User Auth
A comprehensive guide to user authentication and management features in R2R
Introduction
R2R provides a complete set of user authentication and management features, allowing developers to implement secure and feature-rich authentication systems, or to integrate directly with their authentication provider of choice.
Refer to the authentication provider documentation for the provider options built into R2R, and to the auth API reference for the available endpoints.
When authentication is not required (require_authentication is set to false, which is the default in r2r.toml), unauthenticated requests run with the credentials of the default admin user.
This keeps development and testing environments simple, but it means every unauthenticated caller acts as an administrator. Treat it as a development-only setting and never leave it enabled on a deployment reachable from an untrusted network.
Setup
Before diving into the authentication features, ensure you have R2R installed and configured as described in the installation guide. For this guide, we'll use the default configuration. Further, r2r serve must be called to serve R2R in either your local environment or a local Docker engine.
Basic Usage
User Registration and Login
Let’s start by registering a new user and logging in:
This code snippet demonstrates the basic user registration and login process. The register method creates a new user account, while the login method authenticates the user and returns access and refresh tokens. The example above assumes that email verification is disabled.
Email Verification (Optional)
If email verification is enabled in your R2R configuration, you’ll need to verify the user’s email before they can log in:
Token Refresh
After logging in, you gain immediate access to user information such as general account details, documents overview, and utility functions like token refresh:
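Login hands the client a short-lived access token and a longer-lived refresh token, and the client has to decide when to refresh and when a fresh login is unavoidable. The following is an added example of that client-side bookkeeping; it is not R2R's SDK code. The tokens it builds are constructed, unsigned, JWT-shaped strings so the example runs offline, and the `refresh` callback is a hypothetical stand-in for the SDK's refresh call. Reading `exp` without verifying the signature is only acceptable for scheduling refreshes on the client; the server must still verify every token it receives.

```python
import base64
import json
from dataclasses import dataclass


class ReLoginRequired(Exception):
    """Raised when neither the access nor the refresh token can be used any longer."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(subject: str, expires_at: int) -> str:
    """Constructed, unsigned JWT-shaped token for this example only.
    A real server never accepts alg=none; we just need a readable 'exp' claim."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": subject, "exp": expires_at}).encode())
    return f"{header}.{payload}."


def token_expiry(token: str) -> int:
    """Read the 'exp' claim without verifying the signature.
    Fine for deciding when to refresh; never use it for an authorization decision."""
    payload_segment = token.split(".")[1]
    padding = "=" * (-len(payload_segment) % 4)
    payload = json.loads(base64.urlsafe_b64decode(payload_segment + padding))
    return int(payload["exp"])


@dataclass
class Session:
    access_token: str
    refresh_token: str
    # Refresh slightly early so a request never carries a token that expires in flight.
    skew_seconds: int = 30

    def access_token_usable(self, now: float) -> bool:
        return token_expiry(self.access_token) - self.skew_seconds > now

    def refresh_token_usable(self, now: float) -> bool:
        return token_expiry(self.refresh_token) > now

    def ensure_valid(self, now: float, refresh) -> str:
        """Return an access token good for at least skew_seconds.

        `refresh` is a hypothetical callback standing in for the SDK's refresh call:
        given the refresh token it returns (new_access_token, new_refresh_token).
        If the refresh token itself has expired there is nothing to refresh with,
        which is the 'Token refresh fails' case in Troubleshooting: log in again.
        """
        if self.access_token_usable(now):
            return self.access_token
        if not self.refresh_token_usable(now):
            raise ReLoginRequired("refresh token expired; log in again")
        self.access_token, self.refresh_token = refresh(self.refresh_token)
        return self.access_token
```

Keeping the refresh decision in one place means every request path handles the expired-refresh-token case the same way, instead of each caller retrying a refresh that can never succeed.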
Document Management
R2R allows users to manage their documents securely. Here's how to ingest and search a given user's documents:
Ingesting Documents
User Document Overview
Search & RAG
Advanced Authentication Features
R2R offers several advanced authentication features to enhance security and user experience:
Password Management
Users can change their passwords and request password resets:
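A password reset is an authentication bypass by design, so the reset token has to be unguessable, short-lived, single-use and never stored in the clear, and the new password should be checked against a policy before it is accepted. The following is an added example of those server-side rules; it is not R2R's implementation, and its policy thresholds and class names are assumptions for illustration.

```python
import hashlib
import secrets
from dataclasses import dataclass, field


class PasswordPolicyError(ValueError):
    pass


def check_password_policy(password: str, email: str, min_length: int = 12) -> None:
    """Reject weak passwords before they are hashed and stored. Thresholds are illustrative."""
    if len(password) < min_length:
        raise PasswordPolicyError(f"password must be at least {min_length} characters")
    local_part = email.split("@")[0].lower()
    if local_part and local_part in password.lower():
        raise PasswordPolicyError("password must not contain your email address")
    if len(set(password)) < 4:
        raise PasswordPolicyError("password is too repetitive")


@dataclass
class ResetRecord:
    email: str
    expires_at: float
    used: bool = False


@dataclass
class PasswordResetService:
    ttl_seconds: int = 900  # 15 minutes; a reset link should not work tomorrow
    # Keyed by the token's hash: a leaked table does not yield usable tokens.
    _records: dict = field(default_factory=dict)

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email: str, now: float) -> str:
        """Create a single-use reset token. The raw token goes to the user (e.g. in an
        emailed link); only its hash stays on the server."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._records[self._hash(token)] = ResetRecord(email, now + self.ttl_seconds)
        return token

    def confirm(self, token: str, new_password: str, now: float) -> str:
        """Validate the token and the new password; return the email whose password may now change."""
        record = self._records.get(self._hash(token))
        if record is None or record.used or now > record.expires_at:
            # One generic error for unknown, used and expired tokens so a caller
            # cannot tell which it was.
            raise PermissionError("invalid or expired reset token")
        # Policy failures leave the token unconsumed so the user can try again.
        check_password_policy(new_password, record.email)
        record.used = True
        return record.email
```

The same `check_password_policy` belongs in the change-password path as well, so a user cannot downgrade to a weak password through either route.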
User Profile Management
Users can view and update their profiles:
Account Deletion
Users can delete their accounts:
Logout
To end a user session:
Superuser Capabilities and Default Admin Creation
R2R includes powerful superuser capabilities and a mechanism for default admin creation, which are crucial for system management and initial setup. Let’s explore these features:
Superuser Capabilities
Superusers in R2R have elevated privileges that allow them to perform system-wide operations and access sensitive information. Some key superuser capabilities include:
- User Management: Superusers can view, modify, and delete user accounts.
- System-wide Document Access: They can access and manage documents across all users.
- Analytics and Observability: Superusers have access to system-wide analytics and logs.
- Configuration Management: They can modify system configurations and settings.
To use superuser capabilities, you need to authenticate as a superuser. The methods for accessing these features are the same as regular user methods, but with expanded scope and permissions.
Default Admin Creation
R2R automatically creates a default admin user during initialization. This process is handled by the R2RAuthProvider class. Here's how it works:
- During system initialization, R2R attempts to create a default admin user.
- The admin email and password are typically set through environment variables or configuration files.
- If the admin user already exists, R2R logs this information and continues without creating a duplicate.
The relevant part of the configuration that affects this process is:
- With "require_authentication": false, the system allows unauthenticated access for testing and development. In a production environment, this should be set to true.
- "require_email_verification": false means that email verification is not required for new users, including the default admin. For increased security in production, consider enabling this.
Accessing Superuser Features
To access superuser features, you need to authenticate as the default admin or another user with superuser privileges. Here’s an example of how to do this:
Security Considerations for Superusers
When using superuser capabilities, keep the following security considerations in mind:
- Limit Superuser Access: Only grant superuser privileges to trusted individuals who require full system access.
- Use Strong Passwords: Ensure that superuser accounts, especially the default admin, use strong, unique passwords.
- Enable Authentication and Verification: In production, set "require_authentication": true and "require_email_verification": true for enhanced security.
- Audit Superuser Actions: Regularly review logs of superuser activities to detect any unusual or unauthorized actions.
- Rotate Credentials: Periodically update superuser credentials, including the default admin password.
By understanding and properly managing superuser capabilities and default admin creation, you can ensure secure and effective administration of your R2R deployment.
Security Considerations
When implementing user authentication, consider the following security best practices:
- Use HTTPS: Always use HTTPS in production to encrypt data in transit.
- Implement rate limiting: Protect against brute-force attacks by limiting login attempts.
- Use secure password hashing: R2R uses bcrypt for password hashing by default, which is a secure choice.
- Implement multi-factor authentication (MFA): Consider adding MFA for an extra layer of security.
- Regular security audits: Conduct regular security audits of your authentication system.
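Rate limiting login attempts is listed above without detail, and the detail matters: counting only per source address misses a distributed guess against one account, while counting only per account misses one address spraying a common password across many users. The following is an added example that tracks both in a sliding window; it is not R2R's own limiter. The thresholds and the `password_ok` stand-in for the server-side bcrypt check are assumptions for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class LoginRateLimiter:
    """Sliding-window limiter for failed logins, keyed per account and per source address.

    Only failures count, so a legitimate user who types the right password is never
    locked out by their own traffic. Thresholds here are illustrative.
    """
    max_failures_per_account: int = 5
    max_failures_per_address: int = 20
    window_seconds: int = 900  # 15 minutes
    _account_failures: dict = field(default_factory=lambda: defaultdict(deque))
    _address_failures: dict = field(default_factory=lambda: defaultdict(deque))

    def _prune(self, timestamps: deque, now: float) -> None:
        # Failures older than the window fall off the left of the deque.
        while timestamps and now - timestamps[0] > self.window_seconds:
            timestamps.popleft()

    def is_blocked(self, email: str, address: str, now: float) -> bool:
        account = self._account_failures[email.lower()]  # Alice@ and alice@ share a counter
        source = self._address_failures[address]
        self._prune(account, now)
        self._prune(source, now)
        return (len(account) >= self.max_failures_per_account
                or len(source) >= self.max_failures_per_address)

    def record_failure(self, email: str, address: str, now: float) -> None:
        self._account_failures[email.lower()].append(now)
        self._address_failures[address].append(now)

    def record_success(self, email: str) -> None:
        # A correct password shows the owner is present; clear their account counter.
        self._account_failures.pop(email.lower(), None)


def attempt_login(limiter: LoginRateLimiter, email: str, address: str,
                  password_ok: bool, now: float) -> str:
    """Wrap a login attempt; returns 'blocked', 'denied' or 'ok'.

    `password_ok` is a hypothetical stand-in for the server-side password check
    (bcrypt verification in R2R). The limiter is consulted before that check so
    blocked requests never reach the expensive hash at all.
    """
    if limiter.is_blocked(email, address, now):
        return "blocked"
    if not password_ok:
        limiter.record_failure(email, address, now)
        return "denied"
    limiter.record_success(email)
    return "ok"
```

A blocked account still answers with the same generic error as a wrong password, so the limiter does not become a way to confirm which emails are registered.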
Customizing Authentication
R2R’s authentication system is flexible and can be customized to fit your specific needs:
- Custom user fields: Extend the User model to include additional fields.
- OAuth integration: Integrate with third-party OAuth providers for social login.
- Custom password policies: Implement custom password strength requirements.
- User roles and permissions: Implement a role-based access control system.
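The superuser section above describes two scopes, ordinary users confined to their own documents and superusers with system-wide access, and the last item here suggests generalising that into role-based access control. The following is an added example of a deny-by-default policy that covers both; it is not R2R's authorization code, and the role, action and record names are assumptions for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    USER = "user"
    SUPERUSER = "superuser"


class Action(Enum):
    READ = "read"
    UPDATE = "update"
    DELETE = "delete"


@dataclass(frozen=True)
class User:
    id: str
    role: Role


@dataclass(frozen=True)
class Document:
    id: str
    owner_id: str


# Actions a role may take on documents it does NOT own. Ordinary users get nothing
# here: they are confined to their own documents by the ownership check in `can`.
# A role missing from this table gets no cross-user rights at all (deny by default).
CROSS_USER_ACTIONS = {
    Role.SUPERUSER: frozenset(Action),
}


def can(actor: User, action: Action, doc: Document) -> bool:
    """Ownership grants everything; anything beyond that must come from the role table."""
    if doc.owner_id == actor.id:
        return True
    return action in CROSS_USER_ACTIONS.get(actor.role, frozenset())


def can_manage_account(actor: User, target: User) -> bool:
    """Profile edits and account deletion: self-service for everyone, other accounts only for superusers."""
    return actor.id == target.id or actor.role is Role.SUPERUSER


def visible_documents(actor: User, docs: list[Document]) -> list[Document]:
    """Filter a listing so a user sees only what they may read; superusers see everything."""
    return [d for d in docs if can(actor, Action.READ, d)]


def require(actor: User, action: Action, doc: Document) -> None:
    """Enforcement helper for request handlers: raise instead of silently returning False."""
    if not can(actor, action, doc):
        raise PermissionError(f"{actor.id} may not {action.value} document {doc.id}")
```

Adding a role (say, an auditor who may read but not modify other users' documents) is a one-line change to `CROSS_USER_ACTIONS`, and every handler that goes through `require` picks it up without touching ownership logic.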
Troubleshooting
Here are some common issues and their solutions:
- Login fails after registration: Ensure email verification is completed if enabled.
- Token refresh fails: Check if the refresh token has expired; the user may need to log in again.
- Unable to change password: Verify that the current password is correct.
Conclusion
R2R provides a comprehensive set of user authentication and management features, allowing developers to create secure and user-friendly applications. By leveraging these capabilities, you can implement robust user authentication, document management, and access control in your R2R-based projects.
For more advanced use cases or custom implementations, refer to the R2R documentation or reach out to the community for support.