Domain Rules (Summary)
- User status FSM: unverified → verified; unverified → doomed; verified ↔ suspended; suspended → doomed; verified → doomed. Primary email must be verified + passcode set to reach verified. Doomed is terminal.
- Emails: inputs are canonicalized (trim + lowercase); last token wins; token TTL 48h; primary cannot be doomed; if primary becomes unverified, user becomes unverified. Doomed emails TTL 31d (auto delete).
- Passcodes: Argon2id (64 MiB, time cost 2, parallelism 2, hashLen 32). Min 8 chars with upper/lower/number/special. No reuse within 90 days.
- Payment methods: statuses pending → active ↔ suspended; any → doomed (token cleared). Ordering: active > pending > suspended > doomed. Default method follows ordering. Uniqueness on processor + token_type + token. Maintain status_history with reason and timestamp.
- Data model: DynamoDB uas_main, PK USER#<id>, SK varies (META, EMAIL#, PASSCODE, TOKEN, PM#, AUDIT#). GSIs: email uniqueness (GSI1), account_ref (GSI2), payment ordering (GSI3). PITR on; TTL on doomed emails and audits.
- Eventing/audit: Emit events to EventBridge uas-events; change logs to Firehose → S3 uas-changelog-<account>-<region> (1y). Events/stats include build metadata and context (actor/session/org/cc/user). Redact secrets/PII.
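
The user status FSM from the first rule, as an added example (not code from this project): a deny-by-default transition table with the verified guard and doomed as terminal. The `User` fields, `TransitionError` and the function names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Allowed user status transitions, exactly as listed in the summary.
# Anything not listed here is rejected (deny by default).
TRANSITIONS = {
    "unverified": {"verified", "doomed"},
    "verified": {"suspended", "doomed"},
    "suspended": {"verified", "doomed"},
    "doomed": set(),  # terminal: no way out
}


class TransitionError(ValueError):
    """Raised when a status change violates the FSM or its guard."""


@dataclass
class User:  # hypothetical shape, not the project's data model
    status: str = "unverified"
    primary_email_verified: bool = False
    passcode_set: bool = False


def transition(user: User, target: str) -> User:
    """Apply a status change, or raise without modifying the user."""
    allowed = TRANSITIONS.get(user.status)
    if allowed is None:
        raise TransitionError(f"unknown current status: {user.status!r}")
    if target not in allowed:
        raise TransitionError(f"{user.status} -> {target} is not allowed")
    # Guard: reaching verified (from unverified or suspended) requires a
    # verified primary email and a passcode.
    if target == "verified" and not (
        user.primary_email_verified and user.passcode_set
    ):
        raise TransitionError("verified requires verified primary email and passcode")
    user.status = target
    return user


def is_allowed(user: User, target: str) -> bool:
    """Dry-run check that leaves the real user untouched."""
    probe = User(user.status, user.primary_email_verified, user.passcode_set)
    try:
        transition(probe, target)
    except TransitionError:
        return False
    return True
```

Callers that change status through `transition` alone cannot skip the guard or revive a doomed user, and a rejected change leaves the stored status as it was.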