---
title: "Account Center"
type: entity
created: 2026-04-18
updated: 2026-04-18
sources: ["raw/notes/memory.md", "raw/articles/03-architecture.md", "raw/articles/07-sso.md"]
tags: [service, sso, auth, identity, account-center]
---

# Account Center

The Account Center is the central identity and authentication hub for all adult accounts on the [[Pickatale]] platform. It handles registration, login, session management, and SSO for every adult-facing surface: [[Teacher Portal]], parent portal, and school administrator views.

## Service Details

| Attribute | Value |
|---|---|
| Domain | account.readingtester.com |
| Code location | `/home/ubuntu/user-center/` |
| Database | `user_center` on shared MySQL |
| Session cookie | `uc_session` on `.readingtester.com` domain |
| CORS | Wildcard allow for `*.readingtester.com` |
| Status | ✅ Live — SSO integrated across all adult portals |

## Role Coverage

The Account Center manages identity for three adult roles:

| Role | Description |
|---|---|
| `teacher` | Licensed teachers managing one or more classes |
| `school_admin` | School-level administrators who can manage teacher accounts within their institution |
| `parent` | Parents linked to one or more student accounts via the [[Teacher Portal]] parent-claim flow |

**⚠️ Non-Negotiable (Sig):** Student accounts are **not** managed by the Account Center. Students authenticate directly through the [[Reader App]] using their username + 4-digit PIN. The Account Center is exclusively for adult (B2B) identities.

## SSO Flow

All adult portals delegate authentication to the Account Center rather than managing their own sessions. The flow is:

```mermaid
sequenceDiagram
    participant U as User (browser)
    participant TP as Teacher Portal
    participant AC as Account Center (account.readingtester.com)

    U->>TP: Visit teacher.readingtester.com
    TP->>U: Redirect → account.readingtester.com/login?redirect=teacher
    U->>AC: Submit credentials
    AC->>AC: Validate, create session
    AC->>U: Set uc_session cookie on .readingtester.com
    AC->>U: Redirect → teacher.readingtester.com
    TP->>AC: GET /api/auth/session (reads uc_session cookie)
    AC-->>TP: { user_id, role, school_id, ... }
    TP->>U: Authorized — serve dashboard
```

The `uc_session` cookie is scoped to the `.readingtester.com` domain, making it automatically available to all subdomains. Each service verifies the session by calling `GET /api/auth/session` against the Account Center on every protected request.

## Session Verification API

All services that need to authenticate an adult user call:

```http
GET https://account.readingtester.com/api/auth/session
Cookie: uc_session=<token>
```

Response (authenticated):
```json
{
  "user_id": "uuid",
  "email": "teacher@school.com",
  "role": "teacher",
  "school_id": "uuid",
  "display_name": "Ms Smith"
}
```

Response (unauthenticated):
```json
{ "error": "unauthorized" }
```

Services treat a non-2xx or `{ error }` response as unauthenticated and redirect to the Account Center login page.

## CORS Configuration

The Account Center allows CORS requests from any `*.readingtester.com` origin. This enables browser-side session checks from portal frontends without triggering CORS errors. The wildcard is intentional and scoped to the `readingtester.com` domain only — no external origins are permitted.
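As an added example (not code from the Account Center or any portal), the following Node.js snippet shows how a portal backend would apply the session-verification rule from the previous section and the `*.readingtester.com` origin rule from this one. The function names (`verifySession`, `isAllowedOrigin`, `parseSessionResponse`) and the injectable `fetchImpl` are my own; it assumes Node 18+ and treats the apex `readingtester.com` as outside the wildcard.

```javascript
// Added example, not Account Center code. Assumes Node 18+ (global fetch, URL).
// Endpoint, cookie name and domain scope are taken from this page.
const ACCOUNT_CENTER = "https://account.readingtester.com";
const SESSION_ENDPOINT = `${ACCOUNT_CENTER}/api/auth/session`;
const LOGIN_PAGE = `${ACCOUNT_CENTER}/login`;
const COOKIE_NAME = "uc_session";
const ALLOWED_SUFFIX = ".readingtester.com";

// Pull only the uc_session value out of a raw Cookie header; other cookies are not forwarded.
function extractSessionToken(cookieHeader) {
  if (!cookieHeader) return null;
  for (const part of cookieHeader.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name === COOKIE_NAME) return rest.join("=") || null;
  }
  return null;
}

// The page's rule: a non-2xx status, or a body carrying `error`, means unauthenticated.
// Returns the identity object ({ user_id, role, school_id, ... }) or null.
function parseSessionResponse(status, body) {
  if (status < 200 || status > 299) return null;
  if (!body || typeof body !== "object" || "error" in body) return null;
  if (typeof body.user_id !== "string" || typeof body.role !== "string") return null;
  return body;
}

// Strict form of the `*.readingtester.com` wildcard: https only, and the hostname must end
// with ".readingtester.com" at a label boundary, so "evilreadingtester.com" or
// "readingtester.com.example" never match (a plain substring check would let them through).
function isAllowedOrigin(origin) {
  let url;
  try { url = new URL(origin); } catch { return false; }
  if (url.protocol !== "https:") return false;
  const host = url.hostname.toLowerCase();
  return host.length > ALLOWED_SUFFIX.length && host.endsWith(ALLOWED_SUFFIX);
}

// Server-side session check: forward the cookie to the Account Center; on any failure the
// caller redirects to the login page with a `redirect` hint, as in the SSO flow above.
async function verifySession(cookieHeader, redirectHint, fetchImpl = fetch) {
  const token = extractSessionToken(cookieHeader);
  const loginUrl = `${LOGIN_PAGE}?redirect=${encodeURIComponent(redirectHint)}`;
  if (!token) return { user: null, redirectTo: loginUrl };
  const res = await fetchImpl(SESSION_ENDPOINT, { headers: { Cookie: `${COOKIE_NAME}=${token}` } });
  const body = await res.json().catch(() => null);
  const user = parseSessionResponse(res.status, body);
  return user ? { user, redirectTo: null } : { user: null, redirectTo: loginUrl };
}
```

Because the check is made per protected request, a suspension in the Account Center takes effect on the next request rather than at the next login.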

## Admin CLI

The Account Center does not expose a self-registration path for the first platform administrator. Bootstrapping the initial admin account requires SSH access to the server:

```bash
docker exec user-center-server node dist/cli/create-admin.js \
  --email admin@pickatale.com \
  --password <strong-password> \
  --role school_admin \
  --school-id <school-uuid>
```

**⚠️ Non-Negotiable (Sig):** This CLI command must only be run over SSH by authorized infrastructure administrators. It is never exposed via API or any web UI.

## Identity as the Source of Truth

All services in the platform write identity-linked data using the `user_id` issued by the Account Center as the foreign key. The Account Center is the authoritative source for:

- User email and display name
- Role assignment (`teacher` / `school_admin` / `parent`)
- School affiliation (`school_id`)
- Account status (active, suspended, pending verification)

When a `teacher` or `school_admin` is deleted or suspended in the Account Center, all dependent services (Teacher Portal, Curriculum Mapper) should treat the `user_id` as unauthorized on next session check.

## Related Pages

- [[entities/Teacher Portal]] — authenticates all teacher and school_admin sessions via Account Center
- [[concepts/user-flows/Teacher Flow]] — step-by-step teacher registration and login flow
- [[concepts/architecture/Service Map]] — shows Account Center in the platform service graph
- [[concepts/data-model/Core Tables]] — `users` table owned by Account Center
