Ribillion Authentication Service Documentation

Overview

The Ribillion Authentication Service provides secure, centralized authentication for all Ribillion family services under the ribillion.co.uk domain. This service is accessible at auth.ribillion.co.uk.

Built on Firebase Authentication with a custom session management layer, this service ensures secure user authentication across all Ribillion applications.

Family Services

The following services are part of the Ribillion family and use this authentication service:

  • Ribillion Booking - Hotel and accommodation booking system
  • Ribillion Auth - Centralized authentication service (this service)
  • Additional services can be added as needed

Authentication Flow

  1. User visits auth.ribillion.co.uk
  2. User signs in or creates an account
  3. Authentication token is stored in a secure HTTP-only cookie
  4. Token is valid across all *.ribillion.co.uk subdomains
  5. Other services can verify the session via API

API Endpoints

POST /api/auth/login

Authenticate a user with email and password.

Request Body:

{
  "email": "user@example.com",
  "password": "password123"
}

Response:

{
  "success": true,
  "user": {
    "uid": "user-id",
    "email": "user@example.com",
    "displayName": "John Doe",
    "emailVerified": true
  }
}

POST /api/auth/signup

Create a new user account.

Request Body:

{
  "email": "user@example.com",
  "password": "password123",
  "displayName": "John Doe"
}

GET /api/auth/me

Get current authenticated user information.

Response:

{
  "user": {
    "uid": "user-id",
    "email": "user@example.com",
    "displayName": "John Doe",
    "emailVerified": true
  }
}

POST /api/auth/logout

Sign out the current user and clear session.

Integration Guide

To integrate authentication into your Ribillion service:

  1. Ensure your service is on a *.ribillion.co.uk subdomain
  2. Check for the authentication cookie: ribillion_auth_token
  3. Verify the token by calling GET https://auth.ribillion.co.uk/api/auth/me
  4. Forward the ribillion_auth_token cookie in the Cookie header of that request
  5. Treat any non-success response as "not signed in" and redirect to auth.ribillion.co.uk/login if needed
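The steps above, as an added example of a server-side session check for a service on a *.ribillion.co.uk subdomain (this is illustrative code, not the Ribillion auth service's own client). It assumes that GET /api/auth/me answers 200 with the {"user": {...}} body shown above for a valid cookie and a non-2xx status otherwise; the fetch function is injected so the logic can be exercised offline with the constructed fake at the bottom.

```javascript
// Added example (not Ribillion's code): session verification for a family
// service, following the Integration Guide. Only the session cookie is
// forwarded to the auth service, never the caller's whole Cookie header.

const AUTH_ORIGIN = "https://auth.ribillion.co.uk";
const SESSION_COOKIE = "ribillion_auth_token";
const LOGIN_URL = "https://auth.ribillion.co.uk/login";

// Parse a Cookie request header into a name -> value map.
function parseCookies(header) {
  const out = {};
  if (!header) return out;
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) out[name] = value;
  }
  return out;
}

// Step 2: look for the session cookie; null means "not signed in".
function extractSessionToken(cookieHeader) {
  const token = parseCookies(cookieHeader)[SESSION_COOKIE];
  return token && token.length > 0 ? token : null;
}

// Every failure path ends here: the caller redirects to the login page.
function deny(reason) {
  return { authenticated: false, reason, redirect: LOGIN_URL };
}

// Steps 3-5: ask the auth service about the token and fail closed on any
// error (network failure, non-200 status, malformed body).
async function verifySession(cookieHeader, fetchImpl) {
  const token = extractSessionToken(cookieHeader);
  if (token === null) return deny("no session cookie");

  let res;
  try {
    res = await fetchImpl(`${AUTH_ORIGIN}/api/auth/me`, {
      method: "GET",
      headers: { Cookie: `${SESSION_COOKIE}=${token}`, Accept: "application/json" },
      redirect: "manual",
    });
  } catch (err) {
    return deny(`auth service unreachable: ${err.message}`);
  }

  if (res.status !== 200) return deny(`auth service returned ${res.status}`);

  let body;
  try {
    body = await res.json();
  } catch {
    return deny("malformed response");
  }
  if (!body || !body.user || typeof body.user.uid !== "string") {
    return deny("response lacks user");
  }
  return { authenticated: true, user: body.user };
}

// Constructed stand-in for fetch so the block runs offline. Assumed (not
// documented above): an invalid cookie yields a 401 status.
function fakeFetch(validToken) {
  return async (url, opts) => {
    const cookie = (opts.headers && opts.headers.Cookie) || "";
    const ok = url.endsWith("/api/auth/me") && cookie === `${SESSION_COOKIE}=${validToken}`;
    return ok
      ? { status: 200, json: async () => ({ user: { uid: "user-id", email: "user@example.com", displayName: "John Doe", emailVerified: true } }) }
      : { status: 401, json: async () => ({ success: false }) };
  };
}

// Stand-alone run against the constructed fake.
verifySession("ribillion_auth_token=tok123", fakeFetch("tok123")).then((r) => console.log(r));
```

In a real handler, pass the global fetch as fetchImpl and turn a result with authenticated === false into a 302 to result.redirect. Note that the check forwards only the ribillion_auth_token cookie; copying the caller's entire Cookie header to the auth service would leak unrelated cookies.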

Security Features

  • HttpOnly cookies keep the token out of reach of page JavaScript, so a script-injection (XSS) bug cannot read it
  • Secure flag ensures the cookie is only sent over HTTPS
  • SameSite=Lax withholds the cookie from cross-site POST requests, which limits CSRF (top-level GET navigations still carry it)
  • JWT session tokens carry an expiry
  • Firebase Authentication backend
  • Password requirements enforced
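The cookie attributes listed above, as an added example that builds the session Set-Cookie header and audits any Set-Cookie header against the same checklist (illustrative code, not the Ribillion service's own implementation). It assumes the cookie is scoped with Domain=ribillion.co.uk so that every *.ribillion.co.uk service receives it, and that Max-Age is set to the JWT's remaining lifetime; neither value is stated on this page.

```javascript
// Added example (not Ribillion's code): issue and audit the session cookie.

const COOKIE_NAME = "ribillion_auth_token";
const BASE_DOMAIN = "ribillion.co.uk"; // assumed cookie scope for all subdomains

// Build the Set-Cookie value for a freshly issued session token.
function buildSessionCookie(token, maxAgeSeconds) {
  if (!/^[A-Za-z0-9._~+/=-]+$/.test(token)) {
    throw new Error("token contains characters not allowed in a cookie value");
  }
  if (!Number.isInteger(maxAgeSeconds) || maxAgeSeconds <= 0) {
    throw new Error("Max-Age must be a positive integer");
  }
  return [
    `${COOKIE_NAME}=${token}`,
    `Domain=${BASE_DOMAIN}`,    // shared across *.ribillion.co.uk (flow step 4)
    "Path=/",
    `Max-Age=${maxAgeSeconds}`, // browser drops it when the JWT would expire
    "Secure",                   // HTTPS only
    "HttpOnly",                 // not readable by page scripts
    "SameSite=Lax",             // not sent on cross-site POSTs
  ].join("; ");
}

// Parse a Set-Cookie header into {name, value, attrs}; attribute names are
// lowercased, flag attributes map to true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const attrs = {};
  for (const item of rest) {
    const i = item.indexOf("=");
    const key = (i < 0 ? item : item.slice(0, i)).toLowerCase();
    attrs[key] = i < 0 ? true : item.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Return the list of findings; an empty list means the cookie meets the
// Security Features checklist.
function auditSessionCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  if (name !== COOKIE_NAME) findings.push(`unexpected cookie name ${name}`);
  if (attrs.httponly !== true) findings.push("missing HttpOnly");
  if (attrs.secure !== true) findings.push("missing Secure");
  const sameSite = typeof attrs.samesite === "string" ? attrs.samesite.toLowerCase() : "";
  if (sameSite !== "lax" && sameSite !== "strict") findings.push("SameSite must be Lax or Strict");
  if (!("max-age" in attrs) && !("expires" in attrs)) {
    findings.push("no Max-Age/Expires: cookie lifetime not tied to the JWT expiry");
  }
  const domain = typeof attrs.domain === "string" ? attrs.domain.replace(/^\./, "").toLowerCase() : "";
  if (domain !== BASE_DOMAIN) {
    findings.push(`Domain must be ${BASE_DOMAIN}, got "${domain || "(host-only)"}"`);
  }
  return findings;
}

// Constructed sample: a weakened header an audit should flag.
const WEAK_COOKIE = "ribillion_auth_token=abc; Path=/; SameSite=None";
console.log(auditSessionCookie(buildSessionCookie("eyJhbGciOi.abc.def", 3600)));
console.log(auditSessionCookie(WEAK_COOKIE));
```

A check like auditSessionCookie belongs in an integration test that fetches POST /api/auth/login against a staging deployment and inspects the returned Set-Cookie header, so a regression in any of the listed attributes fails the build rather than reaching production.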

Configuration

Environment variables required:

  • FIREBASE_PROJECT_ID - Firebase project ID
  • FIREBASE_SERVICE_ACCOUNT_PATH - Path to service account JSON
  • NEXT_PUBLIC_FIREBASE_API_KEY - Firebase Web API key
  • JWT_SECRET - Secret for JWT token signing
  • AUTH_DOMAIN - Authentication domain (auth.ribillion.co.uk)
  • BASE_DOMAIN - Base domain (ribillion.co.uk)
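A fail-closed startup check for the variables listed above, added here as an example (not part of the Ribillion service). The minimum JWT_SECRET length, the placeholder-value check and the rule that AUTH_DOMAIN must sit under BASE_DOMAIN are this example's own assumptions, not requirements the page states; the sample environment at the bottom is constructed.

```javascript
// Added example (not Ribillion's code): validate the documented environment
// variables before the service starts.

const REQUIRED_VARS = [
  "FIREBASE_PROJECT_ID",
  "FIREBASE_SERVICE_ACCOUNT_PATH",
  "NEXT_PUBLIC_FIREBASE_API_KEY",
  "JWT_SECRET",
  "AUTH_DOMAIN",
  "BASE_DOMAIN",
];
const MIN_JWT_SECRET_CHARS = 32; // assumed minimum, not stated by the service

// Return a list of problems; an empty list means the config is usable.
function validateConfig(env) {
  const errors = [];
  for (const name of REQUIRED_VARS) {
    if (typeof env[name] !== "string" || env[name].trim() === "") errors.push(`${name} is not set`);
  }

  const secret = env.JWT_SECRET || "";
  if (secret && secret.length < MIN_JWT_SECRET_CHARS) {
    errors.push(`JWT_SECRET shorter than ${MIN_JWT_SECRET_CHARS} characters`);
  }
  if (secret && /^(changeme|secret|password|test)$/i.test(secret)) {
    errors.push("JWT_SECRET is a placeholder value");
  }
  // NEXT_PUBLIC_* values are bundled into the browser build; the signing
  // secret must never be reused there.
  if (secret && env.NEXT_PUBLIC_FIREBASE_API_KEY === secret) {
    errors.push("JWT_SECRET must not be reused as a NEXT_PUBLIC_* value");
  }

  const base = (env.BASE_DOMAIN || "").toLowerCase();
  const auth = (env.AUTH_DOMAIN || "").toLowerCase();
  if (base && auth && auth !== base && !auth.endsWith(`.${base}`)) {
    errors.push(`AUTH_DOMAIN ${auth} is not under BASE_DOMAIN ${base}`);
  }
  return errors;
}

// Throw on any problem so the process exits instead of running misconfigured.
function loadConfig(env) {
  const errors = validateConfig(env);
  if (errors.length > 0) throw new Error("refusing to start:\n  " + errors.join("\n  "));
  return {
    projectId: env.FIREBASE_PROJECT_ID,
    serviceAccountPath: env.FIREBASE_SERVICE_ACCOUNT_PATH,
    webApiKey: env.NEXT_PUBLIC_FIREBASE_API_KEY,
    jwtSecret: env.JWT_SECRET,
    authDomain: env.AUTH_DOMAIN.toLowerCase(),
    baseDomain: env.BASE_DOMAIN.toLowerCase(),
  };
}

// Constructed sample environment (placeholder values, not real credentials).
const SAMPLE_ENV = {
  FIREBASE_PROJECT_ID: "ribillion-example",
  FIREBASE_SERVICE_ACCOUNT_PATH: "/etc/ribillion/service-account.json",
  NEXT_PUBLIC_FIREBASE_API_KEY: "WEB-API-KEY-PLACEHOLDER",
  JWT_SECRET: "x".repeat(48),
  AUTH_DOMAIN: "auth.ribillion.co.uk",
  BASE_DOMAIN: "ribillion.co.uk",
};
console.log(validateConfig(SAMPLE_ENV));
```

Call loadConfig(process.env) once at startup; the loader deliberately reports every problem at once rather than stopping at the first, so an operator fixes the whole environment in one pass.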

Support

For issues or questions about the authentication service, please contact the Ribillion development team.