Sign in / Sign up
- Path: /sign-in and /sign-up (or unified /auth) (TBD)
- Parent: app.conversioniq.ai.md
Purpose (business goal)
Authenticate users to access ConversionIQ workspaces and apps.
User roles & permissions
- Unauthenticated users only.
- Authenticated users should be redirected to their destination.
Reference: Domain: Authentication & Identity
Reference: Roles & Permissions Model
Layout structure
- ConversionIQ logo header
- Auth card (single-column, centered)
- Sign in screen (email-only for MVP)
- Sign up screen (first name, last name, email, company, phone)
- Verify your identity screen (verification code entry)
- Legal/consent links (Terms of Service, Privacy Policy)
- SSO hooks (future)
Components used
TBD
States
- Empty: first load
- Loading: requesting verification code / submitting verification
- Error:
  - invalid email format (TBD)
  - verification failed (invalid/expired code) (TBD)
  - locked account / abuse protection triggered (TBD)
- Complete: session created + redirect
Business logic (high-level)
- Sign in (MVP):
  - User enters email and proceeds to verification.
  - Email existence is validated against server user records (not browser-local storage), so sign-in works from external/new browsers.
  - User must enter a verification code to create a session.
  - Sign-in does not re-write profile fields; profile data is established by sign-up.
- Sign up (MVP):
  - User provides required fields (first name, last name, email, company, phone).
  - System sends a verification code to the provided email.
  - User must verify to complete sign-up and create a session.
- Verify your identity (shared step):
  - Verification code entry gate used to complete sign-in/sign-up.
  - MVP simplification: verification code is fixed to 123456 (must be replaced post-MVP).
- Post-auth:
  - Route user into the Get Started fullscreen overlay (Get Started – Stepper (3 steps)).
  - Access to authenticated platform surfaces (/account/*, /get-started/*, /profile/*) requires a complete sign-up profile (first name, last name, email, company, phone). Incomplete profiles are redirected to /sign-up.
  - If the overlay is dismissed/closed, route the user to Account → Dashboard (Account – Dashboard).
  - Closing/dismissing the overlay does not complete onboarding; it will appear again on the next authenticated entry until onboarding is complete.
  - Onboarding is considered complete only after the user completes Step 3: Train ConversionIQ AI; only then should the user bypass the overlay and land on Account → Dashboard by default.
Domain refs:
API dependencies
- POST /auth/sign-in (initiate verification for email) (TBD)
- POST /auth/sign-up (create pending user + send email verification) (TBD)
- POST /auth/verify (verify code and create session) (TBD)
Enterprise constraints
- SSO (SAML/OIDC) readiness (future)
- Password policies (TBD)
- Verification must be rate-limited and abuse-protected (TBD)
Edge cases
- Account exists but not assigned to any workspace
- Forced password reset
- Verification email delayed or blocked; allow resend with throttling (TBD)
- Sign-up email already exists; expected behavior is TBD
Security & compliance considerations
- Brute-force protections
- CSRF protections (if cookie-based)
- Verification codes must not be static outside MVP; implement expiry and throttling post-MVP (TBD)
Reference: Security & Compliance
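One way to meet the post-MVP requirement above (random, expiring, attempt-limited codes in place of the fixed 123456), shown as an added example that is not ConversionIQ's code. `VerificationStore`, the 10-minute TTL and the 5-attempt cap are assumptions, since the page leaves those values TBD.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 600  # assumed value; the page leaves expiry TBD
MAX_ATTEMPTS = 5        # assumed value; the page leaves throttling TBD


class VerificationStore:
    """In-memory stand-in for server-side code storage (hypothetical helper)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._key = secrets.token_bytes(32)  # HMAC key so codes are not stored in clear
        self._pending = {}  # email -> [digest, expires_at, attempts_left]

    def _digest(self, email, code):
        return hmac.new(self._key, f"{email}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, email):
        """Create a fresh random 6-digit code, replacing any earlier one."""
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, never a fixed value
        self._pending[email] = [self._digest(email, code),
                                self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code  # sent by email only, never echoed in the HTTP response

    def verify(self, email, submitted):
        """Return 'ok', 'invalid', 'expired' or 'locked'."""
        entry = self._pending.get(email)
        if entry is None:
            return "invalid"
        digest, expires_at, attempts_left = entry
        if attempts_left <= 0:
            return "locked"
        if self._clock() >= expires_at:
            del self._pending[email]
            return "expired"
        entry[2] = attempts_left - 1  # count the attempt before comparing
        if hmac.compare_digest(digest, self._digest(email, submitted)):
            del self._pending[email]  # single use: a verified code cannot be replayed
            return "ok"
        return "locked" if entry[2] == 0 else "invalid"
```

The return values map onto the error states listed under States. Throttling of `issue()` itself (the resend case under Edge cases) is not covered here and would need its own per-email and per-IP limits.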
Analytics events (if applicable)
- auth.sign_in.success
- auth.sign_in.failure
- Sign-up and verification analytics events are TBD (do not emit PII)
Reference: Analytics Events (MVP)