Architecture

Overview

The SEEDS application implements a secure authentication flow based on the OIDC Authorization Code Flow with a confidential client: the backend holds the client secret and performs the token exchange, so the browser never sees it. The application is composed of a Frontend (React) and a lightweight Backend (Node.js) running within a single container.

Technology Stack

  • Frontend:
      * Framework: React 18 (Vite)
      * Mapping: Mapbox GL JS / Turf.js
      * Routing: React Router DOM
      * Styling: Sass
      * Language: TypeScript

  • Backend:
      * Runtime: Node.js
      * Framework: Express (minimal)

  • Infrastructure:
      * Container: Docker (single-container deployment)
      * Server: Nginx (reverse proxy + static serving)

Authentication Flow

The system adheres to DESP security constraints, ensuring that the OIDC client secret is never exposed to the frontend.

  1. Login Request: The user initiates login from the frontend.

  2. Redirection: The app redirects the user to the generic authentication portal (DestinE IAM).

  3. Authorization Code: Upon successful login, IAM redirects back to the app with an authorization code.

  4. Token Exchange (Backend):
      * The frontend passes the code to the backend /api/auth/callback endpoint.
      * The backend exchanges the code plus CLIENT_ID and CLIENT_SECRET for access/refresh tokens directly with IAM; the secret only ever appears in this server-to-IAM request.

  5. Session Creation:
      * The backend validates the tokens and creates a session cookie (sid) with the Secure and HttpOnly attributes, so the browser sends it only over HTTPS and page scripts cannot read it.
      * Tokens are stored server-side (in memory) and are never returned to the browser; sid is an opaque reference to them. Because the store lives in process memory, sessions do not survive a container restart and are not shared across instances.

  6. Authenticated State: The frontend checks /api/auth/me to verify the session status.

Backend API

The Node.js backend endpoints for authentication management