golem15/summercms-initial-research
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b05e85cd55988fd812c27e57dade9f1a16f3cca6
summercms-initial-research/.planning/phases/06-backend-authentication/06-CONTEXT.md
Jakub Zych 90a2473fd0 docs(06): capture phase context 
Phase 06: Backend Authentication
- Implementation decisions documented
- Phase boundary established
2026-02-04 16:15:54 +01:00

68 lines
2.2 KiB
Markdown
Raw Blame History

# Phase 6: Backend Authentication - Context
**Gathered:** 2026-02-04
**Status:** Ready for planning
<domain>
## Phase Boundary
Secure admin backend with user accounts and role-based access. Admin users can log in, manage sessions, reset passwords, and access is controlled through roles with plugin-registered permissions. Frontend user authentication is a separate phase (Core Plugins).
</domain>
<decisions>
## Implementation Decisions
### Login Experience
- Email/password authentication with optional TOTP 2FA
- Generic error messages only ("Invalid email or password") - no hints about which field is wrong
- Progressive lockout: 10 minutes after N failed attempts, 20 minutes after N*2, etc.
- "Remember me" checkbox extends session duration significantly (weeks/months)
### Session Behavior
- Default session duration: 24 hours (without "Remember me")
- No idle timeout - sessions only expire at their set duration
- Unlimited concurrent sessions allowed per user
- Users can view list of all active sessions and revoke any individually
### Password Reset Flow
- Password reset email includes context (IP address, location, request time)
- After successful reset, redirect to login page (no auto-login)
- All existing sessions terminated when password changes
- Link expiry duration: Claude's discretion (based on security best practices)
### Permission Model
- WinterCMS-style plugin-registered permissions (e.g., `acme.plugin.model.update`, `acme.plugin.model.custom_action`)
- Flat role structure - no inheritance between roles
- Single role per user (not additive)
- Default role: Super Admin only (additional roles created manually)
### Claude's Discretion
- Password reset link expiry duration
- Exact lockout timing thresholds (what counts as N attempts)
- 2FA implementation details (TOTP specifics, backup codes)
- Session management UI design
- Email template styling
</decisions>
<specifics>
## Specific Ideas
- Permission system should work like WinterCMS - plugins register their own permissions that are easy to use through the system
- 2FA should be optional, not mandatory
</specifics>
<deferred>
## Deferred Ideas
None - discussion stayed within phase scope
</deferred>
---
*Phase: 06-backend-authentication*
*Context gathered: 2026-02-04*
Reference in New Issue View Git Blame Copy Permalink