90a2473fd0
Phase 06: Backend Authentication - Implementation decisions documented - Phase boundary established
68 lines
2.2 KiB
Markdown
68 lines
2.2 KiB
Markdown
# Phase 6: Backend Authentication - Context
|
|
|
|
**Gathered:** 2026-02-04
|
|
**Status:** Ready for planning
|
|
|
|
<domain>
|
|
## Phase Boundary
|
|
|
|
Secure admin backend with user accounts and role-based access. Admin users can log in, manage sessions, reset passwords, and access is controlled through roles with plugin-registered permissions. Frontend user authentication is a separate phase (Core Plugins).
|
|
|
|
</domain>
|
|
|
|
<decisions>
|
|
## Implementation Decisions
|
|
|
|
### Login Experience
|
|
- Email/password authentication with optional TOTP 2FA
|
|
- Generic error messages only ("Invalid email or password") - no hints about which field is wrong
|
|
- Progressive lockout: 10 minutes after N failed attempts, 20 minutes after N*2, etc.
|
|
- "Remember me" checkbox extends session duration significantly (weeks/months)
|
|
|
|
### Session Behavior
|
|
- Default session duration: 24 hours (without "Remember me")
|
|
- No idle timeout - sessions only expire at their set duration
|
|
- Unlimited concurrent sessions allowed per user
|
|
- Users can view list of all active sessions and revoke any individually
|
|
|
|
### Password Reset Flow
|
|
- Password reset email includes context (IP address, location, request time)
|
|
- After successful reset, redirect to login page (no auto-login)
|
|
- All existing sessions terminated when password changes
|
|
- Link expiry duration: Claude's discretion (based on security best practices)
|
|
|
|
### Permission Model
|
|
- WinterCMS-style plugin-registered permissions (e.g., `acme.plugin.model.update`, `acme.plugin.model.custom_action`)
|
|
- Flat role structure - no inheritance between roles
|
|
- Single role per user (not additive)
|
|
- Default role: Super Admin only (additional roles created manually)
|
|
|
|
### Claude's Discretion
|
|
- Password reset link expiry duration
|
|
- Exact lockout timing thresholds (what counts as N attempts)
|
|
- 2FA implementation details (TOTP specifics, backup codes)
|
|
- Session management UI design
|
|
- Email template styling
|
|
|
|
</decisions>
|
|
|
|
<specifics>
|
|
## Specific Ideas
|
|
|
|
- Permission system should work like WinterCMS - plugins register their own permissions that are easy to use through the system
|
|
- 2FA should be optional, not mandatory
|
|
|
|
</specifics>
|
|
|
|
<deferred>
|
|
## Deferred Ideas
|
|
|
|
None - discussion stayed within phase scope
|
|
|
|
</deferred>
|
|
|
|
---
|
|
|
|
*Phase: 06-backend-authentication*
|
|
*Context gathered: 2026-02-04*
|