From 90a2473fd047c9a54c1e5f274a2f43922367a140 Mon Sep 17 00:00:00 2001 From: Jakub Zych Date: Wed, 4 Feb 2026 16:15:54 +0100 Subject: [PATCH] docs(06): capture phase context Phase 06: Backend Authentication - Implementation decisions documented - Phase boundary established --- .../06-backend-authentication/06-CONTEXT.md | 67 +++++++++++++++++++ 1 file changed, 67 insertions(+) create mode 100644 .planning/phases/06-backend-authentication/06-CONTEXT.md diff --git a/.planning/phases/06-backend-authentication/06-CONTEXT.md b/.planning/phases/06-backend-authentication/06-CONTEXT.md new file mode 100644 index 0000000..9869638 --- /dev/null +++ b/.planning/phases/06-backend-authentication/06-CONTEXT.md 
@@ -0,0 +1,67 @@ +# Phase 6: Backend Authentication - Context + +**Gathered:** 2026-02-04 +**Status:** Ready for planning + + +## Phase Boundary + +Secure admin backend with user accounts and role-based access. Admin users can log in, manage sessions, reset passwords, and access is controlled through roles with plugin-registered permissions. Frontend user authentication is a separate phase (Core Plugins). + + + + +## Implementation Decisions + +### Login Experience +- Email/password authentication with optional TOTP 2FA +- Generic error messages only ("Invalid email or password") - no hints about which field is wrong +- Progressive lockout: 10 minutes after N failed attempts, 20 minutes after N*2, etc. +- "Remember me" checkbox extends session duration significantly (weeks/months) + +### Session Behavior +- Default session duration: 24 hours (without "Remember me") +- No idle timeout - sessions only expire at their set duration +- Unlimited concurrent sessions allowed per user +- Users can view list of all active sessions and revoke any individually + +### Password Reset Flow +- Password reset email includes context (IP address, location, request time) +- After successful reset, redirect to login page (no auto-login) +- All existing sessions terminated when password changes +- Link expiry duration: Claude's discretion (based on security best practices) + +### Permission Model +- WinterCMS-style plugin-registered permissions (e.g., `acme.plugin.model.update`, `acme.plugin.model.custom_action`) +- Flat role structure - no inheritance between roles +- Single role per user (not additive) +- Default role: Super Admin only (additional roles created manually) + +### Claude's Discretion +- Password reset link expiry duration +- Exact lockout timing thresholds (what counts as N attempts) +- 2FA implementation details (TOTP specifics, backup codes) +- Session management UI design +- Email template styling + + + + +## Specific Ideas + +- Permission system should work like 
WinterCMS - plugins register their own permissions that are easy to use through the system +- 2FA should be optional, not mandatory + + + + +## Deferred Ideas + +None - discussion stayed within phase scope + + + +--- + +*Phase: 06-backend-authentication* +*Context gathered: 2026-02-04*
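Review bot: the Login Experience list leaves the scope of the progressive lockout undefined, and that interacts with the generic-error-message decision in the same list: if "10 minutes after N failed attempts, 20 minutes after N*2" is counted per account, a locked-out response distinguishes existing admin emails from non-existing ones, which undoes "no hints about which field is wrong", and it also lets repeated bad guesses against a known admin email keep that account unusable. Suggest adding a line under Implementation Decisions (or next to the "Exact lockout timing thresholds" item under Claude's Discretion) stating whether the counter is per account, per source address, or both, and that the lockout response must be indistinguishable from an ordinary failed login. Two smaller gaps in the same file: "Default role: Super Admin only" together with "Single role per user" means every account created before additional roles exist is a Super Admin, which is worth recording explicitly as a known limitation in the Phase Boundary; and "All existing sessions terminated when password changes" appears only under Password Reset Flow, so Session Behavior should say whether long-lived "Remember me" sessions (weeks/months, no idle timeout) are also revoked on a password change made from the profile and on a 2FA enable/disable, and whether the revoked-session list from "Users can view list of all active sessions" is the mechanism used for that.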