DocHub
Security features, data storage locations, profile caching, and error handling

Security & Data Storage

Security Features

Password Security

  • Minimum 6 characters required
  • Hashed using bcrypt (a one-way password hash, not reversible encryption)
  • Never stored in plain text
  • Confirmation required for signup

Email Verification

  • Required for new accounts
  • Confirmation link expires in 24 hours
  • Resend limited to 60-second intervals
  • Deep link support for mobile

Session Management

  • JWT tokens for authentication
  • Automatic token refresh
  • Secure storage in Supabase
  • Session persistence across app restarts

Rate Limiting

  • Email operations: 60-second cooldown
  • Login attempts: Protected by Supabase
  • API calls: Automatic retry with backoff
  • Prevention of brute force attacks

Data Storage Locations

Supabase Database

  • Authentication credentials (auth.users)
  • User profile data (public.user_profile)
  • Application logs (public.app_logs)

SharedPreferences (Local)

  • user_id: Current authenticated user ID
  • is_new_user: Flag for welcome flow
  • cached_user_profile: JSON-serialized profile for offline access
  • pending_email: Email address during confirmation polling

JSON Files (Local)

  • user_profile.json: Complete user profile with subscription, courses, preferences, manifest

Profile Caching Strategy

  1. User profile is saved to SharedPreferences as JSON
  2. Cached profile is loaded when app starts
  3. Enables offline access to user data
  4. Updates cache whenever profile changes
  5. Returns cached data when network is unavailable
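As an added illustration, not DocHub's own code (the page shows none), the five caching steps above modelled in Python with a plain dict standing in for SharedPreferences; the key names and profile fields are the ones listed on this page, while the `fetch_remote` callback raising `ConnectionError` when the network is unavailable is an assumption. It also adds two checks a reviewer would want here: a cached profile is only returned when it belongs to the currently stored `user_id`, and a cached subscription is honoured offline only until its expiry.

```python
import json
from datetime import datetime, timezone

PROFILE_KEY = "cached_user_profile"  # SharedPreferences key named on the page
USER_ID_KEY = "user_id"

# Constructed sample following the user_profile.json fields listed on the page.
SAMPLE_PROFILE = {
    "user_id": "user-123",
    "user_email": "alice@example.com",
    "subscription": {"type": "premium", "expiry": "2099-01-01T00:00:00+00:00"},
    "purchased_courses": ["CS101"],
}


class ProfileCache:  # stand-in for SharedPreferences: a dict of string values
    def __init__(self):
        self.prefs = {}

    def save(self, profile):
        # Steps 1 and 4: (re)write the cache whenever the profile changes.
        self.prefs[USER_ID_KEY] = profile["user_id"]
        self.prefs[PROFILE_KEY] = json.dumps(profile)

    def load(self):
        # Step 2: read at startup; None when absent, corrupt, or for another user.
        raw = self.prefs.get(PROFILE_KEY)
        if raw is None:
            return None
        try:
            profile = json.loads(raw)
        except json.JSONDecodeError:
            return None
        if profile.get("user_id") != self.prefs.get(USER_ID_KEY):
            return None  # never surface a stale profile of a previous account
        return profile

    def get_profile(self, fetch_remote):
        # Steps 3 and 5: prefer the network; fall back to the cache when it is down.
        try:
            profile = fetch_remote()
        except ConnectionError:  # assumed failure signal from the network layer
            return self.load()
        self.save(profile)
        return profile


def subscription_active(profile, now=None):
    """Offline entitlement: honour a cached subscription only until its expiry."""
    now = now or datetime.now(timezone.utc)
    return datetime.fromisoformat(profile["subscription"]["expiry"]) > now
```

Because SharedPreferences is plain local storage, fields such as `purchased_courses` and `subscription` read back from the cache should be treated as a convenience for offline display, with the server remaining the authority on what the account is entitled to.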

user_profile.json Structure

Key fields in the local JSON profile:

| Field | Type | Description |
|---|---|---|
| user_email | String | User email address |
| user_id | String | Supabase user ID |
| user_name | String | Display name |
| subscription | Object | Type, name, expiry date |
| ai_usage | Object | Limit minutes, used minutes, reset period |
| current_selected_course | String | Currently active course code |
| free_course_code | Array | Codes for free courses |
| purchased_courses | Array | Codes for purchased courses |
| course_preferences | Object | Per-course voice/background/length settings |
| manifest | Object | Last sync check date and required files list |

Error Handling

| Error Type | User Message | Resolution |
|---|---|---|
| Network Error | “Unable to connect. Please check your internet connection” | Retry button, offline mode activated |
| Duplicate Email | “This email is already registered” | Suggest sign-in instead |
| Invalid Credentials | “Invalid login credentials” | Clear password, show forgot password |
| Rate Limit | “Too many requests. Please wait X seconds” | Countdown timer, disable button |
| Email Not Confirmed | “Please check your email to confirm your account” | Resend button with cooldown |
| Unlinked Auth Cleanup | Transparent to user (background process) | Edge function deletes auth user |
| Edge Function Error | Signup continues normally | Cleanup fails gracefully |
| Email Send Rate Limit | “For security purposes, you can only request this after X seconds” | Cleanup skipped, fresh signup attempted |