Signing in
ARGUS uses Firebase Authentication as its identity provider. Every sign-in method
resolves to a Firebase User, the session token auto-refreshes every hour, and routes
protected by the authGuard redirect to /login if the token disappears.
The sign-in screen
Open /. Unauthenticated, the authGuard sends you to /login. Default mode is
email + password:
- Email — autofill (autocomplete="username") enabled.
- Password — autocomplete="current-password". Enter to submit.
- Login button — on success you land back at /.
Below the form: a mode toggle to phone (SMS OTP, requires a phone-auth-enabled org) and
a capabilities panel (circular i, bottom-right).
Sign-in methods
Email and password
The default for every org. If you don’t have an account yet, an admin has to send you an invite — you can’t self-register on a fresh email.
Single sign-on (SSO)
On the Command or Sovereign plan, SSO is enabled at the org level (SAML / OIDC through Firebase). On success the user record is provisioned automatically and mapped to your assigned role.
Aspirational: the shipped login template exposes email + phone only. SSO-enabled orgs redirect straight to the IdP from their login subdomain.
Phone OTP
Toggle to phone mode, enter your number in E.164 format (e.g. +14155551234), clear the
reCAPTCHA, press Send OTP, then enter the 6-digit code and press Verify.
Magic-link invites
When an admin invites you, you get an email with a link like
https://app.argus.tactical/invite?token=<opaque>. Opening it validates the token, shows the
org + role being offered, and lets you sign in or register in one flow — see
Invites.
Forgot password
The shipped template does not currently include an inline “Forgot password” link (aspirational). Today an admin sends a password-reset email from Admin → Users → [user] → Send password reset. When the UI ships, it’ll be a standard Firebase reset flow.
Multi-org selection
If your account belongs to more than one org, ARGUS restores the last one you used
(persisted in localStorage under sar.activeOrg via OrgService.restoreActiveOrg()).
Switch from the avatar menu — click your avatar, the dropdown header shows the active
org and role badge, pick Switch organisation. Changing the active org reloads
permission-gated nav and the dashboard.
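One defensive way to do the restore described above, as an added example that is not ARGUS code: the value under sar.activeOrg is client-writable, so it is treated as a hint and checked against the memberships the server returns for the signed-in user. The storage stub, the membership shape and the fallback to the first membership are assumptions.

```javascript
// Added example, not ARGUS source. Only the key name "sar.activeOrg" is from the page.
const ACTIVE_ORG_KEY = 'sar.activeOrg';

// In-memory stand-in for window.localStorage so the example runs outside a browser.
function makeMemoryStorage(initial = {}) {
  const data = new Map(Object.entries(initial));
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(k, String(v)); },
    removeItem: (k) => { data.delete(k); },
  };
}

// Storage can throw (blocked, quota); a failure here must not break sign-in.
function safely(fn) {
  try { return fn(); } catch { return null; }
}

// memberships: [{ orgId, role }] for the signed-in user, as returned by the
// server (hypothetical shape). The stored id is only a hint for preselection.
function restoreActiveOrg(storage, memberships) {
  if (!Array.isArray(memberships) || memberships.length === 0) {
    safely(() => storage.removeItem(ACTIVE_ORG_KEY));
    return null; // auth succeeded, no org: the "No organisation" empty state
  }
  const stored = safely(() => storage.getItem(ACTIVE_ORG_KEY));
  const match = memberships.find((m) => m.orgId === stored);
  const active = match ?? memberships[0]; // assumed fallback: first membership
  if (!match) safely(() => storage.setItem(ACTIVE_ORG_KEY, active.orgId));
  // The role is read from the membership record, never from client storage.
  return { orgId: active.orgId, role: active.role };
}
```

Server-side authorization still has to check org membership on every request; this only keeps the client from displaying an org the user does not belong to.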
Session lifetime
- ID tokens refresh every 1 hour silently.
- The refresh token is a 24-hour rolling window — stay active and you stay signed in; close the tab for >24h and you’ll sign in again on next visit.
- Signing out from another device invalidates the refresh token everywhere.
Common errors
The login card shakes and shows a message. All come from Firebase Auth; operator text is intentionally vague where appropriate.
| Shown | Firebase code | Meaning |
|---|---|---|
| Wrong credentials. | auth/invalid-credential, auth/wrong-password, auth/user-not-found, auth/invalid-email | Email or password wrong. Same message for all four — we don’t leak which field failed. |
| Access denied. Contact your administrator. | auth/user-disabled | Account disabled. |
| Too many failed attempts. | auth/too-many-requests | Rate-limited. |
| Network error. | auth/network-request-failed | Can’t reach Firebase. |
| This sign-in method is not enabled. | auth/operation-not-allowed | Method off for your org. |
| Session expired. | auth/requires-recent-login | Re-authenticate. |
| Sign-in cancelled. | auth/popup-closed-by-user | Popup closed before finishing. |
In dev builds the raw code is shown under the friendly message; in prod it’s hidden.
“No organisation” is separate: auth succeeded but your user has no org membership, so you land on the dashboard with an empty state. Ask an admin to invite you.
Signing out
Click your avatar (top-right) → Sign out (bottom of the dropdown, in red). Sign-out calls
signOut() on the Firebase Auth instance, clears app state, navigates to /login, and hard
reloads the page (window.location.replace('/login')) to reset runtime state.