Authentication — dot-cOS
dot-cOS delegates all authentication to Supabase Auth via the Central Portal.
Flow
```mermaid
sequenceDiagram
    participant U as User
    participant SB as Supabase Auth
    participant GW as API Gateway
    participant WS as Workflow Service
    U->>SB: Login (email + password)
    SB-->>U: JWT with app_metadata\n(activeTenantId, activeRole, tenants[])
    U->>GW: API request (Bearer JWT)
    GW->>SB: supabase.auth.getUser(token)
    SB-->>GW: Validated user + app_metadata
    GW->>GW: Extract activeTenantId from app_metadata
    GW->>GW: Set req.tenantId + x-tenant-id header
    GW->>WS: Proxy with x-tenant-id
    WS->>WS: resolveTenant reads x-tenant-id
    WS->>WS: Validate tenant in Central Registry
    WS-->>GW: Response
    GW-->>U: 200 OK
```
Tenant Status Checks
The Workflow Service validates tenant status against the Central Registry on every request:
| Status | Response |
|---|---|
| active | Request proceeds |
| suspended | 403 Forbidden |
| pending_payment | 402 Payment Required |
| Not found in Central Registry | 401 Unauthorized |
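The gateway's tenant extraction from the flow above and the Workflow Service's status table, as an added example that is not dot-cOS's own code. It assumes an Express-style lower-cased header object, stands in a `getUser` function for `supabase.auth.getUser`, and uses a constructed in-memory Central Registry so it runs offline.

```javascript
// Workflow Service side: map a Central Registry lookup to the HTTP outcome.
function tenantStatusToHttp(record) {
  if (!record) return 401;                       // not found in Central Registry
  switch (record.status) {
    case 'active':          return 200;          // request proceeds
    case 'suspended':       return 403;
    case 'pending_payment': return 402;
    default:                return 401;          // unknown status: fail closed (assumption)
  }
}

// Gateway side: given the validated user and inbound headers, pick the tenant
// and build the header set that is proxied to the Workflow Service.
function forwardHeadersFor(user, inboundHeaders) {
  // activeTenantId is read from app_metadata only (set server-side by Supabase);
  // user_metadata is client-editable and is deliberately not consulted.
  const tenantId = user?.app_metadata?.activeTenantId;
  if (typeof tenantId !== 'string' || tenantId === '') return null;
  // Drop any client-supplied x-tenant-id: the gateway is the sole source of it.
  const { 'x-tenant-id': _clientSupplied, ...rest } = inboundHeaders;
  return { ...rest, 'x-tenant-id': tenantId };
}

// Full gateway step: Bearer token -> getUser -> headers for the proxy call.
async function resolveTenant(inboundHeaders, getUser) {
  const match = /^Bearer (\S+)$/.exec(inboundHeaders.authorization || '');
  if (!match) return { status: 401 };
  const { data, error } = await getUser(match[1]);
  if (error || !data?.user) return { status: 401 };
  const forward = forwardHeadersFor(data.user, inboundHeaders);
  return forward ? { status: 200, forward } : { status: 401 };
}

// Constructed sample data (not real tenants): a Central Registry snapshot and a
// token lookup shaped like supabase.auth.getUser's result.
const CENTRAL_REGISTRY = {
  'tenant-a': { status: 'active' },
  'tenant-b': { status: 'suspended' },
  'tenant-c': { status: 'pending_payment' },
};
async function fakeGetUser(token) {
  if (token !== 'valid-token') return { data: { user: null }, error: { message: 'invalid JWT' } };
  return { data: { user: { id: 'u1', app_metadata: { activeTenantId: 'tenant-a' } } }, error: null };
}

// Workflow Service entry: resolveTenant reads x-tenant-id, then validates status.
function workflowServiceStatus(forwardedHeaders) {
  return tenantStatusToHttp(CENTRAL_REGISTRY[forwardedHeaders['x-tenant-id']]);
}
```

Note that a client sending its own `x-tenant-id` never reaches the Workflow Service with that value; only the id taken from the validated token's `app_metadata` is forwarded.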
SSO Deep Links
The Admin Portal generates SSO deep links into cos-admin.dotevolve.net:
https://cos-admin.dotevolve.net/#/auth/sso?token=<jwt>&tenantId=<id>
The /auth/sso route validates the JWT, sets the Supabase session, and redirects to the dashboard.
App-Specific Roles
dot-cOS has its own role model (Company Secretary, CFO, etc.) stored in the Prisma Role table. These are separate from the platform roles (tenant-admin, user) in the Central Registry.
```mermaid
graph LR
    CR[Central Registry\nuser_tenant_roles\ntenant-admin / user] -->|platform access| GW[API Gateway]
    PR[Prisma Role table\nCompany Secretary / CFO] -->|app-level permissions| WS[Workflow Service]
```