Authentication

Auth Flow

The flow is the same as in the Parents app: phone + OTP + PIN + biometrics.

┌─────────┐   Phone + OTP   ┌──────────────────────┐   Success   ┌──────────────┐
│   App   │────────────────►│ POST /teacher/       │────────────►│ Store JWT    │
│         │                 │ user-auth/otp-verify │             │ + PIN hash   │
└─────────┘                 └──────────────────────┘             └──────────────┘

Steps

1. Request OTP

await dioClient.post('/teacher/user-auth/login', data: {'phone': '+919876543210'});

2. Verify OTP

final response = await dioClient.post(
  '/teacher/user-auth/otp-verify',
  data: {'phone': '+919876543210', 'otp': '123456'},
);

// Response:
{
  "accessToken": "...",
  "refreshToken": "...",
  "user": { "id": "...", "role": "TEACHER", "schoolId": "..." }
}

3. Set PIN (first login)

await dioClient.post(
  '/teacher/user-auth/set-pin',
  data: {'pin': '1234'},
  options: Options(headers: {'Authorization': 'Bearer $accessToken'}),
);

4. Quick Re-Entry

// PIN
await dioClient.post(
  '/teacher/user-auth/verify-pin',
  data: {'phone': '+919876543210', 'pin': '1234'},
);

// Biometrics (if enrolled)
final authenticated = await LocalAuthentication().authenticate(
  localizedReason: 'Authenticate to access SyncAD',
);

Permissions Fetch

After login, the app fetches the teacher's module permissions:

// GET /teacher/user-auth/user-permissions
final response = await dioClient.get(
  '/teacher/user-auth/user-permissions',
  options: Options(headers: {'Authorization': 'Bearer $accessToken'}),
);

// Response:
{
  "data": {
    "permissions": [
      { "moduleName": "attendance", "canRead": true, "canWrite": true, "canDelete": false },
      { "moduleName": "exam", "canRead": true, "canWrite": true, "canDelete": false },
      { "moduleName": "result", "canRead": true, "canWrite": true, "canDelete": false }
    ]
  }
}

This permission set is cached and used throughout the session to enable/disable UI actions.

Evaluation Mode Interaction

When the server returns 403 EVALUATION_MODE_READONLY, the EvaluationInterceptor triggers a permission re-sync:

EventBus.instance.emit('EVALUATION_MODE_TRIGGERED');
// AuthProvider calls /teacher/user-auth/user-permissions again
// Permissions are updated; write actions are disabled in all affected modules
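
An added example, not SyncAD's own code: a default-deny cache for the user-permissions response that also handles the re-sync described above. PermissionCache and ModulePermission are hypothetical names, the payloads are constructed, and the re-sync response revoking canWrite is an assumption about what the server returns; the cache only drives UI state.

```dart
// Added example. PermissionCache and ModulePermission are hypothetical names.
class ModulePermission {
  final bool canRead, canWrite, canDelete;
  const ModulePermission(this.canRead, this.canWrite, this.canDelete);
  static const none = ModulePermission(false, false, false);
}

class PermissionCache {
  Map<String, ModulePermission> _byModule = const {};
  /// Rebuilds the cache from a decoded user-permissions body. A malformed
  /// body leaves the cache empty, so the UI fails closed rather than
  /// keeping stale write access after a failed re-sync.
  void replaceFrom(Object? body) {
    final fresh = <String, ModulePermission>{};
    final data = body is Map ? body['data'] : null;
    final list = data is Map ? data['permissions'] : null;
    if (list is List) {
      for (final entry in list) {
        if (entry is! Map) continue;
        final name = entry['moduleName'];
        if (name is! String || name.isEmpty) continue;
        // Strict `== true`: a missing key, null or the string "true" denies.
        fresh[name] = ModulePermission(entry['canRead'] == true,
            entry['canWrite'] == true, entry['canDelete'] == true);
      }
    }
    _byModule = fresh;
  }

  /// Modules absent from the response get no access.
  ModulePermission of(String m) => _byModule[m] ?? ModulePermission.none;
}

void main() {
  final cache = PermissionCache();
  // Constructed login-time response in the shape documented above.
  cache.replaceFrom({'data': {'permissions': [
    {'moduleName': 'attendance', 'canRead': true, 'canWrite': true},
    {'moduleName': 'exam', 'canRead': true, 'canWrite': 'true'},
  ]}});
  print('attendance write: ${cache.of('attendance').canWrite}');
  print('exam write (string "true"): ${cache.of('exam').canWrite}');
  print('fees read (not listed): ${cache.of('fees').canRead}');
  // Constructed re-sync after EVALUATION_MODE_TRIGGERED (assumed payload).
  cache.replaceFrom({'data': {'permissions': [
    {'moduleName': 'attendance', 'canRead': true, 'canWrite': false},
  ]}});
  print('attendance write after re-sync: ${cache.of('attendance').canWrite}');
}
```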

See Evaluation Mode for full details.