search
HomeGithubDiscordBlog

03 - Login and Broker Login Flow

hashtag
Overview

OpenAlgo implements a two-phase authentication system:

  1. User Authentication - Username/password login to OpenAlgo

  2. Broker Authentication - OAuth2/TOTP/API-based login to trading broker

This design ensures users first authenticate with OpenAlgo before connecting to their broker account.

hashtag
Authentication Flow Diagram

hashtag
Phase 1: User Authentication

hashtag
Initial Setup Check

On first access, the system checks if any users exist:

Flow:

  • No users → Redirect to /setup for first-time configuration

  • Users exist → Show login page

hashtag
Login Endpoint

Endpoint: POST /auth/login

Rate Limits:

  • 5 per minute

  • 25 per hour

hashtag
Password Validation

Passwords must meet these requirements:

hashtag
Password Hashing

User passwords are hashed using Argon2 with pepper:

hashtag
Phase 2: Broker Authentication

hashtag
Broker Types and Auth Methods

OpenAlgo supports 29 brokers with different authentication methods:

Auth Type
Brokers
Flow

OAuth2

Zerodha, Fyers, Flattrade, Dhan, ICICI, Pocketful

Redirect → Callback with code

TOTP

Angel, 5Paisa, Kotak, Shoonya, Firstock, AliceBlue, Motilal

Form + TOTP code

OTP

Definedge

Email/SMS OTP verification

API Key

Dhan (direct), Groww, IndMoney

Direct token auth

XTS

5PaisaXTS, JainamXTS, IIFL, Wisdom

Server-to-server token

hashtag
OAuth2 Flow (e.g., Zerodha)

hashtag
TOTP Flow (e.g., Angel)

hashtag
Broker Callback Handler

The universal callback handler processes all broker authentication:

hashtag
Authentication Success Handler

After successful broker authentication:

hashtag
Session Management

hashtag
Session Data Structure

hashtag
Session Expiry

Sessions expire daily at 3:30 AM IST to align with market schedules:

hashtag
Session Cookie Security

hashtag
Token Storage

hashtag
Auth Token Encryption

Broker auth tokens are encrypted before database storage:

hashtag
Database Schema (Auth)

hashtag
Password Reset Flow

hashtag
Reset Methods

  1. TOTP-based - Using authenticator app

  2. Email-based - Reset link sent to registered email

hashtag
Reset Endpoint

hashtag
Frontend Session Sync

hashtag
React AuthSync Component

The React frontend synchronizes with Flask session state:

hashtag
Session Status Endpoint

hashtag
Logout Flow

hashtag
Security Considerations

hashtag
Rate Limiting

Endpoint
Limit

/auth/login

5/min, 25/hour

/{broker}/callback

5/min, 25/hour

/auth/reset-password

15/hour

hashtag
User Enumeration Prevention

Password reset always returns success regardless of email existence:

hashtag
CSRF Protection

All POST endpoints (except webhooks) require CSRF tokens:

hashtag
Key Files Reference

File
Purpose

blueprints/auth.py

User authentication endpoints

blueprints/brlogin.py

Broker callback handlers

utils/auth_utils.py

Auth helpers, password validation

database/auth_db.py

Auth token storage with encryption

database/user_db.py

User model with Argon2 hashing

utils/session.py

Session expiry calculation

frontend/src/stores/authStore.ts

Client-side auth state

frontend/src/components/auth/AuthSync.tsx

Session synchronization

Previous02 - Backend ArchitectureNext04 - Cache Architecture

Last updated