dbis_core/frontend/LOGIN_AND_ENDPOINTS.md
2026-04-18 12:05:17 -07:00

DBIS Portal Login Credentials & Endpoints

Last Updated: 2026-04-15


Login Credentials

Current Authentication Status

The portals now use the backend /api/auth/* endpoints. The old mock-auth behavior is no longer active.

There are now two supported login patterns:

  • core.d-bis.org and admin.d-bis.org use employee-backed portal auth.
  • secure.d-bis.org uses member-backed portal auth.

Login Instructions

  1. Go to the portal surface you need:
    • https://core.d-bis.org/login
    • https://admin.d-bis.org/login
    • https://secure.d-bis.org/login
  2. Enter the username for that surface.
  3. Enter the matching secret or credential.
  4. Click Sign In.
  5. For core and admin, enter the 6-digit authenticator code when prompted if MFA is enabled on the employee account.

Credential Rules

Employee-backed surfaces: core and admin

The username must match an active employee_credentials record by employee ID or email.

The password must match the employee's stored portalPasswordHash credential.

If MFA is enabled, the login flow requires a valid TOTP code after the password step.

Member surface: secure

The username must match an active portal_member_accounts record by member ID or email.

The password must match the member account's stored portalPasswordHash credential.

The member account must also be approved and linked to either:

  • a live participant record with GLEIF-backed LEI validation, or
  • a stored institution snapshot containing a registry-validated LEI, institution name, and country.

Frontend Routes (Client-Side)

Public Routes

| Route | Description | Component |
| --- | --- | --- |
| /login | Login page | LoginPage |
| /404 | 404 error page | PageError |
| /403 | 403 forbidden page | PageError |
| /500 | 500 server error page | PageError |

Protected Routes (Require Authentication)

DBIS Admin Console Routes

| Route | Description | Component |
| --- | --- | --- |
| / | Redirects to /dbis/overview | - |
| /dbis/overview | Global Overview Dashboard | DBISOverviewPage |
| /dbis/participants | Participants & Jurisdictions | DBISParticipantsPage |
| /dbis/gru | GRU Command Center | DBISGRUPage |
| /dbis/gas-qps | GAS & QPS Control Panel | DBISGASQPSPage |
| /dbis/cbdc-fx | CBDC & FX Management | DBISCBDCFXPage |
| /dbis/metaverse-edge | Metaverse & Edge Management | DBISMetaverseEdgePage |
| /dbis/risk-compliance | Risk & Compliance Dashboard | DBISRiskCompliancePage |

SCB Admin Console Routes

| Route | Description | Component |
| --- | --- | --- |
| /scb/overview | SCB Overview Dashboard | SCBOverviewPage |
| /scb/fi-management | FI Management & Nostro/Vostro | SCBFIManagementPage |
| /scb/corridors | Corridor & FX Policy | SCBCorridorPolicyPage |

Backend API Endpoints

Base URL

Development: http://localhost:3000
Production: Configured via VITE_API_BASE_URL environment variable
Default: http://192.168.11.150:3000 (based on deployment config)

Authentication Endpoints

| Method | Endpoint | Description | Status |
| --- | --- | --- | --- |
| POST | /api/auth/login | Portal login | Live |
| POST | /api/auth/logout | Portal logout | Live |
| GET | /api/auth/me | Resolve current portal user from token | Live |
| POST | /api/auth/password/change | Authenticated password rotation | Live |
| POST | /api/auth/password/reset/request | Record password reset request | Live |
| POST | /api/auth/password/reset/complete | Complete reset with one-time token | Live |
| GET | /api/auth/mfa/status | Employee MFA status | Live |
| POST | /api/auth/mfa/setup | Generate employee MFA enrollment secret | Live |
| POST | /api/auth/mfa/enable | Enable employee MFA | Live |
| POST | /api/auth/mfa/disable | Disable employee MFA | Live |
| POST | /api/auth/admin/accounts/employee | Issue or update employee portal account | Live |
| GET | /api/auth/admin/accounts/member | List member portal accounts | Live |
| POST | /api/auth/admin/accounts/member | Issue member portal account | Live |
| POST | /api/auth/admin/accounts/member/:memberId/approve | Approve member portal account | Live |
| POST | /api/auth/admin/password-reset/issue | Issue one-time reset token | Live |
| POST | /api/auth/admin/accounts/deactivate | Deactivate employee or member account | Live |
| POST | /api/auth/refresh | Refresh token | Not implemented |

DBIS Admin API Endpoints

Dashboard & Overview

| Method | Endpoint | Description |
| --- | --- | --- |
| GET | /api/admin/dbis/dashboard/overview | Global overview dashboard data |
| GET | /api/admin/dbis/participants | List all participants |
| GET | /api/admin/dbis/participants/:scbId | Get participant details |
| GET | /api/admin/dbis/participants/:scbId/jurisdiction | Get jurisdiction settings |
| GET | /api/admin/dbis/corridors | Get all corridors |

GRU Command Center

| Method | Endpoint | Description |
| --- | --- | --- |
| GET | /api/admin/dbis/gru/command | GRU command dashboard |
| POST | /api/admin/dbis/gru/issuance/proposal | Create GRU issuance proposal |
| POST | /api/admin/dbis/gru/lock | Lock/unlock GRU class |
| POST | /api/admin/dbis/gru/circuit-breakers | Set circuit breakers |
| POST | /api/admin/dbis/gru/bonds/window | Manage bond issuance window |
| POST | /api/admin/dbis/gru/bonds/buyback | Trigger emergency buyback |

GAS & QPS

| Method | Endpoint | Description |
| --- | --- | --- |
| GET | /api/admin/dbis/gas-qps | GAS & QPS dashboard |

CBDC & FX

| Method | Endpoint | Description |
| --- | --- | --- |
| GET | /api/admin/dbis/cbdc-fx | CBDC & FX dashboard |

Metaverse & Edge

| Method | Endpoint | Description |
| --- | --- | --- |
| GET | /api/admin/dbis/metaverse-edge | Metaverse & Edge dashboard |

Risk & Compliance

| Method | Endpoint | Description |
| --- | --- | --- |
| GET | /api/admin/dbis/risk-compliance | Risk & Compliance dashboard |

Network Controls

| Method | Endpoint | Description |
| --- | --- | --- |
| POST | /api/admin/dbis/network/quiesce | Quiesce subsystem |
| POST | /api/admin/dbis/network/kill-switch | Activate kill switch |
| POST | /api/admin/dbis/network/escalate | Escalate incident |

Corridor Controls

| Method | Endpoint | Description |
| --- | --- | --- |
| POST | /api/admin/dbis/corridors/caps | Adjust corridor caps |
| POST | /api/admin/dbis/corridors/throttle | Throttle corridor |
| POST | /api/admin/dbis/corridors/enable-disable | Enable/disable corridor |

Liquidity Engine

| Method | Endpoint | Description |
| --- | --- | --- |
| GET | /api/admin/liquidity/decision-map | Get liquidity decision map |
| PUT | /api/admin/liquidity/decision-map | Update liquidity decision map |
| GET | /api/admin/liquidity/quotes | Get liquidity quotes |
| GET | /api/admin/liquidity/routing-stats | Get routing statistics |
| POST | /api/admin/liquidity/simulate-route | Simulate routing |

SCB Admin API Endpoints

SCB Overview

| Method | Endpoint | Description |
| --- | --- | --- |
| GET | /api/admin/scb/dashboard/overview | SCB overview dashboard |

FI Management

| Method | Endpoint | Description |
| --- | --- | --- |
| GET | /api/admin/scb/fi | Get FI management dashboard |
| POST | /api/admin/scb/fi/approve-suspend | Approve or suspend FI |
| POST | /api/admin/scb/fi/limits | Set FI limits |
| POST | /api/admin/scb/fi/api-profile | Assign API profile |

Corridor & FX Policy

| Method | Endpoint | Description |
| --- | --- | --- |
| GET | /api/admin/scb/corridors | Get corridor policy dashboard |

CBDC & GRU Controls

| Method | Endpoint | Description |
| --- | --- | --- |
| POST | /api/admin/scb/cbdc/parameters | Update CBDC parameters |
| POST | /api/admin/scb/gru/policy | Update GRU policy |

🔑 Authentication Details

Current Implementation

  • Type: Live backend-backed portal authentication
  • Token Storage: sessionStorage (cleared on tab close)
  • Token Format: SOV-TOKEN <token>
  • Token Header: Authorization: SOV-TOKEN <token>
  • Employee MFA: TOTP for core and admin when enabled on the employee record
  • Lockout Policy: Failed login attempts trigger temporary account lockout
  • Password Lifecycle: Change-password, admin-issued reset token, and reset completion flows are available

Request Headers

All API requests include:

Authorization: SOV-TOKEN <token>
X-SOV-Timestamp: <timestamp>
X-SOV-Nonce: <random-nonce>
Content-Type: application/json
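
The header set above, as an added example that is not part of the DBIS code base: a client-side builder for the four headers and a replay check a backend could apply to them. The page does not document the timestamp or nonce formats or how the server validates them, so the epoch-millisecond timestamp, the 16-byte hex nonce, the 5-minute window and the names `buildSovHeaders` and `createReplayGuard` are all assumptions.

```javascript
// Added example, not DBIS code. Assumed formats: timestamp = epoch milliseconds
// as a decimal string, nonce = 16 random bytes in hex, freshness window = 5 min.
const MAX_SKEW_MS = 5 * 60 * 1000;

function defaultRandomBytes(n) {
  // Web Crypto CSPRNG (browser or recent Node); never Math.random for nonces.
  return globalThis.crypto.getRandomValues(new Uint8Array(n));
}

// Client side: build the four headers listed above for one request.
function buildSovHeaders(token, nowMs = Date.now(), randomBytes = defaultRandomBytes) {
  if (typeof token !== 'string' || token.length === 0) {
    throw new Error('missing portal token');
  }
  const nonce = Array.from(randomBytes(16), (b) => b.toString(16).padStart(2, '0')).join('');
  return {
    Authorization: `SOV-TOKEN ${token}`,
    'X-SOV-Timestamp': String(nowMs),
    'X-SOV-Nonce': nonce,
    'Content-Type': 'application/json',
  };
}

// Server side (hypothetical): reject stale timestamps and reused nonces.
// Takes the header object as built above; a real server would first
// normalise header-name case, since HTTP header names are case-insensitive.
function createReplayGuard(maxSkewMs = MAX_SKEW_MS) {
  const seen = new Map(); // nonce -> last instant its timestamp is still fresh
  return function check(headers, nowMs = Date.now()) {
    for (const [nonce, expiry] of seen) {
      if (expiry < nowMs) seen.delete(nonce); // timestamp check covers it now
    }
    if (!/^SOV-TOKEN \S+$/.test(headers.Authorization || '')) return 'bad-authorization';
    const ts = headers['X-SOV-Timestamp'] || '';
    if (!/^\d{1,15}$/.test(ts)) return 'bad-timestamp';
    if (Math.abs(nowMs - Number(ts)) > maxSkewMs) return 'stale-timestamp';
    const nonce = headers['X-SOV-Nonce'] || '';
    if (!/^[0-9a-f]{32}$/.test(nonce)) return 'bad-nonce';
    if (seen.has(nonce)) return 'replayed-nonce';
    seen.set(nonce, Number(ts) + maxSkewMs);
    return 'ok';
  };
}
```

The guard only has to remember a nonce for as long as its timestamp would still pass the freshness check, which keeps the cache bounded.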

User Roles

| Role | Permissions | Access Level |
| --- | --- | --- |
| DBIS_Super_Admin | ['all'] | Full access to all features |
| DBIS_Ops | Specific permissions | DBIS operations access |
| DBIS_Risk | Specific permissions | Risk & compliance access |
| SCB_Admin | SCB-specific | SCB-level access only |

Quick Reference

Login

  • Core: https://core.d-bis.org/login
  • Admin: https://admin.d-bis.org/login
  • Member: https://secure.d-bis.org/login
  • After Login: Redirects to the runtime portal home route

Main Dashboards

  • Core Overview: https://core.d-bis.org/
  • Admin Overview: https://admin.d-bis.org/
  • Member Overview: https://secure.d-bis.org/

API Base URL

  • Default: http://192.168.11.150:3000
  • Configurable: Via VITE_API_BASE_URL environment variable

Important Notes

  1. Real portal auth: The frontend calls the backend auth routes and no longer accepts arbitrary credentials.
  2. Backend required: Portal login depends on the live DBIS API.
  3. Token format: Portal sessions use JWT bearer tokens.
  4. Session storage: Tokens and user state are kept in sessionStorage.
  5. Member surface: secure.d-bis.org uses the member shared-secret login path.

Next Steps

  1. Replace shared-secret employee bootstrap access with individually managed credentials only.
  2. Add token refresh or httpOnly cookie sessions.
  3. Add role-specific operator runbooks for issuing portal accounts.