
refactor(auth): redesign authentication and identity models #481

Open
Harxhit wants to merge 3 commits into Dev-Card:main from Harxhit:feat-auth

Conversation

@Harxhit Harxhit commented Jun 6, 2026

Collaborator

Summary

#519

Redesign the authentication schema to improve account security, support multiple authentication providers, and provide a stronger foundation for future authentication features such as email/password, OAuth, and phone-based login.

Context

The previous authentication design stored provider-specific information directly on the User model, making it difficult to support multiple authentication methods for a single account.

This PR introduces a dedicated identity layer and enhances account management by separating authentication concerns from user profile data. The redesign also improves refresh token tracking, session management, account verification, and auditing capabilities.

Changes

Added roles

SUPERADMIN
ADMIN
USER

Users get the default user role.

User Identity Redesign

  • Introduced a dedicated UserIdentity model.

  • Moved authentication provider information out of the User model.

  • Users can now be associated with multiple authentication identities.

  • Added constraints and indexes for efficient provider lookups:

    • Unique (provider, providerId)
    • Indexed userId

Benefits:

  • Supports multiple login methods per account.
  • Simplifies future OAuth integrations.
  • Decouples authentication data from profile data.
  • Improves maintainability and extensibility of the authentication system.

User Model Improvements

Added:

  • emailVerified

    • Tracks email verification status.
    • Enables verification-gated features.
  • phoneNumber

    • Dedicated field for phone-based authentication.
    • Supports Firebase Phone Authentication and future SMS login flows.
  • lastSignInAt

    • Records the user's most recent successful sign-in.
    • Useful for auditing and account activity monitoring.
  • isActive

    • Allows accounts to be activated, suspended, or disabled without deletion.
    • Provides better account lifecycle management.

Refresh Token Enhancements

Extended refresh token storage to improve session security and token management.

Added:

  • family

    • Groups refresh tokens belonging to the same login session.
    • Enables refresh token rotation strategies.
    • Helps detect token reuse and session compromise.
  • tokenHash

    • Stores hashed refresh tokens instead of raw tokens.
    • Prevents token disclosure if the database is compromised.
  • userAgent

    • Stores device/browser information.
    • Improves session visibility and auditing.
  • ipHash (planned)

    • Stores a hashed representation of the client IP.
    • Adds an additional security signal while avoiding storage of raw IP addresses.

Benefits:

  • Stronger session management.
  • Secure refresh token rotation.
  • Improved compromise detection.
  • Better auditing and device tracking.
  • Reduced impact of database leaks.

Proofs

schemaMigration

vercel Bot commented Jun 6, 2026


@Harxhit is attempting to deploy a commit to the Prashantkumar Khatri's projects Team on Vercel.

A member of the Team first needs to authorize it.

github-actions Bot commented Jun 6, 2026


CI — Checks Failed

Backend — FAIL

Check Result
Lint SKIP
Test SKIP
Typecheck SKIP

Mobile — SKIP

Check Result
Lint -
Test -

Web — SKIP

Check Result
Check -
Build -

Last updated: Sun, 07 Jun 2026 15:48:58 GMT

@Harxhit Harxhit changed the title Feat auth refactor(auth): redesign authentication and identity models Jun 6, 2026
@Harxhit Harxhit added the gssoc:approved Required label for every approved PR. Gives the base +50 points and enables contribution tracking. label Jun 6, 2026
@Harxhit Harxhit requested a review from ShantKhatri June 6, 2026 12:04

@ShantKhatri ShantKhatri left a comment

Contributor

LGTM!

@ShantKhatri

Contributor

The checks are failing; this needs to be fixed before merge.

@Harxhit

Harxhit commented Jun 7, 2026

Collaborator Author

> The checks are failing; this needs to be fixed before merge.

The problem is with the workflow; I will make changes.
