- /login by email & password
- /register by email & password
- /passwords/forgot
- /passwords/reset
- /oauth/fb
2FA: if a user logs in from a new device (a device id we have not seen for that account) OR from a new IP, send them a one-time password (OTP) by email and require it before the session is granted.
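The new-device/new-IP rule above as a worked example. This is added illustration code, not code from this project: the in-memory store, the names (UserRecord, OtpChallenge, issue_otp, verify_otp, login) and the 10-minute lifetime and 5-attempt limit are assumptions; a real service would keep the same records in Redis or the database and hand the code to the mailer instead of returning it.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Assumed policy values for this example.
OTP_TTL_SECONDS = 10 * 60   # a code is valid for 10 minutes
OTP_MAX_ATTEMPTS = 5        # after 5 wrong guesses the code is discarded


@dataclass
class OtpChallenge:
    otp_hash: bytes          # salted SHA-256 of the code, never the code itself
    salt: bytes
    expires_at: float
    attempts_left: int = OTP_MAX_ATTEMPTS


@dataclass
class UserRecord:
    email: str
    known_devices: Set[str] = field(default_factory=set)   # device ids seen before
    known_ips: Set[str] = field(default_factory=set)       # IPs seen before
    pending: Optional[OtpChallenge] = None                 # current step-up challenge


def needs_step_up(user: UserRecord, device_id: str, ip: str) -> bool:
    """The rule from the notes: a new device id OR a new IP triggers the e-mail OTP."""
    return device_id not in user.known_devices or ip not in user.known_ips


def _hash_otp(otp: str, salt: bytes) -> bytes:
    # Only a salted hash is stored, so a leaked store does not reveal live codes.
    return hashlib.sha256(salt + otp.encode()).digest()


def issue_otp(user: UserRecord, now: Optional[float] = None) -> str:
    """Create a 6-digit code from the CSPRNG, store its hash, return the code for e-mailing."""
    now = time.time() if now is None else now
    otp = f"{secrets.randbelow(10 ** 6):06d}"   # leading zeros kept, 1e6 possibilities
    salt = secrets.token_bytes(16)
    user.pending = OtpChallenge(_hash_otp(otp, salt), salt, now + OTP_TTL_SECONDS)
    return otp   # send by e-mail out of band; never log it


def verify_otp(user: UserRecord, submitted: str, device_id: str, ip: str,
               now: Optional[float] = None) -> bool:
    """Check a submitted code: expiry, attempt limit, constant-time compare, single use."""
    now = time.time() if now is None else now
    ch = user.pending
    if ch is None or now > ch.expires_at or ch.attempts_left <= 0:
        user.pending = None
        return False
    ch.attempts_left -= 1
    ok = hmac.compare_digest(_hash_otp(submitted, ch.salt), ch.otp_hash)
    if ok:
        user.pending = None            # single use
        user.known_devices.add(device_id)   # trust this device/IP from now on
        user.known_ips.add(ip)
    elif ch.attempts_left == 0:
        user.pending = None            # brute-force guard: a fresh code is required
    return ok


def login(user: UserRecord, password_ok: bool, device_id: str, ip: str,
          now: Optional[float] = None) -> Tuple[str, Optional[str]]:
    """Password step, then the step-up decision. Returns (status, otp_to_email)."""
    if not password_ok:
        return "denied", None
    if needs_step_up(user, device_id, ip):
        return "otp_required", issue_otp(user, now)
    return "ok", None


if __name__ == "__main__":
    # Constructed sample: the account has seen one device and one IP before.
    u = UserRecord("alice@example.com", {"dev-1"}, {"203.0.113.5"})
    print(login(u, True, "dev-1", "203.0.113.5")[0])       # ok
    status, code = login(u, True, "dev-2", "203.0.113.5")   # new device id
    print(status, verify_otp(u, code, "dev-2", "203.0.113.5"))
```

The device id is whatever the client presents (a cookie or app-installation id), so on its own it is not proof of anything; it is only a signal for deciding when to demand the e-mail code. Keep the OTP short-lived, hashed at rest, single-use and attempt-limited, because a 6-digit code with unlimited guesses is not a second factor.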
Consider using Kong as the authentication layer. We don't write our own crypto, so why should we write our own auth?
Explain Kong: https://getkong.org/about/faq/#how-does-it-work
https://github.com/PGBI/kong-dashboard
In the future we can add a third-party OAuth2 consent flow with the Kong OAuth2 plugin: https://getkong.org/plugins/oauth2-authentication/
https://github.com/Mashape/kong-oauth2-hello-world