User Account
Detailed guide on how user accounts, profile management, and account security work in the Flutter boilerplate.
The user account system in this boilerplate is designed to be secure, flexible, and easy to manage. It handles everything from profile updates and avatar management to security settings like password changes and account deletion.
How User Accounts Work
Account management is primarily handled by the AuthNotifier provider, which maintains the authentication state and provides methods for interacting with user data.
Key Logic & Providers
- AuthProvider: The central hub for authentication state (authenticated, unauthenticated, loading). It handles API calls for profile updates, password changes, and verification.
- UserProvider: A simple provider that stores the current user's profile data (User model) once authenticated.
- Session Persistence: User tokens and basic profile information are persisted locally using secure storage, allowing the app to stay logged in across restarts.
Authentication Flow
- Registration: Supports email/password with automatic device tracking and FCM token registration.
- Login: Traditional email/password login and one-tap Google Sign-In.
- Session Validation: On app launch, the checkAuth method validates the stored token against the backend to ensure the session is still active.
Edit Profile
The profile editing feature allows users to keep their personal information up to date. This is managed via the EditProfilePage.
Functionality
- Display Name: Users can update the name they use within the application.
- Phone Number: Optional field for user contact information.
- Email (Read-Only): For security and identity reasons, the email address is immutable once the account is created.
- Avatar Management: Users can view their current avatar (integrated with UI Avatars or remote URLs) and trigger a picker to update it.
Implementation Example
To update a profile programmatically, you can use the updateProfile method from AuthNotifier:
await ref.read(authProvider.notifier).updateProfile(
  user.uuid,
  name: "New Name",
  phoneNumber: "+1234567890",
);
Account Security & Management
Security is a top priority. The app includes a dedicated Security section within Settings to manage account-wide safety features.
Security Features
- Change Password: A dedicated flow for users to update their credentials securely.
- Active Sessions: Users can view all devices currently logged into their account, including IP addresses and "Last Active" timestamps.
- Session Revocation: The ability to remotely sign out of specific devices or "Sign out of all devices" at once.
- Login History: A Success/Fail audit log of recent login attempts to help users identify suspicious activity.
Deleting an Account (Danger Zone)
The boilerplate includes a "Danger Zone" for permanent account deletion. This process is irreversible and ensures all user data is removed from the system.
- User Action: The user selects "Delete Account" in the Security settings.
- Confirmation: A destructive confirmation dialog (UiDialogConfirm) is shown to prevent accidental deletion.
- API Call: The deleteAccount() method in AccountSecurity sends a DELETE request to the backend.
- Local Cleanup: Upon success, the app automatically clears all local tokens and session data, redirecting the user back to the login screen.
// Deletion logic in SecurityProvider
Future<void> deleteAccount() async {
  final response = await ApiService.handleApiCall(
    dioService.delete(Endpoints.routeDeleteAccount, BasicResponse.fromJson),
  );
  if (response is Success) {
    // Triggers global logout state
    ref.read(authProvider.notifier).checkAuth();
  }
}
Best Practices
- Eager Loading: User data is cached locally to ensure a "zero-lag" experience when opening the profile page, with a background refreshUser call to sync with the server.
- Validation: Profile updates use server-side validation, and errors are gracefully displayed to the user via SnackBar notifications.
- UI Tokens: All account pages use the global DesignTokens system to ensure consistent padding, spacing, and theming across light and dark modes.
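The launch-time session validation and the account-deletion cleanup described above, sketched in plain Dart as an added example that is not the boilerplate's own code. TokenStore, SessionGuard, TokenCheck and the callbacks are hypothetical stand-ins for secure storage and the backend, and failing closed when the backend is unreachable is this example's choice.

```dart
// Added illustration; every name here is hypothetical, not the boilerplate's API.
enum AuthStatus { authenticated, unauthenticated, loading }
enum TokenCheck { valid, rejected, unreachable }
/// In-memory stand-in for the secure storage that persists the token.
class TokenStore {
  String? _token;
  Future<String?> read() async => _token;
  Future<void> write(String token) async { _token = token; }
  Future<void> clear() async { _token = null; }
}
class SessionGuard {
  SessionGuard(this.store, this.validate);
  final TokenStore store;
  final Future<TokenCheck> Function(String token) validate; // backend call
  AuthStatus status = AuthStatus.loading;
  /// Launch-time check: only a backend-confirmed token is `authenticated`.
  Future<AuthStatus> checkAuth() async {
    status = AuthStatus.loading;
    final token = await store.read();
    if (token == null) return status = AuthStatus.unauthenticated;
    final check = await validate(token);
    if (check == TokenCheck.valid) return status = AuthStatus.authenticated;
    // Rejected (revoked session, deleted account): the token is stale, drop it.
    if (check == TokenCheck.rejected) await store.clear();
    // Backend unreachable: fail closed, but keep the token for a later retry.
    return status = AuthStatus.unauthenticated;
  }

  /// Deletion: clear local state once the backend confirms the DELETE.
  Future<bool> deleteAccount(Future<bool> Function(String) sendDelete) async {
    final token = await store.read();
    if (token == null || !await sendDelete(token)) return false;
    await store.clear();
    status = AuthStatus.unauthenticated;
    return true;
  }
}

Future<void> main() async {
  final store = TokenStore();
  await store.write('constructed-token'); // constructed sample value
  var answer = TokenCheck.valid;
  final guard = SessionGuard(store, (_) async => answer);
  print('valid: ${await guard.checkAuth()}');
  answer = TokenCheck.unreachable;
  print('offline: ${await guard.checkAuth()}, kept: ${await store.read() != null}');
  print('deleted: ${await guard.deleteAccount((_) async => true)}');
  print('token after delete: ${await store.read()}');
}
```

Clearing the token inside deleteAccount means local cleanup still happens when a follow-up validation request cannot reach the backend.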