
STATE - Entry and Access Foundation

Domain: DOL English | Product | Status: active

Platform discovery runs outside-in: users can browse first, auth gates appear at persistence points, protected checkout starts only after login, and Home post-login is the default router in web-app scope.

  • First-contact intents coexist:
    • course purchase,
    • self-study,
    • exploration.
  • Pre-auth browsing is allowed for:
    • self-study exercise-list discovery,
    • course-list/program discovery.
  • Auth gate point:
    • attempt start, or
    • first action that must persist user data.
  • Auth gate presentation at attempt start:
    • inline modal/bottom-sheet in current context by default,
    • full-page auth only as fallback when inline surface is unavailable,
    • user may dismiss auth gate; dismiss keeps current page and does not execute protected attempt action.
  • After successful login, user lands on unified Home post-login router.
  • If user must login/register while in a specific page/flow, after login success user returns to that exact page/flow.
  • After successful registration:
    • first landing is Home post-login empty-state,
    • onboarding goal prompt may appear on Home and remains optional.
  • Signup minimum required data:
    • auth identity,
    • terms acceptance.
  • If auth starts from protected context, preserve returnTo.
  • If user is returned to protected in-progress context after auth/signup, do not inject goal popup in the same return moment.
  • If returnTo target is valid after auth, return directly to exact protected target (not Home-first).
  • returnTo validity window: 24 hours.
  • Invalid/expired returnTo fallback hierarchy:
    • nearest valid route in same skill/program context first,
    • program-level valid route second,
    • Home post-login only as final fallback.
  • If multiple login-required pages are triggered before login completes, the most recent page is used for return.
  • For mixed contexts, system does not force a single lane; Home keeps parallel entries with soft ranking.
  • Auth set:
    • email + password login,
    • email OTP fallback login,
    • Google sign-in.
  • Scope boundary:
    • parent/child household and StudentCode/PIN flows belong to Product KID and are not active in DOL English Web V2.
  • Login default path is password-first with email OTP fallback.
  • Email signup requires password setup + email OTP verification.
  • No age-gate is applied in signup flow.
  • Password baseline: minimum 6 characters.
  • OTP baseline: validity 10 minutes, resend cooldown 60 seconds.
  • OTP anti-abuse baseline:
    • 5 wrong OTP attempts -> lock 10 minutes (signup/login OTP screens),
    • OTP retry cannot be unlimited,
    • lock is intent-scoped and does not propagate across other auth intents,
    • while intent lock is active, OTP channel-switch bypass is blocked inside that same intent,
    • wrong-attempt counter resets to 0 after lock window expires.
  • Phone is non-auth contact data.
  • Social account without phone can continue normal usage; contact completion is nudged later or collected during paid checkout.
  • Existing account detection at signup:
    • if email already exists: route directly to login step with clear notice,
    • keep email prefilled in login step,
    • no dedicated duplicate-resolution branch,
    • no auto-send OTP by default at handoff.
  • Trusted-device window: 30 days.
  • If upgrade/payment is triggered from landing/exploration context, success returns user to prior context and shows paid-welcome popup.
  • If upgrade/payment is triggered inside exercise flow, success reloads current exercise/result context and unlocks paid features immediately.
  • Contact persistence for checkout:
    • checkout is a protected flow; guest user must login before entering checkout,
    • Pro/Pro Max and course checkout require verified email + phone contact present,
    • phone does not need OTP verification and is not treated as auth/recovery channel,
    • blocker UI allows inline phone input/update without leaving blocker flow,
    • blocker preserves selected package/cycle/context and resumes same step after data is complete,
    • collected phone contact is saved back to profile.
  • Password-failure lock threshold:
    • 5 consecutive failed password attempts -> lock 15 minutes,
    • OTP unlock path is available during lock window.
  • Forgot-password entry:
    • starts directly from login step,
    • uses email verification path,
    • no redirect to signup flow for recovery,
    • after reset success, return to login with success message and prefilled verified email from the reset flow (no auto-login by default).
  • Attempt-start auth gate reopen anti-spam:
    • after user dismisses gate, rapid retrigger re-open is throttled by cooldown 3 seconds.
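Worked example of the returnTo rules above (24-hour window, most-recent page wins, fallback hierarchy, goal prompt only on Home). This is added illustration code, not DOL English Web V2 code; the route registry, path names and the `pending` entry shape `{ path, program, skill, savedAt }` are constructed assumptions.

```javascript
// Added example, not DOL code: resolve where a user lands after auth from
// the returnTo rules above. Route registry and sample paths are constructed.
const RETURN_TO_TTL_MS = 24 * 60 * 60 * 1000; // returnTo validity window: 24 hours
const HOME = "/home"; // Home post-login router, final fallback only

// Constructed route registry: path -> its program/skill context (null if none).
const ROUTES = {
  "/home": { program: null, skill: null },
  "/program/ielts": { program: "ielts", skill: null },
  "/program/ielts/listening": { program: "ielts", skill: "listening" },
  "/program/ielts/listening/exercise/42": { program: "ielts", skill: "listening" },
};

// Only app-relative paths qualify as a returnTo target. Absolute URLs, protocol-relative
// "//host" and backslash variants are rejected, so a tampered returnTo can only fall back
// inside the app, never redirect off-site.
function isInternalPath(path) {
  return typeof path === "string" && /^\/(?![\/\\])/.test(path);
}

// Several login-required pages may be hit before login completes: the most
// recently saved entry is the one used for return.
function latestPending(pending) {
  return pending.reduce((a, b) => (a === null || b.savedAt > a.savedAt ? b : a), null);
}

// Finds a registered route matching the given context, or undefined.
function routeFor(program, skill) {
  return Object.keys(ROUTES).find(
    (p) => ROUTES[p].program === program && ROUTES[p].skill === skill);
}

// Returns { target, goalPromptAllowed }. The goal prompt is a Home-only surface,
// so it is never injected when the user is sent back to a protected context.
function resolvePostAuthTarget(pending, nowMs) {
  const entry = latestPending(pending);
  const fresh = entry !== null && nowMs - entry.savedAt <= RETURN_TO_TTL_MS;
  // Valid and unexpired: go straight to the exact target, never Home-first.
  if (fresh && isInternalPath(entry.path) && ROUTES[entry.path]) {
    return { target: entry.path, goalPromptAllowed: false };
  }
  // Invalid or expired: nearest route in same skill, then program level, then Home.
  if (entry !== null) {
    const skillRoute = entry.skill ? routeFor(entry.program, entry.skill) : undefined;
    const programRoute = entry.program ? routeFor(entry.program, null) : undefined;
    const fallback = skillRoute || programRoute;
    if (fallback) return { target: fallback, goalPromptAllowed: false };
  }
  return { target: HOME, goalPromptAllowed: true };
}
```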
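Worked example covering both the OTP anti-abuse baseline (5 wrong attempts, 10-minute intent-scoped lock, counter reset on expiry, no channel-switch bypass) and the password-failure lock (5 consecutive failures, 15 minutes, OTP unlock path still open). Added illustration code, not DOL code; the identity keys, intent names (`signup-otp`, `login-otp`, `login-password`) and the clock values are constructed assumptions.

```javascript
// Added example, not DOL code: one intent-scoped attempt lock parameterised for
// both baselines above (OTP 5 wrong -> 10 min, password 5 wrong -> 15 min).
// Identity keys, intent names and the clock value are constructed here.
const MINUTE_MS = 60 * 1000;

class AttemptLock {
  constructor(maxWrong, lockMs) {
    this.maxWrong = maxWrong; // failures allowed before the lock engages
    this.lockMs = lockMs;     // lock window length
    this.state = new Map();   // "identity|intent" -> { wrong, lockedUntil }
  }
  // Lock is scoped to (identity, intent): a signup-OTP lock never leaks into login-OTP.
  read(identity, intent, nowMs) {
    const key = `${identity}|${intent}`;
    let s = this.state.get(key) || { wrong: 0, lockedUntil: 0 };
    // Wrong-attempt counter resets to 0 once the lock window has expired.
    if (s.lockedUntil !== 0 && nowMs >= s.lockedUntil) s = { wrong: 0, lockedUntil: 0 };
    this.state.set(key, s);
    return s;
  }
  isLocked(identity, intent, nowMs) {
    return this.read(identity, intent, nowMs).lockedUntil > nowMs;
  }
  // Returns "ok", "wrong" or "locked". While locked the submitted value is not
  // evaluated at all, so retries cannot be unlimited even with the right code.
  attempt(identity, intent, isCorrect, nowMs) {
    const s = this.read(identity, intent, nowMs);
    if (s.lockedUntil > nowMs) return "locked";
    if (isCorrect) { s.wrong = 0; return "ok"; }
    s.wrong += 1;
    if (s.wrong < this.maxWrong) return "wrong";
    s.lockedUntil = nowMs + this.lockMs;
    return "locked";
  }
}

const otpLock = new AttemptLock(5, 10 * MINUTE_MS);      // signup/login OTP screens
const passwordLock = new AttemptLock(5, 15 * MINUTE_MS); // consecutive password failures

// Switching OTP channel inside the same intent is not an escape hatch while locked.
function canSwitchOtpChannel(identity, intent, nowMs) {
  return !otpLock.isLocked(identity, intent, nowMs);
}

// Password lock does not close the OTP unlock path: the two counters are independent.
function loginOptions(identity, nowMs) {
  return {
    password: !passwordLock.isLocked(identity, "login-password", nowMs),
    otp: !otpLock.isLocked(identity, "login-otp", nowMs),
  };
}
```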
  • Decisions: DEC-0011, DEC-0006, DEC-0034, DEC-0040, DEC-0043, DEC-0044, DEC-0050, DEC-0056, DEC-0057, DEC-0059, DEC-0060, DEC-0061, DEC-0062, DEC-0063, DEC-0064, DEC-0094