Authentication Overview
Titan uses a hybrid authentication approach: HTTP for login and SignalR for real-time token operations.
Authentication Flow
Token Types
| Token | Purpose | Lifetime | Storage |
|---|---|---|---|
| Access Token | Authenticates API requests | 15 minutes | Memory (in-game) |
| Refresh Token | Obtains new access tokens | 7 days | Secure storage |
Token Rotation
On each refresh, the presented refresh token is consumed and a new one is issued in its place, so only one valid refresh token exists for a session at any time. This provides:
- Breach detection: a refresh token presented again after it has been consumed must have been copied, since the legitimate client already exchanged it; treat the reuse as theft and revoke that session's tokens.
- Forced logout: all of a user's tokens can be revoked on security events; the 15-minute access-token lifetime bounds how long a revoked session can keep making requests.
Authentication Providers
Titan supports pluggable authentication providers:
| Provider | Use Case | Implementation |
|---|---|---|
| EOS | Production | EosConnectService validates Epic Online Services tokens |
| Mock | Development | MockAuthService accepts mock:{userId} tokens |
Provider Selection
Specify the provider in the login request:
    {
      "token": "EOS_ID_TOKEN_FROM_EPIC",
      "provider": "EOS"
    }
Or for development:
    {
      "token": "mock:550e8400-e29b-41d4-a716-446655440000",
      "provider": "Mock"
    }
HTTP Endpoints
Login, refresh, logout and provider discovery are exposed as plain HTTP endpoints, following the usual practice for credential exchange; the SignalR AuthHub described below is an additional refresh path for already-connected clients, not a replacement for these endpoints:
| Endpoint | Method | Description |
|---|---|---|
| /api/auth/login | POST | Exchange provider token for Titan tokens |
| /api/auth/refresh | POST | Refresh access token using refresh token |
| /api/auth/logout | POST | Revoke refresh token |
| /api/auth/providers | GET | List available authentication providers |
SignalR Token Usage
After login, connect to SignalR hubs with the access token:
    const connection = new signalR.HubConnectionBuilder()
      .withUrl("/accountHub", {
        accessTokenFactory: () => accessToken
      })
      .build();
The SignalR JavaScript client sends the token in the access_token query parameter, because a browser WebSocket cannot set an Authorization header, and the server's JWT bearer middleware validates it. Query strings can end up in proxy and server logs, so keep access tokens short-lived (the 15-minute lifetime above) and never send the refresh token this way.
Token Refresh
When the access token expires, a connected client can also refresh it over the AuthHub, a WebSocket-based path.
This allows a client to obtain a new access token over an existing SignalR connection without reconnecting; the HTTP /api/auth/refresh endpoint remains available for clients that are not connected.
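A client that performs the login exchange shown under Provider Selection and keeps SignalR supplied with a fresh access token, as an added example that is not Titan's own client code. It uses the HTTP refresh endpoint (the page does not document the AuthHub calls). Assumed, since the page documents the endpoints but not their bodies: /api/auth/refresh accepts `{"refreshToken": "..."}`, and both login and refresh return `{"accessToken": "...", "refreshToken": "..."}`.

```javascript
// Added example, not Titan's own client code. It keeps the access token in
// memory only, reads its `exp` claim, and refreshes via /api/auth/refresh
// before expiry so accessTokenFactory never hands SignalR a stale token.

function base64url(str) {
  return Buffer.from(str, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Builds an unsigned JWT for offline testing; real tokens come from the server.
function makeUnsignedJwt(claims) {
  const header = base64url(JSON.stringify({ alg: "none", typ: "JWT" }));
  return `${header}.${base64url(JSON.stringify(claims))}.`;
}

// Reads exp (seconds since epoch) from the payload without verifying the
// signature: the client only needs the expiry time; the server verifies tokens.
function decodeJwtExpMs(jwt) {
  const payload = typeof jwt === "string" ? jwt.split(".")[1] : undefined;
  if (!payload) return null;
  const b64 = payload.replace(/-/g, "+").replace(/_/g, "/");
  try {
    const { exp } = JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
    return typeof exp === "number" ? exp * 1000 : null;
  } catch {
    return null;
  }
}

class TitanAuthClient {
  constructor({ baseUrl = "", fetchImpl = globalThis.fetch, now = () => Date.now(), skewMs = 30_000 } = {}) {
    this.baseUrl = baseUrl;
    this.fetchImpl = fetchImpl;   // injectable so the flow can be exercised offline
    this.now = now;
    this.skewMs = skewMs;         // refresh this long before exp to absorb clock skew
    this.accessToken = null;      // memory only, as the token table requires
    this.refreshToken = null;     // a real client persists this in secure storage
  }

  async post(path, body) {
    const res = await this.fetchImpl(`${this.baseUrl}${path}`, {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify(body),
    });
    if (!res.ok) throw new Error(`${path} failed with HTTP ${res.status}`);
    return res.json();
  }

  // Exchange a provider token ("EOS" or "Mock") for Titan tokens.
  async login(token, provider) {
    this.storeTokens(await this.post("/api/auth/login", { token, provider }));
  }

  // Rotation: the old refresh token is consumed server-side, so always keep the new one.
  async refresh() {
    if (!this.refreshToken) throw new Error("not logged in");
    try {
      this.storeTokens(await this.post("/api/auth/refresh", { refreshToken: this.refreshToken }));
    } catch (err) {
      // A rejected refresh may mean the session was revoked (reuse detected or
      // forced logout): drop local state so the caller falls back to a full login.
      this.accessToken = null;
      this.refreshToken = null;
      throw err;
    }
  }

  storeTokens({ accessToken, refreshToken }) {
    this.accessToken = accessToken;
    this.refreshToken = refreshToken;
  }

  isAccessTokenFresh() {
    const expMs = decodeJwtExpMs(this.accessToken);
    return expMs !== null && expMs - this.skewMs > this.now();
  }

  // Suitable as accessTokenFactory: SignalR calls it on every (re)connect.
  async getAccessToken() {
    if (!this.isAccessTokenFresh()) await this.refresh();
    return this.accessToken;
  }
}

// Wiring into the SignalR client (needs @microsoft/signalr; not executed here):
//   const client = new TitanAuthClient({ baseUrl: "https://titan.example" });
//   await client.login("mock:550e8400-e29b-41d4-a716-446655440000", "Mock");
//   const connection = new signalR.HubConnectionBuilder()
//     .withUrl("/accountHub", { accessTokenFactory: () => client.getAccessToken() })
//     .build();
```

Passing `client.getAccessToken` as the factory rather than a captured variable matters on reconnect: the SignalR client calls the factory again when it re-establishes the connection, so a token that expired during the outage is refreshed instead of rejected.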
Security Features
Rate Limiting
Authentication endpoints use the Auth rate-limit policy, which is deliberately strict because login and refresh are the endpoints credential-stuffing and token-guessing attempts target:
- 10 requests per minute
- 100 requests per hour
- 5-minute lockout after a violation
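A limiter implementing the Auth policy above (both windows plus the lockout), as an added example that is not Titan's own code. The per-client key (a client IP or user id) and the result shape are this example's assumptions; the page does not say what the policy is keyed on.

```javascript
// Added example (not Titan's own code): sliding-window limiter with the
// Auth policy's limits and a lockout once either window is exceeded.
class AuthRateLimiter {
  constructor({ perMinute = 10, perHour = 100, lockoutMs = 5 * 60 * 1000, now = () => Date.now() } = {}) {
    this.perMinute = perMinute;
    this.perHour = perHour;
    this.lockoutMs = lockoutMs;
    this.now = now;            // injectable clock for offline testing
    this.clients = new Map();  // key -> { hits: [timestampMs], lockedUntil }
  }

  // Returns { allowed: true } or { allowed: false, reason, retryAfterMs }.
  // retryAfterMs maps directly onto a Retry-After response header.
  check(key) {
    const t = this.now();
    let state = this.clients.get(key);
    if (!state) {
      state = { hits: [], lockedUntil: 0 };
      this.clients.set(key, state);
    }
    if (state.lockedUntil > t) {
      return { allowed: false, reason: "locked_out", retryAfterMs: state.lockedUntil - t };
    }
    // Keep only the last hour of hits (the longer window); the minute window is a subset.
    state.hits = state.hits.filter((h) => h > t - 60 * 60 * 1000);
    const lastMinute = state.hits.filter((h) => h > t - 60 * 1000).length;
    if (lastMinute >= this.perMinute || state.hits.length >= this.perHour) {
      // Violation: lock the client out for the timeout instead of just refusing this request.
      state.lockedUntil = t + this.lockoutMs;
      return {
        allowed: false,
        reason: lastMinute >= this.perMinute ? "minute_limit" : "hour_limit",
        retryAfterMs: this.lockoutMs,
      };
    }
    state.hits.push(t);
    return { allowed: true };
  }
}
```

The hourly cap is what stops a slow attacker who stays under 10 requests per minute; with only the per-minute limit, 9 attempts a minute would still allow over 500 guesses an hour.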
Password Requirements (Admin)
Admin dashboard accounts are password-based rather than provider-token-based and have additional requirements:
- Minimum 8 characters
- Uppercase and lowercase letters
- At least one digit
- Account lockout after 5 failed login attempts
Next Steps
- JWT Configuration - Token settings and claims
- EOS Integration - Epic Online Services setup