# Phase 6: Backend Authentication - Context

**Gathered:** 2026-02-04
**Status:** Ready for planning

## Phase Boundary

Secure admin backend with user accounts and role-based access. Admin users can log in, manage their sessions and reset their passwords; access is controlled through roles built from plugin-registered permissions. Frontend user authentication is a separate phase (Core Plugins).

## Implementation Decisions

### Login Experience
- Email/password authentication with optional TOTP 2FA
- Generic error messages only ("Invalid email or password") - no hints about which field is wrong
- Progressive lockout: 10 minutes after N failed attempts, 20 minutes after 2N, and so on
- "Remember me" checkbox extends session duration significantly (weeks/months)

### Session Behavior
- Default session duration: 24 hours (without "Remember me")
- No idle timeout - sessions only expire at their set duration
- Unlimited concurrent sessions allowed per user
- Users can view a list of all their active sessions and revoke any of them individually

### Password Reset Flow
- Password reset email includes context (IP address, location, request time)
- After successful reset, redirect to login page (no auto-login)
- All existing sessions terminated when the password changes
- Link expiry duration: Claude's discretion (based on security best practices)

### Permission Model
- WinterCMS-style plugin-registered permissions (e.g., `acme.plugin.model.update`, `acme.plugin.model.custom_action`)
- Flat role structure - no inheritance between roles
- Single role per user (not additive)
- Default role: Super Admin only (additional roles created manually)

### Claude's Discretion
- Password reset link expiry duration
- Exact lockout timing thresholds (what counts as N attempts)
- 2FA implementation details (TOTP specifics, backup codes)
- Session management UI design
- Email template styling

## Specific Ideas

- Permission system should work like WinterCMS - plugins register their own permissions that are easy to use through the system
- 2FA should be optional, not mandatory

## Deferred Ideas

None - discussion stayed within phase scope

---
*Phase: 06-backend-authentication*
*Context gathered: 2026-02-04*
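The Login Experience decisions (generic errors, progressive lockout, optional TOTP) as an added worked example; this is not code from the project, which does not name its implementation language on this page, so Python is used to show the logic. Assumed, since the page leaves them to discretion: N = 5 failures per lockout step, the lock scales as 10 minutes × (failures ÷ N), attempts made while locked are not counted, and PBKDF2-HMAC-SHA256 stands in for whatever password hash the project picks. The `Account`, `LoginResult` and `attempt_login` names are hypothetical. Note that the locked state returns the same generic message as a bad password, and an unknown e-mail still runs a hash verification, so neither the text nor the response time reveals whether the address is registered.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed thresholds: the page leaves "N" and the exact timings to discretion.
ATTEMPTS_PER_STEP = 5            # N: failures before the first lockout
BASE_LOCKOUT_SECONDS = 10 * 60   # 10 min at N, 20 min at 2N, 30 min at 3N, ...
PBKDF2_ROUNDS = 100_000          # illustrative; tune for the target hardware
GENERIC_ERROR = "Invalid email or password"   # the one message for every failure path


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || PBKDF2-HMAC-SHA256(password) for storage."""
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


# Verified for unknown e-mails so the response time does not reveal account existence.
_DUMMY_HASH = hash_password("not-a-real-password")


@dataclass
class Account:
    email: str
    password_hash: bytes
    totp_enabled: bool = False   # 2FA is optional per user
    failed_attempts: int = 0
    locked_until: float = 0.0    # unix time; 0.0 means not locked


@dataclass
class LoginResult:
    ok: bool
    message: str
    needs_totp: bool = False     # caller prompts for the TOTP code before issuing a session


def lockout_seconds(failed_attempts: int) -> int:
    """Lock imposed when the counter reaches a multiple of N, growing linearly."""
    if failed_attempts == 0 or failed_attempts % ATTEMPTS_PER_STEP != 0:
        return 0
    return BASE_LOCKOUT_SECONDS * (failed_attempts // ATTEMPTS_PER_STEP)


def attempt_login(accounts: Dict[str, Account], email: str, password: str, now: float) -> LoginResult:
    account = accounts.get(email.strip().lower())
    if account is None:
        verify_password(password, _DUMMY_HASH)   # burn the same time as a real check
        return LoginResult(False, GENERIC_ERROR)
    if now < account.locked_until:
        # Locked: refuse without checking the password. Attempts during the lock
        # are not counted, and the message stays generic so the lock itself
        # does not confirm that the e-mail is registered.
        return LoginResult(False, GENERIC_ERROR)
    if not verify_password(password, account.password_hash):
        account.failed_attempts += 1
        wait = lockout_seconds(account.failed_attempts)
        if wait:
            account.locked_until = now + wait
        return LoginResult(False, GENERIC_ERROR)
    account.failed_attempts = 0      # a good login resets the progression
    account.locked_until = 0.0
    return LoginResult(True, "ok", needs_totp=account.totp_enabled)


if __name__ == "__main__":
    import time
    accounts = {"admin@example.com": Account("admin@example.com", hash_password("correct horse"))}
    for _ in range(ATTEMPTS_PER_STEP):
        attempt_login(accounts, "admin@example.com", "wrong", time.time())
    print("locked until", accounts["admin@example.com"].locked_until)
```

A successful password check returns `needs_totp=True` for accounts with 2FA enabled; the session is issued only after the TOTP step, which is outside this block.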
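The Session Behavior and Password Reset Flow decisions together, as an added example that is not the project's own code (Python chosen because the page does not name the project's language). From the page: 24-hour sessions, a longer "Remember me" lifetime, no idle timeout, unlimited concurrent sessions, a per-user list with individual revocation, a reset e-mail carrying IP, location and time, a redirect to the login page instead of auto-login, and termination of all sessions when the password changes. Assumed, since the page leaves them open: 30 days for "Remember me", a one-hour single-use reset link, and storing only a SHA-256 hash of each session or reset token so a database leak yields nothing usable. `SessionStore`, `PasswordReset` and the redirect paths are hypothetical names.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SESSION_SECONDS = 24 * 3600              # default, from the page
REMEMBER_ME_SECONDS = 30 * 24 * 3600     # assumed value for "weeks/months"
RESET_LINK_SECONDS = 60 * 60             # assumed: one hour, single use


def _hash_token(token: str) -> str:
    """Only the hash is stored; the raw token lives in the cookie or the e-mail link."""
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Session:
    token_hash: str
    user_id: int
    expires_at: float       # fixed at creation: no idle timeout, never extended
    ip: str
    user_agent: str
    revoked: bool = False


class SessionStore:
    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def create(self, user_id: int, ip: str, user_agent: str, now: float,
               remember_me: bool = False) -> str:
        token = secrets.token_urlsafe(32)
        ttl = REMEMBER_ME_SECONDS if remember_me else SESSION_SECONDS
        self.sessions[_hash_token(token)] = Session(_hash_token(token), user_id, now + ttl, ip, user_agent)
        return token

    def resolve(self, token: str, now: float) -> Optional[Session]:
        s = self.sessions.get(_hash_token(token))
        return None if s is None or s.revoked or now >= s.expires_at else s

    def list_active(self, user_id: int, now: float) -> List[Session]:
        """Backs the 'active sessions' page; there is no cap on concurrent sessions."""
        return [s for s in self.sessions.values()
                if s.user_id == user_id and not s.revoked and now < s.expires_at]

    def revoke(self, user_id: int, token_hash: str) -> bool:
        s = self.sessions.get(token_hash)
        if s is None or s.user_id != user_id:   # a user may only revoke their own sessions
            return False
        s.revoked = True
        return True

    def revoke_all(self, user_id: int) -> int:
        hits = [s for s in self.sessions.values() if s.user_id == user_id and not s.revoked]
        for s in hits:
            s.revoked = True
        return len(hits)


@dataclass
class ResetRequest:
    user_id: int
    expires_at: float
    used: bool = False


class PasswordReset:
    def __init__(self, sessions: SessionStore) -> None:
        self.sessions = sessions
        self.requests: Dict[str, ResetRequest] = {}
        self.password_hashes: Dict[int, bytes] = {}   # stand-in for the user table

    def request(self, user_id: int, ip: str, location: str, now: float) -> Tuple[str, str]:
        token = secrets.token_urlsafe(32)
        self.requests[_hash_token(token)] = ResetRequest(user_id, now + RESET_LINK_SECONDS)
        when = time.strftime("%Y-%m-%d %H:%M UTC", time.gmtime(now))
        body = (f"A password reset was requested from {ip} ({location}) at {when}. "
                f"The link expires in {RESET_LINK_SECONDS // 60} minutes. "
                "If this was not you, you can ignore this message.")
        return token, body               # token becomes part of the e-mailed link

    def complete(self, token: str, new_password: str, now: float) -> str:
        """Return the redirect target: '/login' on success, never an auto-login."""
        req = self.requests.get(_hash_token(token))
        if req is None or req.used or now >= req.expires_at:
            return "/password/reset/invalid"   # unknown, expired or already used
        req.used = True
        salt = secrets.token_bytes(16)
        self.password_hashes[req.user_id] = salt + hashlib.pbkdf2_hmac(
            "sha256", new_password.encode(), salt, 100_000)
        self.sessions.revoke_all(req.user_id)   # every existing session dies with the old password
        return "/login"
```

Because `expires_at` is set once and `resolve` never touches it, the "no idle timeout" rule is enforced by construction rather than by a separate check.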
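The Permission Model and the first Specific Idea (WinterCMS-style plugin-registered permissions) as an added example; this is not WinterCMS code nor the project's, and Python is used only because the page does not name the project's language. It keeps the page's rules: plugins register their own namespaced codes, roles are flat sets with no inheritance, each user holds exactly one role, and Super Admin is the only role that exists by default. Assumed design choices: a Super Admin flag that bypasses checks, denial for any code that no plugin registered, and validation at role-creation time so a misspelled code fails loudly instead of silently granting nothing. `PermissionRegistry`, `create_role` and `authorize` are hypothetical names, and the `acme.blog` codes are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List


class PermissionRegistry:
    """Plugins register their own codes, WinterCMS-style: `vendor.plugin.model.action`."""

    def __init__(self) -> None:
        self._labels: Dict[str, str] = {}

    def register(self, plugin: str, permissions: Dict[str, str]) -> None:
        for code, label in permissions.items():
            if not code.startswith(plugin + "."):
                raise ValueError(f"{code!r} must be namespaced under {plugin!r}")
            if code in self._labels:
                raise ValueError(f"permission {code!r} already registered")
            self._labels[code] = label

    def is_registered(self, code: str) -> bool:
        return code in self._labels

    def codes(self) -> List[str]:
        return sorted(self._labels)        # what the role editor would list


@dataclass(frozen=True)
class Role:
    name: str
    permissions: FrozenSet[str]      # flat set: no parent role, nothing inherited
    is_super_admin: bool = False     # assumed: bypasses checks entirely


SUPER_ADMIN = Role("Super Admin", frozenset(), is_super_admin=True)   # the only default role


@dataclass
class User:
    email: str
    role: Role                       # exactly one role per user, not additive


def create_role(registry: PermissionRegistry, name: str, codes: Iterable[str]) -> Role:
    """Roles may only reference registered codes, so typos fail here, not at check time."""
    codes = list(codes)
    unknown = sorted(c for c in codes if not registry.is_registered(c))
    if unknown:
        raise LookupError(f"unregistered permissions: {unknown}")
    return Role(name, frozenset(codes))


def has_permission(registry: PermissionRegistry, user: User, code: str) -> bool:
    if not registry.is_registered(code):
        return False                 # unknown code: deny, never implicitly grant
    if user.role.is_super_admin:
        return True
    return code in user.role.permissions   # exact match only, no wildcards


def authorize(registry: PermissionRegistry, user: User, code: str) -> None:
    """Guard for a controller action; raises instead of returning a bool."""
    if not has_permission(registry, user, code):
        raise PermissionError(f"{user.email} lacks {code}")


if __name__ == "__main__":
    reg = PermissionRegistry()
    reg.register("acme.blog", {"acme.blog.posts.update": "Edit posts",
                               "acme.blog.posts.publish": "Publish posts"})
    editor = create_role(reg, "Editor", ["acme.blog.posts.update"])
    print(has_permission(reg, User("ed@example.com", editor), "acme.blog.posts.publish"))
```

Because the registry is the single source of truth, a plugin that is later disabled can drop its codes and every role referencing them stops granting anything, which is the WinterCMS behaviour the page asks for.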