User Authentication
User Manual
| Field | Value |
|---|---|
| Document Type | User Manual |
| Portal | GRINEA – Internal Operations Portal |
| Module | User Authentication |
| Version Number | 1.0 |
| Document Date | Jun 5, 2026 |
| Prepared by | Christian Canlubo |
Version History
| Version Number | Version Details | Author | Date Published |
|---|---|---|---|
| 1.0 | Initial Version | Christian Canlubo | Jun 5, 2026 |
1.0 Introduction
This section provides an overview of the purpose, scope, and intended audience of this document. Platform users are encouraged to review this document in full before proceeding to other manuals to ensure that they understand how this document applies to their roles and responsibilities within the organization and within the platform.
1.1 Purpose of the Document
This document serves as the official user manual for the User Authentication module of the GRINEA Internal Operations Portal. The User Authentication module is the entry point to all portal activity. It governs how users log in, manage passwords, and end their sessions. No portal module or function is accessible without a valid, active session.
This manual provides step-by-step guidance on all authentication-related operations, including first login via invitation link, standard login, password recovery, and logout. Users who follow this manual can independently complete each flow without administrator assistance.
This document is intended to complement, not replace, any organization-specific security policies or system administration guidelines. Users who encounter platform issues not covered in this manual should contact their designated system administrator.
1.2 Scope of the Document
This document covers all user-facing authentication flows in the GRINEA Internal Operations Portal. The scope is limited to authentication-related functionality and does not extend to account provisioning, role assignment, or other portal modules. Specifically, this document covers the following areas:
- Navigating to the portal login page
- Logging in with a registered email address and password
- Completing the first login flow via invitation email link
- Requesting a password reset via the Forgot Password flow
- Resetting a password using the reset link
- Requesting a new reset link via the Resend Link option
- Understanding session lifetime and automatic session timeout
- Logging out via the User Menu
- Navigating login page elements including Terms of Use, Privacy Policy, and language toggle
- Understanding session statuses: ACTIVE, EXPIRED, and REVOKED
This document applies to the production environment of the Internal Operations Platform. Any references to system behaviour, screen layouts, or processes are based on the current release of the platform at the time of publication. Users should note that the interface and procedures may be subject to updates as the platform evolves; the most current version of this manual will be maintained and distributed by the designated platform administrator.
The following areas are out of scope for this document and are addressed in separate documentation:
- User account provisioning and invitation dispatch, handled by the Backoffice Administrator and covered in the User Management manual
- RBAC role assignment and permission configuration, covered in the RBAC manual
- Access to specific portal modules following successful login, covered in their respective module manuals
- IT infrastructure, network access, and device management policies
1.3 Intended Audience
This manual is intended for all platform users across the GRINEA Internal Operations Portal. It has been written to be accessible to users regardless of their level of technical experience. The primary audiences for this document are outlined below:
Frontoffice and Backoffice Users
Any user holding a platform account passes through the authentication module. Frontoffice and Backoffice users access the login page to authenticate, use the Forgot Password and Reset Password flows when needed, and log out via the User Menu at the end of their session. Role-specific portal access is displayed immediately on successful login based on each user's assigned role.
Backoffice Administrator
The Backoffice Administrator creates user accounts in the User Management module and triggers the invitation email that initiates each user's first login. The Administrator does not log in on behalf of other users; however, understanding the first login and invitation flows is relevant to the Administrator's account provisioning responsibilities. If an invitation link expires or fails, the Administrator must resend it from the User Management module.
2.0 Module Overview
2.1 Description
2.1.1 The User Authentication module is the entry point to the GRINEA Internal Operations Portal. It is accessed by navigating to the portal URL, which loads the login page directly. Every user with a platform account passes through this module before accessing any other portal function. At 11 hours of inactivity, the platform displays a session timeout warning. The user may extend the session by clicking Stay logged in, which resets the timer to 12 hours.
2.1.2 The login page displays the email and password fields, a Forgot Password link, and options to view the Terms of Use and Privacy Policy. A language toggle on the login page switches the interface between Polish and English, including the full content of both policy modals.
2.2 Key Features and Functionalities
2.2.1 Login Page
The login page is the default entry point for returning users. It loads when a user navigates to the portal URL or is redirected after completing the first login. The following elements are present on the login page:
| Element | Description |
|---|---|
| Email field | Required. Accepts the registered email address of the user. |
| Password field | Required. Accepts the user's account password. |
| Login button | Submits the entered credentials for authentication. |
| Forgot Password link | Opens the Forgot Password flow. See section 2.2.3. |
| Terms of Use | Opens a modal displaying the platform Terms of Use in the currently selected language. |
| Privacy Policy | Opens a modal displaying the platform Privacy Policy in the currently selected language. |
| Language toggle | Switches the interface between Polish and English. All interface labels and the full content of the Terms of Use and Privacy Policy modals update to the selected language. |
To log in:
- Navigate to the portal URL or open the link from the first login success screen.
- Enter your registered email address and password.
- Click Login.
- On success, the portal landing page loads and the navigation pane shows the modules assigned to your role.
[Screenshot: Login Page]
2.2.2 First Login (Invitation Flow)
A new user account is created by the Backoffice Administrator. The platform dispatches an invitation email to the registered address. The invitation link is valid for 24 hours and can only be used once.
To complete first login:
- Open the invitation link from the email.
- Enter a new password that meets the following requirements, then click Set Password.
- A success message is displayed. The page redirects to the login page.
- Log in using your registered email address and the password you just set.
Password Requirements
- At least 8 characters
- At least one uppercase letter
- At least one lowercase letter
- At least one number
- At least one special character (e.g. !@#$%)
Warning: If the invitation link has expired or has already been used, contact the Backoffice Administrator. The Administrator must resend the invitation from the User Management module, which issues a new link and invalidates the previous one.
[Screenshot: First Login – Set Your New Password]
2.2.3 Forgot Password
The Forgot Password flow allows a user to request a password reset link by email when they cannot log in.
To request a password reset:
- Click Forgot Password on the login page.
- Enter your registered email address.
- Click Send reset link.
- The platform sends a reset link to the address if it matches a registered account.
Note: The platform does not confirm whether the entered email address matches a registered account. Response behaviour is the same regardless of whether the address is recognised.
Requests are rate-limited to 3 submissions per day. The Resend Link option becomes available 60 seconds after the initial request. See section 2.2.5.
[Screenshot: Forgot Password]
2.2.4 Reset Password
The Reset Password flow is accessed via the link contained in the password reset email. The link is valid for 15 minutes and can only be used once.
To reset a password:
- Open the password reset link from the email.
- Enter a new password that meets the Password Requirements listed in section 2.2.2, then confirm the new password.
- Click Submit.
- The password is updated. All active sessions for the account are ended.
- Log in using the new password.
| Token Attribute | Value |
|---|---|
| Expiry | 15 minutes from issue. |
| Reuse | Single-use. Once used, the link is invalid. |
| Session effect | All active sessions for the user are ended on password update. |
2.2.5 Resend Reset Link
If the reset email was not received or the reset link has expired, a new link can be requested from the Forgot Password screen.
To request a new reset link:
- On the Forgot Password screen, wait 60 seconds after the initial request.
- Click Resend Link.
- A new reset link is sent to the registered email address. The previous link is invalidated immediately.
[Screenshot: Resend Reset Link]
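The reset-link rules in sections 2.2.3 to 2.2.5, modelled as a small in-memory service. This is an added example, not the portal's own code. The class and method names, hashed token storage, the per-address rate limit, and the identical response for throttled requests are assumptions.

```python
import hashlib
import secrets

RESET_TTL = 15 * 60      # reset link valid for 15 minutes (section 2.2.4)
RESEND_COOLDOWN = 60     # Resend Link available after 60 seconds
DAILY_LIMIT = 3          # 3 submissions per day (assumed: counted per address)
DAY = 24 * 60 * 60


class ResetService:
    """Hypothetical model; 'now' is passed in as seconds so it can be tested."""

    def __init__(self, registered):
        self.registered = set(registered)
        self.requests = {}   # email -> timestamps of accepted requests
        self.tokens = {}     # email -> (sha256 of current token, issued_at)
        self.outbox = []     # (email, token) pairs standing in for sent mail

    def request_reset(self, email, now):
        recent = [t for t in self.requests.get(email, []) if now - t < DAY]
        allowed = len(recent) < DAILY_LIMIT and (
            not recent or now - recent[-1] >= RESEND_COOLDOWN)
        if allowed:
            self.requests[email] = recent + [now]
            if email in self.registered:
                token = secrets.token_urlsafe(32)
                digest = hashlib.sha256(token.encode()).hexdigest()
                # Overwriting the entry invalidates the previous link.
                self.tokens[email] = (digest, now)
                self.outbox.append((email, token))
        # Identical response for registered, unregistered and throttled cases.
        return "If the address is registered, a reset link has been sent."

    def redeem(self, email, token, now):
        entry = self.tokens.get(email)
        if entry is None:
            return False
        digest, issued = entry
        supplied = hashlib.sha256(token.encode()).hexdigest()
        if not secrets.compare_digest(digest, supplied):
            return False
        del self.tokens[email]   # single-use; also discards an expired link
        return now - issued <= RESET_TTL
```

A successful `redeem` is the point at which the password would be updated and all active sessions for the account ended.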
2.2.6 Logout
The Logout option is available in the User Menu in the top navigation bar of the portal.
To log out:
- Click the User Menu in the top navigation bar.
- Click Logout.
- The session ends. Active sessions for the account are revoked. The page redirects to the login screen.
Note: Back-navigation in the browser does not restore portal access. All protected portal pages enforce re-authentication after logout.
[Screenshot: Logout]
2.2.7 Session Timeout Warning
The platform monitors session activity. A session becomes inactive when no user interaction — including mouse movement, clicks, keystrokes, or page navigation — is detected. At 11 hours of inactivity, the platform displays a session timeout warning modal. The warning informs the user that their session will expire in 1 hour.
The modal includes a Stay logged in button. Clicking Stay logged in resets the inactivity timer to 12 hours and dismisses the modal. If the user does not interact with the warning before the timer reaches zero, the session is terminated and the user is redirected to the login page. If multiple browser tabs are open, the warning appears on the tab with the earliest inactivity counter.
| Event | Timing |
|---|---|
| Session timeout warning displayed | 11 hours after last activity |
| Session terminated | 12 hours after last activity |
| Timer reset on "Stay logged in" | Resets to 12 hours from the click |
2.3 Session Statuses
Each user session carries one of the following statuses:
| # | Status | Description |
|---|---|---|
| 1 | ACTIVE | The session is live. The user can navigate and interact with all portal modules assigned to their role. A session becomes ACTIVE on successful login and remains active for 12 hours. |
| 2 | EXPIRED | The session has reached its 12-hour lifetime without a logout. The token is no longer accepted by the platform. The user is redirected to the login page and must re-authenticate. No portal data is lost on expiry. A warning is displayed 1 hour before expiry. See section 2.2.7. |
| 3 | REVOKED | The session was explicitly ended before natural expiry. All active sessions for the user are revoked on logout, password reset, or password change. The user must log in again to access the portal. |
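The session timings in section 2.2.7 and the three statuses above, expressed as a state check. This is an added example, not the portal's own code. The class names are hypothetical, and it assumes the 12-hour lifetime is measured from last activity, as section 2.2.7 describes.

```python
WARN_AFTER = 11 * 3600   # warning modal at 11 hours of inactivity
IDLE_LIMIT = 12 * 3600   # session terminated at 12 hours of inactivity


class Session:
    """Hypothetical session record; 'now' is a timestamp in seconds."""

    def __init__(self, user, now):
        self.user = user
        self.last_activity = now
        self.revoked = False

    def status(self, now):
        if self.revoked:
            return "REVOKED"
        if now - self.last_activity >= IDLE_LIMIT:
            return "EXPIRED"
        return "ACTIVE"

    def warning_due(self, now):
        idle = now - self.last_activity
        return self.status(now) == "ACTIVE" and idle >= WARN_AFTER

    def touch(self, now):
        """User activity or a 'Stay logged in' click. An EXPIRED or REVOKED
        session is never revived; the caller must redirect to login."""
        if self.status(now) != "ACTIVE":
            return False
        self.last_activity = now
        return True


class SessionStore:
    def __init__(self):
        self.sessions = []

    def login(self, user, now):
        session = Session(user, now)
        self.sessions.append(session)
        return session

    def revoke_all(self, user, now):
        """Logout, password reset or password change: end every live session."""
        live = [s for s in self.sessions
                if s.user == user and s.status(now) == "ACTIVE"]
        for s in live:
            s.revoked = True
        return len(live)
```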
3.0 Error Handling and Troubleshooting
This section lists the most common scenarios users may encounter while using the User Authentication module, the typical underlying cause, and the recommended resolution. Issues that persist after the suggested resolution should be escalated to the system administrator.
| Scenario | Possible Cause | Resolution |
|---|---|---|
| Login fails with blank fields | One or both required fields (email, password) were submitted empty. The form validates locally and does not send the request to the authentication service. | Enter both your email address and password before clicking Login. |
| Login fails after entering credentials | The email address or password entered does not match a valid account. The platform does not distinguish between an unrecognised email and an incorrect password in its error message. | Check your credentials and try again. Use Forgot Password if you cannot recall your password. |
| Invitation link does not work | The invitation link has expired (24-hour limit) or has already been used. Each link is single-use. | Contact the Backoffice Administrator to resend the invitation. A new link will be issued and the previous one will be invalidated. |
| Reset link does not work | The reset link has expired (15-minute limit) or has already been used. | Return to the login page, click Forgot Password, and submit a new request. |
| Reset email not received | The email may be delayed or filtered as spam, or the address entered may not match a registered account. The platform does not confirm whether an address is recognised. | Check your spam folder and wait a few minutes. Use Resend Link, which becomes available 60 seconds after the request. If the issue continues, contact the system administrator. |
| Redirected to login page unexpectedly | The session has expired after 12 hours of inactivity and the token was rejected on the next request, or the session timeout warning was dismissed or ignored. | Log in again. No portal data is lost as a result of session expiry. |
4.0 FAQs
The following frequently asked questions address common queries about the User Authentication module.
| Question | Answer |
|---|---|
| How long does a session last? | A session is active for 12 hours from the time of login. After 12 hours the session expires automatically and you are redirected to the login page to re-authenticate. |
| What happens to my other sessions when I reset my password? | Resetting your password immediately ends all active sessions across all devices and browsers. You must log in again with the new password on each device. |
| My invitation link is not working. What do I do? | The invitation link expires after 24 hours and can only be used once. If the link no longer works, contact the Backoffice Administrator to resend the invitation. A new link will be issued and the previous one will be invalidated. |
| Can I switch the interface language on the login page? | Yes. A language toggle on the login page switches the interface between Polish and English. This includes all interface labels and the full content of the Terms of Use and Privacy Policy modals. |
| What happens if I click Back in the browser after logging out? | Back-navigation in the browser does not restore portal access. All protected portal pages enforce re-authentication. You must log in again. |