Kenya's Leading Real Estate Marketplace

User Authentication

Kenya Estates employs a robust and secure user authentication system to protect user accounts and data. This section details the various authentication processes available on the platform.

1. Account Registration (Sign Up)

New users can create an account to access personalized features, save preferences, and list properties (if applicable).

Process:

  1. Users navigate to the Sign Up page.
  2. They are required to provide:
    • Full Name
    • A valid Email Address (which serves as the unique identifier/username)
    • A strong Password (meeting complexity requirements displayed on the form)
    • Optionally, a Phone Number
  3. Users must agree to the platform's Terms of Service and Privacy Policy.
  4. Upon submission, the system validates the input. If successful, a new user account is created.
  5. Email Verification: An email containing a verification link is typically sent to the provided email address. Users must click this link to activate their account and enable full access. This step is crucial for verifying email ownership and reducing spam accounts.

Relevant files: app/signup/page.tsx, components/auth/signup-form.tsx, app/actions/auth-actions.ts

2. User Login

Registered users can access their accounts through the login page.

Process:

  1. Users navigate to the Login page.
  2. They enter their registered Email Address and Password.
  3. The system authenticates the credentials against the stored user data.
  4. Upon successful authentication, a session is established, and the user is typically redirected to their dashboard or the homepage.
  5. Failed Login Attempts: The system may implement measures like rate limiting or CAPTCHA after multiple failed attempts to prevent brute-force attacks.

Relevant files: app/login/page.tsx, components/auth/login-form.tsx, app/actions/auth-actions.ts

3. Password Recovery

Users who have forgotten their password can securely reset it.

Forgot Password Process:

  1. On the Login page, users can click the "Forgot Password?" link, which directs them to the Forgot Password page.
  2. The user enters their registered email address.
  3. If the email address exists in the system, a password reset link is sent to that email. This link is typically time-sensitive and single-use for security.

Reset Password Process:

  1. The user clicks the reset link in their email, which directs them to the Reset Password page, often with a unique token in the URL.
  2. The user is prompted to enter a new password and confirm it.
  3. The new password must meet the platform's strength requirements.
  4. Upon successful submission, the password is updated in the database.

Relevant files: app/forgot-password/page.tsx, components/auth/forgot-password-form.tsx, app/reset-password/page.tsx, components/auth/reset-password-form.tsx, app/actions/auth-actions.ts, lib/email.ts (for sending reset emails).
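The two flows above hinge on the reset token being time-sensitive and single-use. The following is an added illustration written for this page, not code from the Kenya Estates repository: it uses constructed in-memory stand-ins for the user and token tables, an assumed 15-minute lifetime, and hypothetical function names (requestPasswordReset, consumeResetToken) to show how a server action could issue a token, store only its hash, answer the form identically whether or not the address is registered, and accept the token exactly once before it expires.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// Constructed in-memory stand-ins for the user table and reset-token table;
// the real project would persist these through its database layer.
const knownUsers = new Set<string>(["jane@example.com"]);
interface ResetRecord { tokenHash: string; expiresAt: number; used: boolean }
const resetRecords = new Map<string, ResetRecord>(); // keyed by email

export const RESET_TTL_MS = 15 * 60 * 1000; // assumed lifetime of a reset link
export const NEUTRAL_REPLY = "If that address is registered, a reset link has been sent.";

const sha256 = (s: string): Buffer => createHash("sha256").update(s).digest();

// Forgot Password, step 3. A token is issued only for a registered address, but
// the caller receives the same reply either way, so the form does not reveal
// which emails exist. Only the token's hash is stored, so a leaked table row
// cannot be turned back into a working link. The raw token is returned here
// solely so the mail sender can embed it in the emailed URL.
export function requestPasswordReset(email: string, now = Date.now()): { reply: string; token?: string } {
  if (!knownUsers.has(email)) return { reply: NEUTRAL_REPLY };
  const token = randomBytes(32).toString("hex");
  resetRecords.set(email, {
    tokenHash: sha256(token).toString("hex"),
    expiresAt: now + RESET_TTL_MS,
    used: false,
  });
  return { reply: NEUTRAL_REPLY, token };
}

// Reset Password, steps 1 and 4. The token from the URL is accepted only if it
// is unexpired, unused, and matches the stored hash (compared in constant time).
// A successful check burns the token so the same link cannot be replayed.
export function consumeResetToken(email: string, token: string, now = Date.now()): boolean {
  const rec = resetRecords.get(email);
  if (!rec || rec.used || now > rec.expiresAt) return false;
  const expected = Buffer.from(rec.tokenHash, "hex");
  const actual = sha256(token);
  if (expected.length !== actual.length || !timingSafeEqual(expected, actual)) return false;
  rec.used = true; // single-use: the link is dead after this
  return true;
}
```

In the real action the password update from step 4 would run only after consumeResetToken returns true, inside the same transaction that marks the token used.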

4. Session Management

Secure session management is critical for maintaining user authentication state. The platform likely uses HTTP-only cookies or similar secure mechanisms to manage sessions; the HttpOnly flag keeps the session cookie out of reach of page scripts, which limits the damage of a Cross-Site Scripting (XSS) flaw, since the token cannot simply be read and exfiltrated. Sessions may have an expiration time, requiring users to log in again after a period of inactivity or a set duration.

Relevant files: middleware.ts (often handles session validation), lib/auth.ts (might contain session logic).

5. Security Considerations

  • Password Hashing: Passwords are not stored in plaintext. They are hashed using strong, modern cryptographic algorithms (e.g., bcrypt, Argon2) with salts. Supabase, if used for authentication, handles this securely.
  • Input Validation: All user inputs (email, password) are validated on both client-side and server-side to prevent injection attacks and ensure data integrity.
  • Secure Communication: All authentication-related communication occurs over HTTPS to encrypt data in transit.
  • Role-Based Access Control (RBAC): Strictly an authorization concern rather than authentication, but closely related. Once authenticated, users may have different roles (e.g., regular user, agent, admin) that determine their access permissions. This is often managed server-side. (See app/actions/admin-actions.ts for hints of admin roles).

This comprehensive authentication system ensures that user accounts are secure and accessible, forming the foundation of trust for the Kenya Estates platform.