    • Until approved, retain Traveler permissions with a notice: “Your Travel Lead request is pending approval.”
    • Admins can approve or reject the request in Django Admin with a single action.
    • If approved, grant Travel Lead permissions and access to the Travel Panel for user management.
    • If rejected, notify via email: “Your Travel Lead request was not approved. Contact support for details.”
    • Log request submissions and Admin actions with timestamp and user/Admin IDs.
    • Prevent duplicate requests with an error: “Travel Lead request already pending.”

  • As a Travel Lead, I want to access my dashboard to manage my group of Travelers.

  • Acceptance Criteria:

    • After Admin approval, redirect to a Travel Lead dashboard with Traveler features (view/edit profile) plus a Travel Panel for group management.
    • If not approved, redirect to Traveler dashboard with a notice: “Travel Lead request pending approval.”
    • Suspended Travel Leads see: “Your account is suspended. Contact support.”
    • Role-based permissions ensure Travel Leads can only manage their own group, with a 403 error for unauthorized access: “Access denied.”
    • Log dashboard access with timestamp and user ID.
  • As a Travel Lead, I want to invite Travelers to my group so I can manage their membership.

  • Acceptance Criteria:
    • In the Travel Panel (accessible only after Admin approval), access a form to invite Travelers by entering their email or selecting from registered users.
    • Invited Travelers receive an email with a unique link (expires in 7 days) to join the group.
    • Non-registered users are prompted to sign up before joining.
    • Accepted invitations add Travelers to the group.
    • View a group list showing each Traveler’s email, name, and status (e.g., confirmed, pending).
    • Option to remove Travelers with a confirmation: “Remove this Traveler?”
    • Notify removed Travelers via email: “You have been removed from the group.”
    • Prevent duplicate invitations with an error: “Traveler already invited.”
    • Log all invitation actions (send, accept, remove) with timestamp and Travel Lead’s ID.
    • Restrict to 50 Travelers per group for MVP to ensure performance.

Admin

  • As an Admin, I want to access the Django Admin dashboard to manage all users.

  • Acceptance Criteria:

    • Redirect to the Django Admin dashboard (admin.nepwalk.com) with full access to user management.
    • Suspended or disabled Admin accounts see: “Account disabled. Contact support.”
    • Log dashboard access with timestamp and Admin ID.
    • Use default Django Admin interface without customizations for MVP.
  • As an Admin, I want to manage all users (Travelers, Travel Leads, Agencies, Hotels) to control access and roles.

  • Acceptance Criteria:
    • View a user list in Django Admin with fields: email, role, approval status, suspension status, active status.
    • Filter by role (Traveler, Travel Lead, Agency, Hotel), approval status, or suspension status; search by email.
    • Approve/reject Agency, Hotel, and Travel Lead role requests with a single action.
    • For Travel Lead requests, view the user’s email and name; approve to grant Travel Panel access or reject with a logged reason (no email notification for MVP).
    • Suspend/unsuspend users, displaying “Account suspended. Contact support” to affected users.
    • Delete user accounts with a confirmation: “Are you sure you want to delete this user?”
    • Support bulk actions (e.g., approve/suspend multiple users).
    • Prevent deletion of the last Admin account with an error: “Cannot delete last Admin.”
    • Log all actions (approvals, suspensions, deletions, role changes) with Admin’s ID and timestamp.
    • Prevent approving already-approved users with an error: “User already approved.”