# Email Flow


```mermaid
sequenceDiagram
    autoNumber
    actor U as SIGit User
    participant W as SIGit Website
    participant D as DVM
    Participant DB as DataBase
    Note over W,D: All comms over <br> Nostr Relay
    U->>W: Click SIGNUP and enter <br>email address
    Note over W: Ephemeral key generated <br> to communicate with DVM
    W->>D: Request Account
    Note right of W: Event uses PoW and<br> encrypts only EMAIL<br> to DVM pubkey
    D -x DB: Verify PoW and check<br> if email exists
    Note over D: If email already exists, <br>send user to LOGIN.<br> Otherwise#58;
    D->>DB: Create Account
    Note over DB: Create entries#58;<br>#128274;user.id=uid()<br>user.email=lowcase(email())<br>user.verified=false<br>user.activated=false<br>user.entropy=""<br>user.pubkey=""<br>user.created_at=now()<br>user.bkp=""<br>#128274;session.pubkey="ephemeral pubkey"<br>session.user_id=user.id<br>session.email_code=INT (6 digits)<br>session.created_at=now()
    D->>U: Send session.email_code via email
    D->>W: Account created
    Note left of D: Payload is an empty string or<br> an encrypted (and detailed)<br> error message
    W->>U: Tell user to check email and<br>to open it in the <br> SAME BROWSER SESSION
    Note over W: Screen to accept the 6 digits <br> is already displayed<br>(mobile optimised if relevant)
    U->>W: User opens link or enters the code
    W->>D: Verify Account
    Note right of W: Event uses PoW and <br>encrypts only CODE<br> to DVM pubkey
    D -x DB: Check email_code where <br>session pk=event pk
    D->>DB: If code matches,<br>Update Account
    Note over DB: user.verified=true<br>user.entropy=uid()
    D->>W: Provide user.entropy
    Note left of D: Payload encrypted to ephemeral <br>pubkey. Is either a UID or a <br> detailed error message.
    W->>U: Ask for secure password
    Note right of U: This password is what prevents<br>backend from decrypting the nsec
    U->>W: Enter password (twice)

    Note over W: Nostr Keypair Generated <br> & Encrypted inside a <br> PRIVATE METHOD,<br>using password + entropy.<br> Password variable is not <br>stored, sent or printed <br> anywhere. Temporary <br>variables are destroyed.

    W->>D: Request account activation
    Note right of W: Event uses PoW and<br> encrypts both PUBKEY<br> and the already-<br>encrypted BACKUP<br> to the DVM pubkey
    D -x DB: Ensure event pubkey <br> in SESSION table
    D->>DB: Update Account
    Note over DB: user.activated=true <br>user.pubkey=$pubkey<br>user.bkp=$backup
    D->>W: Account activated
    Note left of D: Payload is an empty string or<br> an encrypted (and detailed)<br> error message
    W->>U: User is automatically logged in
    Note over W: Ephemeral key is destroyed<br>Default relay list applied
```