Sequence Diagram (Mert Eren Kaplan) - bounswe/bounswe2026group4 GitHub Wiki

Scope

This diagram models the happy path and primary alternative flows of the Login / Logout use case. It covers the interaction from the moment a user submits login credentials through the mobile application until authentication succeeds or fails, and from the moment an authenticated user requests logout until the persisted session is removed and the refresh token is invalidated.

Assumptions

  • The User DB / JWT lifeline represents both the persistence layer used to retrieve the user record and the token infrastructure used to issue or invalidate JWT-based authentication data.
  • Login is available only for users who have already completed registration.
  • The backend authenticates users by email and password.
  • Password verification and account status checks are represented as internal operations inside the authentication API layer for clarity.
  • Failed login attempts caused by a non-existent email, an incorrect password, or an inactive account are intentionally shown as the same Invalid credentials outcome, reflecting the current implementation. Returning one indistinguishable response for all three cases means the login endpoint does not reveal which email addresses are registered.
  • Session persistence on the client side is represented by Local Storage, since the mobile application stores and clears session data locally.
  • Logout is modeled as refresh-token invalidation plus local session removal, rather than explicit server-side session destruction. Because the access token is a self-contained JWT, invalidating the refresh token only prevents new access tokens from being issued; an access token that was already issued remains valid until its own expiry, which is why the client must also clear it from Local Storage.
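The assumptions above describe a login that accepts email and password, verifies the password and the account status inside the API layer, collapses every failure into one Invalid credentials outcome, and a logout that revokes the refresh token while the client clears its local session. The following is an added example written for this page, not code from the bounswe2026group4 project: the user store, the HS256 signing secret, the token lifetimes, and the `LocalStorage` stand-in are all constructed assumptions. It uses only the Python standard library, so the JWT is produced and verified by hand rather than with a JWT library, and it also shows two details the diagram abstracts away: the password check runs against a dummy record when the email is unknown (so response time does not differ between "no such user" and "wrong password"), and an already-issued access token still verifies after logout until it expires.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
import time

# Assumptions for this example only: a shared HS256 secret and fixed lifetimes.
_SECRET = b"example-signing-key-not-for-production"
_ACCESS_TTL = 15 * 60          # access token lifetime in seconds
_REFRESH_TTL = 7 * 24 * 3600   # refresh token lifetime in seconds


def _hash_password(password, salt):
    """PBKDF2-SHA256 stands in for whatever hashing the real backend uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(email, password, is_active=True):
    salt = os.urandom(16)
    return {"email": email, "salt": salt,
            "pw_hash": _hash_password(password, salt), "is_active": is_active}


# Constructed sample records standing in for the User DB: one active, one inactive.
USERS = {u["email"]: u for u in (
    make_user("alice@example.com", "correct horse battery", is_active=True),
    make_user("bob@example.com", "hunter2", is_active=False),
)}
# Dummy record checked when the email is unknown, to keep timing uniform.
_DUMMY_USER = make_user("dummy@example.invalid", "dummy")

# Server-side record of live refresh tokens (jti -> email); logout removes the entry.
REFRESH_STORE = {}


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(claims):
    """Build a compact HS256 JWT: header.payload.signature."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def verify_token(token, expected_type, now=None):
    """Return the claims if the signature, type, expiry (and revocation) check out, else None."""
    now = time.time() if now is None else now
    try:
        header, body, sig = token.split(".")
        expected = hmac.new(_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
    except ValueError:          # malformed token, bad base64, or bad JSON
        return None
    if claims.get("type") != expected_type or claims.get("exp", 0) <= now:
        return None
    if expected_type == "refresh" and claims.get("jti") not in REFRESH_STORE:
        return None             # refresh token was invalidated by logout
    return claims


def login(email, password, now=None):
    """Authenticate by email and password; every failure yields the same response."""
    now = time.time() if now is None else now
    user = USERS.get(email)
    candidate = user if user is not None else _DUMMY_USER
    password_ok = hmac.compare_digest(
        _hash_password(password, candidate["salt"]), candidate["pw_hash"])
    if user is None or not password_ok or not user["is_active"]:
        return {"ok": False, "error": "Invalid credentials"}
    jti = secrets.token_hex(16)
    REFRESH_STORE[jti] = email
    return {
        "ok": True,
        "access": _sign({"sub": email, "type": "access", "exp": now + _ACCESS_TTL}),
        "refresh": _sign({"sub": email, "type": "refresh", "jti": jti, "exp": now + _REFRESH_TTL}),
    }


class LocalStorage:
    """Stand-in for the mobile app's local session storage."""
    def __init__(self):
        self.session = None


def logout(storage, now=None):
    """Invalidate the stored refresh token server-side, then clear the local session."""
    if storage.session is not None:
        claims = verify_token(storage.session["refresh"], "refresh", now)
        if claims is not None:
            REFRESH_STORE.pop(claims["jti"], None)
    storage.session = None
```

A typical run logs Alice in, stores the response in `LocalStorage`, and calls `logout`; afterwards the refresh token no longer verifies, while the access token still does until `exp` passes. That gap is the reason the diagram pairs refresh-token invalidation with local session removal rather than relying on either one alone.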

Intentionally Left Out

  • Infrastructure failures such as database timeouts, server errors, or local storage failures are not modeled.
  • Registration, email verification, forgot password, and reset password are separate use cases and are outside the scope of this diagram.
  • Account lockout, brute-force protection, multi-factor authentication, and remember-me functionality are intentionally omitted.
  • Detailed cryptographic implementation of password hashing, JWT signing, and token validation is abstracted away.
  • Internal interceptor behavior such as automatic redirect on unauthorized API responses is not included, since the diagram focuses only on direct login and logout interactions.