login-flow.puml

@startuml
Actor Email
Actor Browser
Actor OtherBrowser
Participant ServerApp
Database Database


== Authenticate by Link\n<size:10>obtain persistent session cookie ""WP_COLLECTME_AUTH"" via link</size> ==
Email -> Browser : ""GET /app?action=create&token...""
Browser -> ServerApp : ""GET /app?action=create&token...""
ServerApp -> Database : getAccountToken
Database --> ServerApp : AccountToken
ServerApp -> Database  : getOrCreateUser
Database --> ServerApp : User
ServerApp -> Database  : createPersistentSession
note right: create activated session
Database --> ServerApp : PersistentSession
ServerApp --> Browser  : ""WP_COLLECTME_AUTH"" Cookie\nPersistentSession

== Authenticate by Login Form\n<size:10>obtain persistent session cookie ""WP_COLLECTME_AUTH"" via login form</size> ==
Browser -> ServerApp   : ""POST /auth""
ServerApp -> Database  : getOrCreateUser
Database --> ServerApp : User
ServerApp -> Database  : createPersistentSession
note right: session not activated
Database --> ServerApp : PersistentSession
ServerApp -> Email     : ActivationSecret
ServerApp --> Browser  : ""WP_COLLECTME_AUTH"" Cookie\nPersistentSession
Email -> OtherBrowser  : ""GET /app?action=activate&token...""
OtherBrowser -> ServerApp: ""GET /app?action=activate&token...""
ServerApp -> Database  : activatePersistentSession

== Login\n<size:10>authenticate by ""WP_COLLECTME_AUTH"" cookie</size> ==
Browser -> ServerApp : ""GET /sessions/current""
ServerApp -> Database : getSession
Database --> ServerApp : Session
ServerApp -> ServerApp : isSessionActive\n&& checkSessionSecret
ServerApp -> Database : noteLogin
ServerApp -> ServerApp : addSessionToPhpSession
ServerApp --> Browser : Session

note over Browser, Database
Repeat authentication steps (poll) if ServerApp responds with status code 401.
It means, the user hasn't clicked the activation link in the email yet.

If the persistent session was closed or not found, a 404 is returned.
end note
@enduml