Authentication & Access Control
Complexity: low | Priority: critical | Must have | MVP | Extracted | Confidence: 100%
Components: 5 | Shared: 0 | User Stories: 18 | Analyzed: Yes

Description

This feature provides the foundational email and password authentication flow for users who prefer, or have no alternative to, traditional credential-based login. It includes a login screen with email and password fields, form validation, error handling for invalid credentials, and a complete password reset flow via email. The system integrates with Supabase Auth as the backend identity provider: Supabase stores only password hashes and issues short-lived access tokens together with refresh tokens, so the app never persists the password itself and sessions can be managed across devices. Password reset uses a tokenized, expiring email link with clear user feedback at each step, including when the link has expired or has already been used.

Analysis

Business Value

Email and password login provides a universal fallback authentication method that ensures no user is excluded due to lack of BankID or Vipps access. This is particularly important for administrators, coordinators, and onboarding scenarios where Norwegian e-ID may not yet be linked. From a business continuity perspective, having a reliable credential-based path reduces support escalations and guarantees access during BankID/Vipps outages. It also enables internal staff and test users to access the system without third-party dependencies, accelerating development and QA cycles during early rollout phases.

Implementation Notes

Built on Supabase Auth using the email/password provider, with Flutter BLoC for state management. The login screen uses the app's design token system (AppTextField, AppButton widgets) and maps Supabase AuthException values to localized error messages; a wrong password and an unknown email must produce the same message so the login screen cannot be used to enumerate accounts, and raw exception messages, passwords and tokens must never reach logs or crash reports. Password reset uses Supabase's built-in email OTP/magic-link flow with a deep-link redirect back into the app; the redirect URL must be allow-listed in the Supabase project so that a reset link can only return to this app. The Auth Repository abstracts all Supabase calls behind a clean interface, allowing future provider swaps. Session persistence must go through a LocalStorage implementation backed by Flutter Secure Storage (platform Keychain/Keystore); the supabase_flutter default session store is ordinary app preferences, not the platform keychain. All fields must meet WCAG 2.2 AA contrast and label requirements from day one.
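The following is an added example, not code from this project, showing how the Auth Repository described above can be wired in Dart against supabase_flutter: a LocalStorage implementation backed by flutter_secure_storage replaces the SDK default, and sign-in errors are collapsed into coarse failure categories that the BLoC turns into localized strings. The storage key, the 15-second timeout, the class and enum names, and the project URL are assumptions; `invalid_credentials` and `email_not_confirmed` are GoTrue error codes, and the `code` field on AuthException is assumed to be present in the SDK version in use (older versions expose only `statusCode`).

```dart
import 'dart:async' show TimeoutException;
import 'dart:io' show SocketException;

import 'package:flutter_secure_storage/flutter_secure_storage.dart';
import 'package:supabase_flutter/supabase_flutter.dart';

/// Coarse failure categories the BLoC turns into localized strings.
/// "Wrong password" and "no such account" are deliberately the same
/// value so the login screen cannot be used to enumerate accounts.
enum AuthFailureKind { invalidCredentials, emailNotConfirmed, network, unknown }

class AuthFailure implements Exception {
  const AuthFailure(this.kind);
  final AuthFailureKind kind;
}

/// Session store backed by the platform Keychain/Keystore. The
/// supabase_flutter default store is not the keychain, so this class is
/// handed to Supabase.initialize(). The key name is an assumption.
class SecureSessionStorage extends LocalStorage {
  static const _storage = FlutterSecureStorage();
  static const _key = 'sb-session';

  @override
  Future<void> initialize() async {}

  @override
  Future<bool> hasAccessToken() => _storage.containsKey(key: _key);

  @override
  Future<String?> accessToken() => _storage.read(key: _key);

  @override
  Future<void> persistSession(String persistSessionString) =>
      _storage.write(key: _key, value: persistSessionString);

  @override
  Future<void> removePersistedSession() => _storage.delete(key: _key);
}

/// Call once at app start. URL and anon key are placeholders.
Future<void> initSupabase() => Supabase.initialize(
      url: 'https://YOUR-PROJECT.supabase.co',
      anonKey: 'YOUR-ANON-KEY',
      authOptions: FlutterAuthClientOptions(
        localStorage: SecureSessionStorage(),
        authFlowType: AuthFlowType.pkce, // deep-link flows use PKCE
      ),
    );

class AuthRepository {
  AuthRepository(this._auth, {this.timeout = const Duration(seconds: 15)});
  final GoTrueClient _auth;
  final Duration timeout;

  /// Sign in with email and password. Throws [AuthFailure]; the caller
  /// must never log [password] or the raw exception message.
  Future<Session> signIn({required String email, required String password}) async {
    try {
      final res = await _auth
          .signInWithPassword(email: email.trim(), password: password)
          .timeout(timeout);
      final session = res.session;
      if (session == null) throw const AuthFailure(AuthFailureKind.unknown);
      return session;
    } on AuthException catch (e) {
      throw classify(e);
    } on SocketException {
      throw const AuthFailure(AuthFailureKind.network);
    } on TimeoutException {
      throw const AuthFailure(AuthFailureKind.network);
    }
  }

  /// Map a GoTrue error to a category. The stable error code is checked
  /// first; SDKs without it fall back to the HTTP status, in which case an
  /// unconfirmed email is also reported as invalid credentials.
  static AuthFailure classify(AuthException e) {
    switch (e.code) {
      case 'invalid_credentials':
        return const AuthFailure(AuthFailureKind.invalidCredentials);
      case 'email_not_confirmed':
        return const AuthFailure(AuthFailureKind.emailNotConfirmed);
    }
    if (e.statusCode == '400' || e.statusCode == '401') {
      return const AuthFailure(AuthFailureKind.invalidCredentials);
    }
    return const AuthFailure(AuthFailureKind.unknown);
  }
}
```

The BLoC catches AuthFailure and selects the localized string by kind; the AuthException itself never leaves the repository, which is what keeps Supabase's own wording (and anything it might reveal about the account) out of the UI and the logs.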

Definition of Done

User can log in with valid email and password
Invalid credentials show a localized error message
Password reset email is sent and deep-link redirects correctly
Session persists across app restarts
All form fields pass WCAG 2.2 AA contrast and label checks
Auth Repository unit tests cover success and error paths
No passwords or tokens stored in plaintext, written to logs, or included in crash reports

User Stories (18 listed, 6 distinct)

Log out securely
Priority: medium, 1 pt

As a user
I want to log out of the app and have my session fully terminated
So that my account is protected when I hand my device to another person or when I am finished with my session

Acceptance Criteria
  • Given an authenticated user in the settings screen, when they tap Log Out, then a confirmation dialog or direct logout action clears the session and navigates to the login screen
  • Given logout is confirmed, when the Auth Service processes the request, then the Supabase session is revoked server-side and all local tokens are removed from Flutter Secure Storage
  • Given a successful logout, when the user presses the back button or navigates to any protected route, then they are redirected to the login screen
  • +2 more criteria not shown
Receive clear, localized error feedback on login failure
Priority: high, 2 pts

As a user
I want to see a clear and specific error message when my login attempt fails
So that I understand what went wrong and know exactly what action to take to resolve the issue

Acceptance Criteria
  • Given a user enters an incorrect password, when they submit the form, then an inline error message 'Incorrect email or password. Forgot your password?' is shown with a tappable reset link
  • Given a user attempts login with an unverified email, when authentication is rejected, then the error message states that email verification is required and offers to resend the verification email
  • Given a network failure during login, when the Supabase call times out, then a user-friendly offline message is shown with a retry option
  • +3 more criteria not shown
Remain authenticated across app restarts
Priority: high, 2 pts

As a user
I want to stay logged in when I close and reopen the app
So that I don't need to re-enter my credentials on every app session, reducing friction for frequent use

Acceptance Criteria
  • Given a user has successfully logged in, when they close and reopen the app within the session validity window, then they are navigated directly to the home screen without seeing the login screen
  • Given the app starts with a stored session that is close to expiry, when the Auth Repository detects a refresh is needed, then the token is silently refreshed without interrupting the user
  • Given a session has fully expired, when the app restarts, then the user is navigated to the login screen
  • +2 more criteria not shown
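Added example, not project code, covering two of the stories above: 'Log out securely' and 'Remain authenticated across app restarts'. It shows the cold-start routing decision and the logout path written against supabase_flutter's GoTrueClient. The SessionManager name, the 5-minute refresh window and the route-guard helper are assumptions.

```dart
import 'package:supabase_flutter/supabase_flutter.dart';

/// Where a cold-started app lands, decided before any screen is shown.
enum StartupRoute { home, login }

class SessionManager {
  SessionManager(this._auth);
  final GoTrueClient _auth;

  /// Remain authenticated across restarts. A session within
  /// [refreshWindow] of expiry is refreshed silently; if the refresh is
  /// rejected (refresh token revoked or expired) the local remnants are
  /// dropped and the user goes to login. The SDK's own auto-refresh timer
  /// covers the steady state; this makes the start-up decision explicit.
  Future<StartupRoute> resolveStartupRoute({
    Duration refreshWindow = const Duration(minutes: 5), // assumption
  }) async {
    final session = _auth.currentSession;
    if (session == null) return StartupRoute.login;

    final expiresAt = session.expiresAt; // Unix seconds
    final remaining = expiresAt == null
        ? Duration.zero
        : DateTime.fromMillisecondsSinceEpoch(expiresAt * 1000, isUtc: true)
            .difference(DateTime.now().toUtc());
    if (remaining > refreshWindow) return StartupRoute.home;

    try {
      final res = await _auth.refreshSession();
      return res.session == null ? StartupRoute.login : StartupRoute.home;
    } on AuthException {
      // Refresh token no longer accepted: clear local state, force login.
      await _auth.signOut(scope: SignOutScope.local);
      return StartupRoute.login;
    }
  }

  /// Log out securely: revoke every refresh token of this user server-side
  /// (global scope), not only this device's. signOut also removes the
  /// session the SDK persisted through our LocalStorage; the extra local
  /// signOut in the catch guarantees that even if the server call threw
  /// first. Returns false when server-side revocation could not be
  /// confirmed; report that to monitoring, because the refresh token may
  /// still be usable until it expires.
  Future<bool> logOut() async {
    try {
      await _auth.signOut(scope: SignOutScope.global);
      return true;
    } on AuthException {
      await _auth.signOut(scope: SignOutScope.local); // idempotent cleanup
      return false;
    }
  }

  /// Route guard for the back button and deep links: protected routes
  /// require a live session; the router redirects to login otherwise.
  bool canEnter(String route, Set<String> protectedRoutes) =>
      !protectedRoutes.contains(route) || _auth.currentSession != null;
}
```

The router calls resolveStartupRoute() once before building the first screen, and canEnter() on every navigation, so a back-press after logout lands on the login screen instead of a cached protected page.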
Request a password reset via email
Priority: high, 3 pts

As a user
I want to request a password reset email when I have forgotten my password
So that I can regain access to my account without contacting support

Acceptance Criteria
  • Given the login screen, when the user taps 'Forgot password?', then they are navigated to the Password Reset Screen with an email input and a Send Reset Link button
  • Given the user enters a valid email format and taps Send, when the request is submitted, then a confirmation screen shows 'A reset link has been sent to [email]' regardless of whether the email exists in the system
  • Given the confirmation screen, when 60 seconds have elapsed, then a Resend button becomes active and the user can request another email
  • +3 more criteria not shown
Set a new password via the email reset link
Priority: high, 3 pts

As a user
I want to open the password reset link from my email and set a new password in the app
So that I can complete the password reset flow and log in with my new credentials

Acceptance Criteria
  • Given a valid reset deep-link is opened, when the app handles the URI, then the new-password form is displayed with password and confirm-password fields
  • Given the new-password form, when the user enters matching passwords that meet minimum strength requirements and submits, then the password is updated and a success confirmation is shown
  • Given the success confirmation, when 3 seconds elapse or the user taps 'Back to login', then they are navigated to the Login Screen
  • +3 more criteria not shown
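Added example, not project code, covering the two reset stories above: 'Request a password reset via email' and 'Set a new password via the email reset link'. It shows the enumeration-safe request, the 60-second resend cooldown, validation of the incoming deep link, handling of an expired or reused link, and the password update. The redirect URI, the 12-character minimum, and the class name are assumptions; `error_code=otp_expired` is the parameter Supabase appends to the redirect when a link is no longer valid.

```dart
import 'dart:async';

import 'package:supabase_flutter/supabase_flutter.dart';

/// Deep link placed in the reset email. It must also be allow-listed as a
/// Redirect URL in the Supabase project, otherwise Supabase ignores it.
/// Scheme, host and path are assumptions for this example.
const String resetRedirect = 'no.example.app://auth/reset-password';

class PasswordResetFlow {
  PasswordResetFlow(this._auth);
  final GoTrueClient _auth;

  static const Duration resendCooldown = Duration(seconds: 60);
  DateTime? _lastRequestAt;

  bool get canResend =>
      _lastRequestAt == null ||
      DateTime.now().difference(_lastRequestAt!) >= resendCooldown;

  /// Request a reset email. Completes normally whether or not the address
  /// is registered, so the confirmation screen shows the same text either
  /// way. Only a rate-limit response is surfaced to the user.
  Future<void> requestReset(String email) async {
    if (!canResend) throw StateError('Resend is available after $resendCooldown');
    _lastRequestAt = DateTime.now();
    try {
      await _auth.resetPasswordForEmail(email.trim(), redirectTo: resetRedirect);
    } on AuthException catch (e) {
      if (e.statusCode == '429') rethrow; // UI: "try again later"
      // Anything else goes to monitoring without the address and is
      // swallowed: the screen must not reveal whether the account exists.
    }
  }

  /// Accept only the link we registered, so a tampered email or another
  /// app cannot steer the flow to a different URI.
  static bool isResetLink(Uri uri) {
    final expected = Uri.parse(resetRedirect);
    return uri.scheme == expected.scheme &&
        uri.host == expected.host &&
        uri.path == expected.path;
  }

  /// An expired or already-used link never yields a session; GoTrue sends
  /// the app back with error parameters (query or fragment) instead.
  /// Returns the code so the UI can offer "request a new link".
  static String? linkError(Uri uri) {
    final params = {
      ...uri.queryParameters,
      ...Uri.splitQueryString(uri.fragment),
    };
    return params['error_code'] ?? params['error'];
  }

  /// The SDK performs the PKCE code exchange for the incoming link and then
  /// emits passwordRecovery; that is the moment to show the new-password form.
  StreamSubscription<AuthState> onRecovery(void Function() showNewPasswordForm) =>
      _auth.onAuthStateChange.listen((state) {
        if (state.event == AuthChangeEvent.passwordRecovery) showNewPasswordForm();
      });

  /// Client-side gate before the server round-trip. The minimum length is
  /// an assumption; the server-side password policy still applies.
  static String? validateNewPassword(String password, String confirm) {
    if (password.length < 12) return 'Use at least 12 characters';
    if (password != confirm) return 'Passwords do not match';
    return null;
  }

  /// Set the new password on the recovery session, then sign out every
  /// other session: whoever held the old password must not stay logged in.
  Future<void> setNewPassword(String password) async {
    await _auth.updateUser(UserAttributes(password: password));
    await _auth.signOut(scope: SignOutScope.others);
  }
}
```

On app start the deep-link handler runs isResetLink() and linkError() before anything else: a foreign URI is dropped, an error code routes to the "link expired, request a new one" screen, and only a clean registered link is left for the SDK to exchange, after which onRecovery() opens the form.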
Log in with email and password
Priority: critical, 3 pts

As a user
I want to log in to the app using my email address and password
So that I can access the system when BankID or Vipps is unavailable or not yet linked to my account

Acceptance Criteria
  • Given a registered user on the login screen, when they enter a valid email and password and tap Sign In, then they are authenticated and navigated to their role-specific home screen
  • Given the login screen is displayed, when the user has not interacted with any field, then the Sign In button is enabled but form validation triggers on tap
  • Given a user submits the form, when the Supabase Auth call is in progress, then a loading indicator is displayed and the Sign In button is disabled to prevent duplicate submissions
  • +3 more criteria not shown