Authentication & Authorization

Majestic Transport uses Better Auth as a unified identity engine for all applications. It handles multi-tenant isolation, session security, and role-based access control (RBAC).

🔐 Authentication Methods

The system supports multiple ways to authenticate, depending on the client:

1. Email & Password

Standard Login: Traditional credentials for the Admin Dashboard.
Security: Passwords are hashed before storage. Sign-ups are disabled by default; accounts are created by administrators.

2. Passwordless (Magic Link / OTP)

Magic Link: Login via an emailed link.
Email OTP: One-time verification codes (used for high-security actions or mobile login).

3. Biometrics (Passkeys)

Hardware-backed: Login using Fingerprint, FaceID, or physical security keys.
Standard: Implements the WebAuthn protocol for phishing-resistant security.

Google Auth: Configured for organization-specific domains.

🏛️ Authorization & RBAC

The system employs a dual-layer permission model:

Layer 1: Global Admin Roles

Governs system-wide access across all organizations.

super_admin: Full system control.
transport_admin: Oversight of transport operations.
company_admin: Management of a specific company.
driver: Standard field personnel role.

Layer 2: Organization Roles

Governs access within a specific tenant (Organization).

owner: The primary administrative account for the organization.
admin: Organizational administrators.
driver: Drivers belonging to the organization.
member: General organizational users.

⚙️ Technical Implementation

`session` & `bearer` Plugins

Web (Admin): Uses secure, HTTP-only cookies to maintain sessions.
Mobile (Driver App): Uses the Bearer Plugin, which issues a long-lived token sent in the Authorization: Bearer <token> header of every API request.

`organization` Plugin

Isolation: Every API request is scoped to an organization_id.
Switching: Users belonging to multiple organizations can "switch" their active context through the API.

`expo` Plugin

Deep Linking: Handles the specific authentication redirects required for the native Expo mobile app (e.g., exp://**).

🛠️ Key Identity Tables

user: Stores personal details, roles, and identity numbers.
account: Links a user to their authentication method (Google, Password, Passkey).
session: Tracks active login instances and security context.
member: Maps a user to an organization and defines their role within it.

Authentication & Authorization ​

🔐 Authentication Methods ​

1. Email & Password ​

2. Passwordless (Magic Link / OTP) ​

3. Biometrics (Passkeys) ​

4. Social Providers ​

🏛️ Authorization & RBAC ​

Layer 1: Global Admin Roles ​

Layer 2: Organization Roles ​

⚙️ Technical Implementation ​

session & bearer Plugins ​

organization Plugin ​

expo Plugin ​

🛠️ Key Identity Tables ​