# User Sentc provides secure registration and login capabilities out of the box, but we do not store any additional data about the user. If you require additional information, such as an email address or full name, you can register the user from your own backend. Users are required for encryption/decryption and group joining. Each user has a public and private key, as well as a sign and verify key. These keys are not available through the API, as they are encrypted using the provided password, which the API does not have access to. A user account can have multiple devices with different logins, but any device can access the user's keys. Using Multi-factor auth with an authentication app is also possible. ## Register The first registration is also considered the first device registration. Please refer to the "Register a Device" section for more information. The username/identifier can be anything, such as a name, email address, or random number. The username is only required to log in to the correct device. ````rust use sentc::keys::StdUser; async fn register() { let user_id = StdUser::register("the-username", "the-password").await.unwrap(); } ```` The username and password can also be generated to ensure a unique and secure login for each device. The following function will create a random device name and password. However, these values are not stored, so please ensure that they are securely stored on the user's device. ````rust use sentc::user::generate_register_data; fn main() { let (username, password) = generate_register_data().unwrap(); } ```` The registration process will throw an error if the chosen username is already taken. To check if a username is still available, you can use the following function, which will return true if the username is still available: ````rust use sentc::user::net::check_user_name_available; async fn example() { let available = check_user_name_available("base_url", "app_token", "user_identifier").await.unwrap(); } ```` ### Own backend If you are using your own backend to store additional user information, you can use the prepare function to prepare the registration data. Then, send the output to our API with a POST request to the following endpoint: `https://api.sentc.com/api/v1/register` ````rust use sentc::keys::StdUser; fn example() { let input = StdUser::prepare_register("identifier", "password").unwrap(); } ```` ## Login To log in, you just need to provide the identifier (i.e., username, email, or random number) and the password that was used during registration. The user will then be logged in to the device associated with the given identifier. The password is not sent to the API, so we cannot access or retrieve the user's password. This is accomplished by using a password derivation function in the client instead of on the server. If the identifier or the password is incorrect, this function will throw an error. The Login function returns an either the user type or data for the mfa validation process. If you disabled the Mfa in the app options then you can force login to get just the user object back. ### Login forced With this method the sdk will just return the user object or throw an exception or error if the user enabled mfa because this must be handled in order to get the user data. ````rust use sentc::keys::StdUser; async fn example() { let user = StdUser::login_forced("base_url".to_string(), "app_token", "username", "password").await.unwrap(); } ```` ### Login with mfa handling For rust an enum is returned with either the User data or mfa data. ````rust use sentc::keys::{StdUser, StdUserLoginReturn}; async fn login() { let login_res = StdUser::login("base_url".to_string(), "app_token", "username", "password").await.unwrap(); //check if the enum is PreLoginOut::Otp, if so call mfa_login with the token from the user auth device match login_res { StdUserLoginReturn::Direct(user) => { //the user } StdUserLoginReturn::Otp(data) => { //handle otp } } } ```` ### Login auth token If the user enabled mfa, you must handle it so that the user can continue the login process. In the above examples we already used the function that works with the auth app of the user. ````rust use sentc::keys::{StdUser, StdPrepareLoginOtpOutput, StdUserLoginReturn}; async fn login() { let login_res = StdUser::login("base_url".to_string(), "app_token", "username", "password").await.unwrap(); let user = match login_res { StdUserLoginReturn::Direct(user) => { user } StdUserLoginReturn::Otp(data) => { //get the token first mfa_login("".to_string(), data).await } }; } //token from the auth app async fn mfa_login(token: String, login_data: StdPrepareLoginOtpOutput) -> StdUser { StdUser::mfa_login("base_url".to_string(), "app_token", token, "username", login_data).await.unwrap() } ```` ### Login with recovery key If the user is not able to create the token (e.g. the device is broken or stolen), then the user can also log in with a recovery key. These keys are obtained after mfa was enabled. If the user uses one key then the key gets deleted and can't be used again. ````rust use sentc::keys::{StdUser, StdPrepareLoginOtpOutput, StdUserLoginReturn}; async fn login() { let login_res = StdUser::login("base_url".to_string(), "app_token", "username", "password").await.unwrap(); let user = match login_res { StdUserLoginReturn::Direct(user) => { user } StdUserLoginReturn::Otp(data) => { //get the token first mfa_recovery_login("".to_string(), data).await } }; } //token from the auth app async fn mfa_recovery_login(recovery_key: String, login_data: StdPrepareLoginOtpOutput) -> StdUser { StdUser::mfa_recovery_login("base_url".to_string(), "app_token", recovery_key, "username", login_data).await.unwrap() } ```` ### User object After successfully logging in, you will receive a user object, which is required to perform all user actions, such as creating a group. You can export the user struct either when owning the struct or from its ref and import it with the parse fn from String: ````rust use sentc::keys::StdUser; fn example(user: StdUser) { let export = user.to_string().unwrap(); //don't forget the type let imported_user: StdUser = export.parse().unwrap(); } fn example_ref(user: &StdUser) { let export = user.to_string_ref().unwrap(); let imported_user: StdUser = export.parse().unwrap(); } ```` ## The User Data he data contains all information about the user account and the device that sentc needs. For the device: - Asymmetric key pairs only for the device. - Device ID. For user account: - Asymmetric key pairs for the account (which are also used to join a group). - The actual JWT for this session. - The refresh token for this session. - User ID To get the data, just access the data in the user struct. ````rust use sentc::keys::StdUser; fn example_ref(user: &StdUser) { let refresh_token = user.get_refresh_token(); let user_id = user.get_user_id(); let device_id = user.get_device_id(); } ```` ## Authentication and JWT After logging in, the user receives a JSON Web Token (JWT) to authenticate with the sentc API. This JWT is only valid for 5 minutes. But don't worry, the SDK will automatically refresh the JWT when the user tries to make a request with an invalid JWT. To refresh the JWT, a refresh token is needed. This token is obtained during the login process. There are three strategies to refresh a JWT. However, this is only necessary if you must use HTTP-only cookies for the browser. If you are using other implementations, stick with the default. If a function returned this error: SentcError::JwtExpired then you have to refresh the jwt to make the request. ````rust use sentc::keys::StdUser; async fn refresh_jwt(user: &mut StdUser) { let fresh_jwt = user.refresh_jwt().await.unwrap(); } ```` ## Multi-Factor authentication Sentc uses Time-based one-time password (Totp) for Multi-factor auth. These tokens can easily be generated by any totp generator app like google authenticator, authy or free otp. A secret is generated alone side with six recovery keys (just in case if the user lost access to the auth device). The user should print out or store the recovery keys to still get access to the account. The auth app needs the secret and information about the used algorithm. The simplest way is to get an otpauth url and transform it into a qr code, so the auth app can scan it. The mfa is bind to all devices in the user account not just the actual one. The user must be logged in, in order to activate mfa and has to enter the password again. `issuer` and `audience` are needed for the auth app. Issuer can be your app name and audience the username email or something else. ````rust use sentc::keys::StdUser; //get the user object after login async fn example(user: &mut StdUser) { let (url, recover_codes) = user.register_otp("issuer", "audience", "password", None, None).await.unwrap(); } ```` ### Reset mfa If the user only got one recovery key left or the device with the auth app ist stolen or lost then resetting the mfa is the best practice The old recovery keys and the old secret will be deleted and replaced by new one. The return values are the same as in the register process. The user also needs to enter a totp from an auth app or a recovery key in order to reset it. This will make sure that only a person with access can change it. The last parameter is for the function to know if a recovery key (Some(true)) or a normal top (None) is used. ````rust use sentc::keys::StdUser; async fn