# Authentication

## Handle authentication callback

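> Validates the provided access token and, when supplied, the optional refresh token. Both are sent in the JSON request body; the endpoint returns 401 when no access token is provided or the token is invalid.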

```json
{"openapi":"3.0.0","info":{"title":"sfp server","version":"51.3.0"},"paths":{"/sfp/api/auth/callback":{"post":{"operationId":"AuthController_handleCallback","summary":"Handle authentication callback","description":"Validates the provided access token and optional refresh token","parameters":[],"requestBody":{"required":true,"content":{"application/json":{"schema":{"$ref":"#/components/schemas/AuthCallbackDto"}}}},"responses":{"200":{"description":"Authentication successful","content":{"application/json":{"schema":{"$ref":"#/components/schemas/AuthCallbackResponse"}}}},"401":{"description":"Unauthorized - No access token provided or invalid token"},"500":{"description":"Internal server error"}},"tags":["Authentication"]}}},"components":{"schemas":{"AuthCallbackDto":{"type":"object","properties":{"access_token":{"type":"string","description":"The access token for authentication"},"refresh_token":{"type":"string","description":"Optional refresh token"}},"required":["access_token"]},"AuthCallbackResponse":{"type":"object","properties":{"success":{"type":"boolean","description":"Indicates if the operation was successful"},"data":{"type":"object","description":"The response data from auth service"}},"required":["success","data"]}}}}
```

## Resolve provider email aliases

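> Validates the access token (without membership lookup), then uses the GitHub provider token to fetch all verified emails and stores them as aliases for user matching. This endpoint is public to avoid a bootstrap deadlock in which a user with a mismatched email cannot authenticate to reach it. Because the endpoint is public, the access token in the request body is the only identity check described here. The spec documents only a 200 response; responses for an invalid access token or provider token are not listed.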

```json
{"openapi":"3.0.0","info":{"title":"sfp server","version":"51.3.0"},"paths":{"/sfp/api/auth/resolve-emails":{"post":{"operationId":"AuthController_resolveEmails","summary":"Resolve provider email aliases","description":"Validates the access token (without membership lookup) and uses the GitHub provider token to fetch all verified emails and store them as aliases for user matching. This endpoint is public to avoid a bootstrap deadlock where a user with a mismatched email cannot authenticate to reach this endpoint.","parameters":[],"requestBody":{"required":true,"content":{"application/json":{"schema":{"$ref":"#/components/schemas/ResolveEmailsDto"}}}},"responses":{"200":{"description":"Email aliases resolved and stored","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ResolveEmailsResponse"}}}}},"tags":["Authentication"]}}},"components":{"schemas":{"ResolveEmailsDto":{"type":"object","properties":{"access_token":{"type":"string","description":"The Supabase access token (JWT) for identity verification"},"provider_token":{"type":"string","description":"The GitHub OAuth provider token"}},"required":["access_token","provider_token"]},"ResolveEmailsResponse":{"type":"object","properties":{"aliases":{"description":"List of verified email aliases stored","type":"array","items":{"type":"string"}}},"required":["aliases"]}}}}
```

## Admin login with username and password

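> Authenticates an admin user with email and password credentials. The request body takes `email` and `password`; despite the heading, there is no separate username field. Documented failure responses are 401 (invalid credentials or insufficient permissions), 429 (rate limit exceeded) and 500.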

```json
{"openapi":"3.0.0","info":{"title":"sfp server","version":"51.3.0"},"paths":{"/sfp/api/auth/admin/login":{"post":{"operationId":"AuthController_adminLogin","summary":"Admin login with username and password","description":"Authenticates an admin user with email and password credentials","parameters":[],"requestBody":{"required":true,"content":{"application/json":{"schema":{"$ref":"#/components/schemas/AdminLoginDto"}}}},"responses":{"200":{"description":"Authentication successful","content":{"application/json":{"schema":{"$ref":"#/components/schemas/AdminLoginResponse"}}}},"401":{"description":"Unauthorized - Invalid credentials or insufficient permissions"},"429":{"description":"Too Many Requests - Rate limit exceeded"},"500":{"description":"Internal server error"}},"tags":["Authentication"]}}},"components":{"schemas":{"AdminLoginDto":{"type":"object","properties":{"email":{"type":"string","description":"Email address of the admin user"},"password":{"type":"string","description":"Password for the admin user"}},"required":["email","password"]},"AdminLoginResponse":{"type":"object","properties":{"success":{"type":"boolean","description":"Indicates if the login was successful"},"access_token":{"type":"string","description":"Access token for authenticated requests"},"refresh_token":{"type":"string","description":"Refresh token for obtaining new access tokens"},"user":{"type":"object","description":"User information"},"error":{"type":"string","description":"Error message if login failed"}},"required":["success","access_token","refresh_token","user","error"]}}}}
```

## Login (if required) and continue to the requested action

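> Renders a dynamic login page. If the user is already authenticated, the endpoint proceeds directly to the requested action with the provided parameters. It is used as an entry point for browser-based, context-aware authentication and routing. Both `action` and `params` are required query-string parameters, so their values are supplied by whoever constructs the link. The parameter descriptions spell the action as both `frontdoorUrl` and `frontDoorUrl`.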

```json
{"openapi":"3.0.0","info":{"title":"sfp server","version":"51.3.0"},"paths":{"/sfp/api/auth/continue":{"get":{"operationId":"AuthController_continue","summary":"Login (if required) and continue to the requested action","description":"Renders a dynamic login page. If the user is already authenticated, proceeds directly to the requested action with provided parameters. Used as an entry point for browser-based, context-aware authentication and routing.","parameters":[{"name":"action","required":true,"in":"query","description":"The action to continue to after login (e.g., frontdoorUrl)","schema":{"type":"string"}},{"name":"params","required":true,"in":"query","description":"Comma-separated key:value pairs for action context. For frontDoorUrl action: targetOrg:myorg (required), repository:org/repo (optional), prodOrg:prod@salesforce.com (optional)","schema":{"type":"string"}}],"responses":{"200":{"description":"HTML page for login and continuation."}},"tags":["Authentication"]}}}}
```
