🔐 Authentication & License Management
User login, license key validation, token management, and API integration.
Overview
ThermX includes a token-based authentication system for license validation and user account management. The system supports:
- Email/password login — Traditional user accounts
- License key authentication — Direct license code validation
- Token persistence — localStorage-based token storage
- Session management — Token validation and logout
Architecture
Components
Authentication API (src/api/auth.ts)
High-level functions for login and token validation:
```typescript
export async function login(email: string, password: string): Promise<void>
export async function loginWithLicence(licence: string): Promise<void>
export async function validateToken(): Promise<boolean>
export function logout(): void
```
Token Store (src/auth/tokenStore.ts)
Low-level token persistence (localStorage wrapper):
```typescript
export function saveToken(token: string): void
export function loadToken(): string | null
export function clearToken(): void
```
API Endpoints
POST /api/auth/login
Email/password authentication.
Request:
```json
{
  "email": "user@example.com",
  "password": "secret123"
}
```
Response (200 OK):
```json
{
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}
```
Error (401):
Unauthorized: Invalid credentials
POST /api/auth/license
License key validation.
Request:
```json
{
  "licence": "THERMX-2026-XXXXX"
}
```
Response (200 OK):
```json
{
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}
```
Error (400):
License validation failed: Invalid or expired key
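The following is an added example, not the project's own src/api/auth.ts: a client for the two endpoints documented above, written with the HTTP transport and the token store injected so it can be exercised offline. It maps the documented status codes (401 for login, 400 for license validation) to the documented error messages without echoing the submitted secret, and refuses to persist a response that carries no token. The names createAuthClient, AuthError, TokenStore, FetchLike, memoryStore and fakeThermxServer, and the fake backend's accepted credentials, are assumptions for the example.

```typescript
// Added example (not the project's src/api/auth.ts). The transport (FetchLike)
// and the TokenStore are injected so the client runs without a browser or network.
export interface TokenStore {
  save(token: string): void;
  load(): string | null;
  clear(): void;
}

// Minimal subset of the fetch Response surface the client needs.
export interface HttpResponse {
  status: number;
  json(): Promise<unknown>;
}
export type FetchLike = (
  url: string,
  init: { method: string; headers: Record<string, string>; body: string },
) => Promise<HttpResponse>;

export class AuthError extends Error {
  constructor(message: string, public readonly status: number) {
    super(message);
    this.name = "AuthError";
  }
}

export function createAuthClient(baseUrl: string, fetchImpl: FetchLike, store: TokenStore) {
  // Shared POST path: both endpoints accept a JSON body and return { token }.
  async function obtainToken(path: string, body: Record<string, string>): Promise<void> {
    const res = await fetchImpl(`${baseUrl}${path}`, {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify(body),
    });
    // Map the documented status codes to the documented messages. The message
    // never includes the submitted password or licence key.
    if (res.status === 401) throw new AuthError("Unauthorized: Invalid credentials", 401);
    if (res.status === 400) throw new AuthError("License validation failed: Invalid or expired key", 400);
    if (res.status !== 200) throw new AuthError(`Unexpected response status ${res.status}`, res.status);
    const data = (await res.json()) as { token?: unknown };
    // Persist only a non-empty string; anything else would leave a "logged in"
    // state behind with no usable credential.
    if (typeof data.token !== "string" || data.token.length === 0) {
      throw new AuthError("Malformed response: missing token", 200);
    }
    store.save(data.token);
  }

  return {
    login: (email: string, password: string) => obtainToken("/api/auth/login", { email, password }),
    loginWithLicence: (licence: string) => obtainToken("/api/auth/license", { licence }),
    // Mirrors the behaviour described on this page: presence only, no backend check.
    validateToken: async (): Promise<boolean> => store.load() !== null,
    logout: (): void => store.clear(),
  };
}

// Constructed in-memory store standing in for the localStorage wrapper.
export function memoryStore(): TokenStore {
  let token: string | null = null;
  return {
    save: (t) => { token = t; },
    load: () => token,
    clear: () => { token = null; },
  };
}

// Constructed fake backend (test data only): accepts the sample credentials used
// elsewhere on this page and answers with the documented status codes.
export function fakeThermxServer(): FetchLike {
  const okToken = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.e30.constructed-signature";
  const reply = (status: number, payload: unknown): HttpResponse => ({ status, json: async () => payload });
  return async (url, init) => {
    const body = JSON.parse(init.body) as Record<string, string>;
    if (url.endsWith("/api/auth/login")) {
      return body.email === "user@example.com" && body.password === "password123"
        ? reply(200, { token: okToken })
        : reply(401, { error: "Unauthorized" });
    }
    if (url.endsWith("/api/auth/license")) {
      return body.licence === "THERMX-2026-ABC123DEF456"
        ? reply(200, { token: okToken })
        : reply(400, { error: "License validation failed" });
    }
    return reply(404, {});
  };
}
```

In the real application the injected transport is the browser's fetch and the store is the localStorage wrapper from src/auth/tokenStore.ts; keeping both behind interfaces is what makes the status-code handling testable without a server.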
Usage
Basic Login Flow
```typescript
import { login, logout, validateToken } from './api/auth';

// The awaits below run inside an async function (or a module with top-level await).

// 1. Log in with email/password
try {
  await login('user@example.com', 'password123');
  console.log('Login successful, token saved');
} catch (error) {
  // catch variables are `unknown` under strict TypeScript; narrow before reading .message
  console.error('Login failed:', error instanceof Error ? error.message : String(error));
}

// 2. Validate stored token
// Today this only checks that a token is present (see Current Limitations below).
const isValid = await validateToken();
if (isValid) {
  console.log('User has valid license');
} else {
  console.log('No valid license found');
}

// 3. Log out
logout();
console.log('Logged out, token cleared');
```
License Key Login
```typescript
import { loginWithLicence } from './api/auth';

try {
  await loginWithLicence('THERMX-2026-ABC123DEF456');
  console.log('License validated, token saved');
} catch (error) {
  // Log the error message only; never log the licence key itself
  console.error('License invalid:', error instanceof Error ? error.message : String(error));
}
```
Token Persistence
```typescript
import { saveToken, loadToken, clearToken } from './auth/tokenStore';

// Save token manually
saveToken('my-jwt-token-xyz');

// Load token (returns null if not found)
const token = loadToken();
if (token) {
  // Log only a short prefix: a full token in logs is a reusable credential
  console.log('User has token:', token.substring(0, 10) + '...');
}

// Clear token
clearToken();
```
Token Storage
localStorage Keys
| Key | Value | Scope |
|---|---|---|
| license-token | JWT token string | User |
Security Considerations
⚠️ Warning
localStorage is NOT secure for sensitive tokens: any script running in the page, including an injected XSS payload or a compromised third-party script, can read it, and it is never cleared automatically. For production:
- Use HttpOnly cookies — Server sets the token in a cookie that document.cookie cannot read; pair it with the Secure and SameSite attributes
- Implement CSRF protection — Cookies are sent automatically, so verify the Origin (or Referer) header on state-changing API calls and fail closed when it is missing
- Add token expiration — JWT `exp` claim with a reasonable TTL (e.g., 1 hour), enforced by the server
- Refresh token rotation — Issue a new token before expiry and invalidate the one it replaces
- Secure transport — Always use HTTPS in production
Current implementation is suitable for:
- Browser-based testing
- Desktop app (isolated execution context, provided the app never renders untrusted remote content: any script that reaches the renderer can read localStorage)
- Development environments
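The first two recommendations above need more than a flag on the client, so here is an added example of the server-side pieces (example code, not part of ThermX): issuing the token as an HttpOnly cookie with the attributes discussed, and a CSRF guard that lets safe methods through but requires a trusted Origin (falling back to Referer) on everything else, failing closed when neither header is present. The names buildSessionCookie, isTrustedOrigin, csrfGuard and RequestLike, and the cookie name thermx_session, are assumptions for the example.

```typescript
// Added example, not the project's code. Plain functions so they fit any Node
// HTTP framework; header names are assumed lower-cased as Node's http module does.

export function buildSessionCookie(token: string, ttlSeconds: number): string {
  // HttpOnly: document.cookie cannot read it, so XSS cannot lift it the way it
  // can lift localStorage. Secure: sent over HTTPS only. SameSite=Strict: the
  // browser omits it on cross-site requests, the first line of CSRF defence.
  // Max-Age bounds the cookie to the token's own TTL.
  return [
    `thermx_session=${encodeURIComponent(token)}`,
    `Max-Age=${Math.max(0, Math.floor(ttlSeconds))}`,
    "Path=/",
    "HttpOnly",
    "Secure",
    "SameSite=Strict",
  ].join("; ");
}

export interface RequestLike {
  method: string;
  headers: Record<string, string | undefined>;
}

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Origin of a URL string, or null if it cannot be parsed.
function originOf(url: string): string | null {
  try {
    return new URL(url).origin;
  } catch {
    return null;
  }
}

// Second line of CSRF defence, independent of cookie attributes: compare the
// request's Origin (or, failing that, the Referer's origin) with the origins the
// app is served from. The literal value "null" and foreign origins both fail.
export function isTrustedOrigin(req: RequestLike, allowedOrigins: ReadonlySet<string>): boolean {
  const origin = req.headers["origin"];
  if (origin !== undefined) return allowedOrigins.has(origin);
  const referer = req.headers["referer"];
  if (referer !== undefined) {
    const refOrigin = originOf(referer);
    return refOrigin !== null && allowedOrigins.has(refOrigin);
  }
  return false; // neither header present: fail closed on state-changing requests
}

// Decision for one request. Returns a result rather than throwing so the caller
// can log the reason before answering 403.
export function csrfGuard(req: RequestLike, allowedOrigins: ReadonlySet<string>): { allowed: boolean; reason: string } {
  if (SAFE_METHODS.has(req.method.toUpperCase())) return { allowed: true, reason: "safe method" };
  return isTrustedOrigin(req, allowedOrigins)
    ? { allowed: true, reason: "origin trusted" }
    : { allowed: false, reason: "origin missing or not trusted" };
}
```

The Origin check is deliberately kept even with SameSite=Strict set: the cookie attribute depends on browser support and on the deployment never spanning sites, while the header check is enforced by the server on every request.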
Current Limitations
The current validateToken() implementation only checks that a token exists in localStorage. No backend validation is performed, so an expired, tampered or revoked token still reports as valid. In production, this should:
- Send the token to a backend endpoint, /api/auth/validate
- Verify the JWT signature (server-side, with the issuing secret or public key)
- Check expiration (the exp claim)
- Return user info
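To make the gap concrete, here is an added example (not the project's code) of what a backend /api/auth/validate handler has to do with the token, next to the most a browser can safely do on its own. HS256 is assumed because the sample tokens on this page carry the header {"alg":"HS256","typ":"JWT"}; the names signHs256, verifyHs256, isLikelyExpired and Claims are assumptions, and signHs256 is a constructed issuer used only to mint sample tokens for the demonstration.

```typescript
import { createHmac, timingSafeEqual } from "crypto";

// Added example, not the project's code. HS256 is an assumption based on the
// sample token headers on this page.
export interface Claims {
  sub?: string;
  exp?: number;
  [claim: string]: unknown;
}

const toB64url = (s: string): string => Buffer.from(s, "utf8").toString("base64url");

// Decode a base64url JSON segment into an object, or null if it is not one.
function parseJsonObject(segment: string): Record<string, unknown> | null {
  try {
    const value: unknown = JSON.parse(Buffer.from(segment, "base64url").toString("utf8"));
    return typeof value === "object" && value !== null ? (value as Record<string, unknown>) : null;
  } catch {
    return null;
  }
}

// Constructed issuer for sample tokens. In the real system this runs behind
// /api/auth/login and the secret never leaves the server.
export function signHs256(claims: Claims, secret: string): string {
  const header = toB64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const payload = toB64url(JSON.stringify(claims));
  const signature = createHmac("sha256", secret).update(`${header}.${payload}`).digest("base64url");
  return `${header}.${payload}.${signature}`;
}

// Server side: returns the claims only if the signature verifies under the
// pinned algorithm and the token has not expired; otherwise null.
export function verifyHs256(token: string, secret: string, nowSeconds = Math.floor(Date.now() / 1000)): Claims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [h, p, s] = parts;

  // Pin the algorithm: a token declaring alg:none or RS256 is rejected outright
  // instead of letting the header choose how it is checked.
  const header = parseJsonObject(h);
  if (header === null || header.alg !== "HS256") return null;

  // Recompute the MAC and compare in constant time. Length check first because
  // timingSafeEqual throws on mismatched lengths.
  const expected = createHmac("sha256", secret).update(`${h}.${p}`).digest();
  const given = Buffer.from(s, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;

  const claims = parseJsonObject(p) as Claims | null;
  if (claims === null) return null;
  // exp is mandatory here: a token with no expiry is treated as invalid.
  if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) return null;
  return claims;
}

// Client side: the browser holds no secret, so it can only read exp to skip an
// obviously stale token before calling the backend. The verdict is the server's.
export function isLikelyExpired(token: string, nowSeconds = Math.floor(Date.now() / 1000)): boolean {
  const parts = token.split(".");
  if (parts.length !== 3) return true;
  const claims = parseJsonObject(parts[1]) as Claims | null;
  return claims === null || typeof claims.exp !== "number" || claims.exp <= nowSeconds;
}
```

Note what the client-side pre-check does not give you: isLikelyExpired trusts whatever exp the payload states, so it is a convenience for avoiding a round trip, not a security control. Revocation is also outside both functions; a stateless JWT remains valid until exp unless the backend keeps a deny list.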
Future Roadmap
- Backend JWT validation endpoint
- Token refresh flow (exp + refresh tokens)
- Multi-factor authentication (MFA)
- API key support (for CLI/scripting)
- User account dashboard
- Cloud project sync (tied to account)
- Usage analytics & telemetry
- Feature licensing (beta, pro, enterprise tiers)