golem15/summercms-initial-research
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
5f2e7b87c996c1f535aadb5fabb60424fd371454
summercms-initial-research/.planning/phases/06-backend-authentication/06-CONTEXT.md
Jakub Zych 90a2473fd0 docs(06): capture phase context 
Phase 06: Backend Authentication
- Implementation decisions documented
- Phase boundary established
2026-02-04 16:15:54 +01:00

2.2 KiB
Raw Blame History

Phase 6: Backend Authentication - Context

Gathered: 2026-02-04 Status: Ready for planning

## Phase Boundary

Secure admin backend with user accounts and role-based access. Admin users can log in, manage sessions, reset passwords, and access is controlled through roles with plugin-registered permissions. Frontend user authentication is a separate phase (Core Plugins).

## Implementation Decisions

Login Experience

  • Email/password authentication with optional TOTP 2FA
  • Generic error messages only ("Invalid email or password") - no hints about which field is wrong
  • Progressive lockout: 10 minutes after N failed attempts, 20 minutes after N*2, etc.
  • "Remember me" checkbox extends session duration significantly (weeks/months)

Session Behavior

  • Default session duration: 24 hours (without "Remember me")
  • No idle timeout - sessions only expire at their set duration
  • Unlimited concurrent sessions allowed per user
  • Users can view list of all active sessions and revoke any individually

Password Reset Flow

  • Password reset email includes context (IP address, location, request time)
  • After successful reset, redirect to login page (no auto-login)
  • All existing sessions terminated when password changes
  • Link expiry duration: Claude's discretion (based on security best practices)

Permission Model

  • WinterCMS-style plugin-registered permissions (e.g., acme.plugin.model.update, acme.plugin.model.custom_action)
  • Flat role structure - no inheritance between roles
  • Single role per user (not additive)
  • Default role: Super Admin only (additional roles created manually)

Claude's Discretion

  • Password reset link expiry duration
  • Exact lockout timing thresholds (what counts as N attempts)
  • 2FA implementation details (TOTP specifics, backup codes)
  • Session management UI design
  • Email template styling
## Specific Ideas
  • Permission system should work like WinterCMS - plugins register their own permissions that are easy to use through the system
  • 2FA should be optional, not mandatory
## Deferred Ideas

None - discussion stayed within phase scope

Phase: 06-backend-authentication Context gathered: 2026-02-04

Reference in New Issue View Git Blame Copy Permalink