- /login by email & password
- /register by email & password
- /passwords/forgot
- /passwords/reset
- /oauth/fb
2FA: if a user logs in from a new device (new device ID) OR a new IP, we need to send them an OTP via email to validate.
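One way to implement the new-device-or-new-IP rule above, as an added example that is not part of the original notes. The 6-digit code, 10-minute expiry, 5-attempt limit, in-memory storage and the `send_email` callback are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL = 600      # assumption: OTP valid for 10 minutes
MAX_ATTEMPTS = 5   # assumption: guesses allowed per challenge


def _digest(otp):
    return hashlib.sha256(otp.encode()).hexdigest()  # store a digest, not the OTP


class StepUpAuth:
    def __init__(self, send_email, clock=time.time):
        self.send_email = send_email  # hypothetical callable(user_id, otp)
        self.clock = clock
        self.known = {}    # user_id -> set of (kind, value) seen after a valid OTP
        self.pending = {}  # user_id -> outstanding challenge

    def needs_otp(self, user_id, device_id, ip):
        seen = self.known.get(user_id, set())
        return ("dev", device_id) not in seen or ("ip", ip) not in seen

    def on_password_ok(self, user_id, device_id, ip):
        # Call only after the email/password check has passed.
        if not self.needs_otp(user_id, device_id, ip):
            return "ok"
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[user_id] = {"digest": _digest(otp), "ctx": (device_id, ip),
                                 "expires": self.clock() + OTP_TTL, "attempts": 0}
        self.send_email(user_id, otp)
        return "otp_required"

    def verify_otp(self, user_id, device_id, ip, otp):
        ch = self.pending.get(user_id)
        # The challenge is bound to the device and IP that triggered it.
        if ch is None or ch["ctx"] != (device_id, ip):
            return False
        ch["attempts"] += 1
        if self.clock() > ch["expires"] or ch["attempts"] > MAX_ATTEMPTS:
            del self.pending[user_id]
            return False
        if not hmac.compare_digest(ch["digest"], _digest(otp)):
            return False
        del self.pending[user_id]  # single use
        self.known.setdefault(user_id, set()).update(
            {("dev", device_id), ("ip", ip)})
        return True
```

The device and IP are only recorded as known after the OTP is verified, so a stolen password alone never adds a new device to the trusted set.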
Consider using Kong for the authentication layer. We don't write our own crypto, so why should we write our own auth?
AWS API Gateway fits our requirements better, although I'm still not sure if combining responses from multiple microservices is possible.
AWS API Gateway also has more straightforward testing utilities.
Example microservice: https://auth0.com/blog/2015/09/04/an-introduction-to-microservices-part-1/