docs(06): capture phase context
Phase 06: Backend Authentication - Implementation decisions documented - Phase boundary established
67
.planning/phases/06-backend-authentication/06-CONTEXT.md
Normal file
@@ -0,0 +1,67 @@
# Phase 6: Backend Authentication - Context
**Gathered:** 2026-02-04
**Status:** Ready for planning
<domain>
## Phase Boundary
Secure admin backend with user accounts and role-based access. Admin users can log in, manage sessions, reset passwords, and access is controlled through roles with plugin-registered permissions. Frontend user authentication is a separate phase (Core Plugins).
</domain>
<decisions>
## Implementation Decisions
### Login Experience
- Email/password authentication with optional TOTP 2FA
- Generic error messages only ("Invalid email or password") - no hints about which field is wrong
- Progressive lockout: 10 minutes after N failed attempts, 20 minutes after N*2, etc.
- "Remember me" checkbox extends session duration significantly (weeks/months)
### Session Behavior
- Default session duration: 24 hours (without "Remember me")
- No idle timeout - sessions only expire at their set duration
- Unlimited concurrent sessions allowed per user
- Users can view list of all active sessions and revoke any individually
### Password Reset Flow
- Password reset email includes context (IP address, location, request time)
- After successful reset, redirect to login page (no auto-login)
- All existing sessions terminated when password changes
- Link expiry duration: Claude's discretion (based on security best practices)
### Permission Model
- WinterCMS-style plugin-registered permissions (e.g., `acme.plugin.model.update`, `acme.plugin.model.custom_action`)
- Flat role structure - no inheritance between roles
- Single role per user (not additive)
- Default role: Super Admin only (additional roles created manually)
### Claude's Discretion
- Password reset link expiry duration
- Exact lockout timing thresholds (what counts as N attempts)
- 2FA implementation details (TOTP specifics, backup codes)
- Session management UI design
- Email template styling
</decisions>
<specifics>
## Specific Ideas
- Permission system should work like WinterCMS - plugins register their own permissions that are easy to use through the system
- 2FA should be optional, not mandatory
</specifics>
<deferred>
## Deferred Ideas
None - discussion stayed within phase scope
</deferred>
---
*Phase: 06-backend-authentication*
*Context gathered: 2026-02-04*
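Review bot: the "Progressive lockout" decision under "Login Experience" does not say what the lockout is keyed on (account, source address, or both), and that choice interacts with the "Generic error messages only" decision just above it: a per-account lockout that answers differently for a locked email than for an unknown one reveals which emails are valid accounts, and it also lets anyone who knows an admin's email keep that account locked. Suggest adding the key, and the requirement that a locked or unknown email gets the same "Invalid email or password" response, to the "Claude's Discretion" list beside "Exact lockout timing thresholds (what counts as N attempts)". Separately, "All existing sessions terminated when password changes" is the only invalidation trigger recorded; given "Unlimited concurrent sessions", "No idle timeout" and "Remember me" sessions lasting weeks or months, state whether disabling 2FA or changing a user's single role also terminates existing sessions, otherwise a stale role stays active for the session's full duration.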