example(user: &StdUser) { let (url, recover_codes) = user.reset_otp("issuer", "audience", "password", Some("token from auth app".to_string()), None).await.unwrap(); } ```` ### Disable mfa To disable the mfa use this function: A totp or recovery key is also needed. ````rust use sentc::keys::StdUser; async fn example(user: &mut StdUser) { user.disable_otp("password", Some("token from auth app".to_string()), None).await.unwrap(); } ```` ### Get totp recovery keys To get the recovery keys so the user can later store them: A totp or recovery key is also needed. ````rust use sentc::keys::StdUser; async fn example(user: &StdUser) { let keys = user.get_otp_recover_keys("password", Some("token from auth app".to_string()), None).await.unwrap(); } ```` Alternative you can disable the mfa from your backend, e.g. if the user looses the recovery keys and the device access. ## Register Device To register a new device, the user must be logged in on another device. The process has three parts: preparing the data on the new device, sending the data to the logged-in device, and adding the new device. To produce the input on the new device, follow these steps. The identifier and password could be generated the same way as during user registration. ````rust use sentc::keys::StdUser; async fn example() { let server_res = StdUser::register_device_start("base_url".to_string(), "app_token", "device_identifier", "device_password").await.unwrap(); } ```` This function will also throw an error if the **username still exists for your app** Send the Input to the Logged-In Device (possibly through a QR code, which the logged-in device can scan), and call this function with the input. ````rust use sentc::keys::StdUser; async fn example(user: &StdUser, server_res: String) { user.register_device(server_res).await.unwrap(); } ```` This will ensure that only the user's devices have access to the user's data. After this, the user can log in on the new device. ## Get devices The device list can be fetched through pagination. ````rust use sentc::keys::StdUser; async fn example(user: &StdUser) { let list = user.get_devices(None).await.unwrap(); //To get more devices use: let list = user.get_devices(Some(&list.last().unwrap())).await.unwrap(); } ```` ## Change password The user must enter the old and new passwords. ````rust use sentc::keys::StdUser; async fn example(user: &StdUser) { user.change_password("old_password", "new_password", None, None).await.unwrap(); } ```` This function will also throw an error if **the old password was not correct** If the user enabled mfa then you also need to enter the token or a recovery key. ````rust use sentc::keys::StdUser; async fn example(user: &StdUser) { user.change_password("old_password", "new_password", Some("auth_token_if_any".to_string()), None).await.unwrap(); //with recovery key user.change_password("old_password", "new_password", Some("recovery_key".to_string()), Some(true)).await.unwrap(); } ```` ## Reset password To reset a password, the user must be logged in on the device. A normal reset without being logged in is not possible without losing access to all data because the user must have access to the device keys. If the user doesn't have access, they can no longer decrypt the information because the sentc API doesn't have access to the keys either. When resetting the password, the secret keys of the device will be encrypted again with the new password. ````rust use sentc::keys::StdUser; async fn example(user: &StdUser) { user.reset_password("new_password").await.unwrap(); } ```` ## Reset user password with data loss To reset the user password from your backend call this endpoint. - `https://api.sentc.com/api/v1/user/forced/reset_user` with a put request - the data is the same string that the user got from the `prepareRegister` function. - All user devices will be deleted and the user can't decrypt any of the old data or any of the data inside groups but the user stays in all groups. - The user has to be re invited to all groups ## Update user or device identifier This will change the user identifier. The function will throw an error if the identifier is not available. Only the identifier of the actual device will be changed. ````rust use sentc::keys::StdUser; async fn example(user: &mut StdUser) { user.update_user("new_user_name".to_string()).await.unwrap(); } ```` This function will also throw an error if **the identifier still exists for your app** ## Delete device To delete a device, a device password from any device and the device ID are needed. The ID can be obtained from the user data or by fetching the device list. ````rust use sentc::keys::StdUser; async fn example(user: &StdUser, device_id: &str) { user.delete_device("password", device_id, None, None).await.unwrap(); } ```` This function will also throw an error if **the password was not correct** If the user enabled mfa then you also need to enter the token or a recovery key. ````rust use sentc::keys::StdUser; async fn example(user: &StdUser, device_id: &str) { user.delete_device("password", device_id, Some("auth_token_if_any".to_string()), None).await.unwrap(); //with recovery key user.delete_device("password", device_id, Some("recovery_key".to_string()), Some(true)).await.unwrap(); } ```` Get the device id from the user data: ````rust use sentc::keys::StdUser; fn example(user: &StdUser) { let device_id = user.get_device_id(); } ```` ## Delete account To delete the entire account, use any device password. ````rust use sentc::keys::StdUser; async fn example(user: &StdUser) { user.delete("password", None, None).await.unwrap(); } ```` This function will also throw an error if **the password was not correct** If the user enabled mfa then you also need to enter the token or a recovery key. ````rust use sentc::keys::StdUser; async fn example(user: &StdUser) { user.delete("password", Some("auth_token_if_any".to_string()), None).await.unwrap(); //with recovery key user.delete("password", Some("recovery_key".to_string()), Some(true)).await.unwrap(); } ```` ## Public user information Only the newest public key is used. You can just fetch the newest public key or a verify key by id. Public key: ````rust use sentc::keys::StdUser; async fn example(user: &StdUser, user_id: &str) { let public_key = user.get_user_public_key_data(user_id).await.unwrap(); } ```` Verify Key: This key can only be fetched by id because to verify data you need a specific verify key. ````rust use sentc::keys::StdUser; use sentc::crypto_common::user::UserVerifyKeyData; async fn example(user: &StdUser, user_id: &str, verify_key_id: &str) { let verify_key: UserVerifyKeyData = user.get_user_verify_key_data(user_id, verify_key_id).await.unwrap(); } ```` ## Create safety number A safety number (or public fingerprint) can be used to check if another user is the real user. Both users can create a safety number with each other and can then check if the number is the same. This check should be done live in person or via video chat. ````rust use sentc::keys::StdUser; use sentc::crypto_common::user::UserVerifyKeyData; fn example(user: &StdUser, other_user_id: &str, other_user_key: &UserVerifyKeyData) { let number = user.create_safety_number_sync(Some(other_user_id), Some(other_user_key)).unwrap(); } ```` The other side: ````rust use sentc::keys::StdUser; use sentc::crypto_common::user::UserVerifyKeyData; fn example(user: &StdUser, first_user_id: &str, first_user_key: &UserVerifyKeyData) { let number2 = user.create_safety_number_sync(Some(first_user_id), Some(first_user_key)).unwrap(); } ```` ## Verify a users public key To make sure that the public key which is used to encrypt the group keys really belongs to the user, this key can be verified. A safety number can be helpful to check if the verify key is the right one. ````rust use sentc::keys::StdUser; async fn example(user: &StdUser, user_id: &str) { //fetch a public key of a user let public_key = user.get_user_public_key_data(user_id).await.unwrap(); let verify = StdUser::verify_user_public_key("base_url".to_string(), "app_token", user_id, &public_key).await.unwrap(); } ```` To check the right verify key of this public key the user can get it: ````rust use sentc::keys::StdUser; use sentc::crypto_common::user::{UserVerifyKeyData, UserPublicKeyData}; async fn example(user: &StdUser, user_id: &str) { //fetch a public key of a user let public_key: UserPublicKeyData = user.get_user_public_key_data(user_id).await.unwrap(); //is an Option let verify_key_id = public_key.public_key_sig_key_id.unwrap(); let verify_key: UserVerifyKeyData = user.get_user_verify_key_data(user_id, verify_key_id).await.unwrap(); //create a safety number with this key let number = user.create_safety_number_sync(Some(user_id), Some(&verify_key)).unwrap(); let verify = StdUser::verify_user_public_key("base_url".to_string(), "app_token", user_id, &public_key).await.unwrap(); } ```` ## Key rotation Just like in groups, users can also do a key rotation. New keys are generated and used and the old will only use the decrypt all data. The rotation can be started from any device and needs to finish on the other devices so that they got the new keys too. To start it: ````rust async fn start_rotation(user: &mut StdUser) { user.key_rotation().await.unwrap(); } ```` After the rotation use this function to get the new keys for the other devices: ````rust async fn finish_rotation(user: &mut StdUser) { user.finish_key_rotation().await.unwrap(); } ````