generated sotries
This commit is contained in:
@@ -0,0 +1,112 @@
|
||||
# Story 1.2: Authentication & Role System
|
||||
|
||||
## Epic Reference
|
||||
**Epic 1:** Core Foundation & Infrastructure
|
||||
|
||||
## User Story
|
||||
As an **admin**,
|
||||
I want **a secure authentication system with Admin/Client roles**,
|
||||
So that **only authorized users can access the platform with appropriate permissions**.
|
||||
|
||||
## Story Context
|
||||
|
||||
### Existing System Integration
|
||||
- **Integrates with:** Fortify authentication, users table
|
||||
- **Technology:** Laravel Fortify, Livewire Volt
|
||||
- **Follows pattern:** Existing `app/Actions/Fortify/` for custom logic
|
||||
- **Touch points:** FortifyServiceProvider, login views, middleware
|
||||
|
||||
## Acceptance Criteria
|
||||
|
||||
### Functional Requirements
|
||||
- [ ] Fortify configured with custom Volt views
|
||||
- [ ] Login page with bilingual support (Arabic/English)
|
||||
- [ ] Session timeout after 2 hours of inactivity
|
||||
- [ ] Rate limiting on login attempts (5 attempts per minute)
|
||||
- [ ] Admin role with full access to all features
|
||||
- [ ] Client role with restricted access (own data only)
|
||||
- [ ] Registration feature DISABLED (admin creates all accounts)
|
||||
|
||||
### Security Requirements
|
||||
- [ ] CSRF protection enabled on all forms
|
||||
- [ ] Password hashing using bcrypt
|
||||
- [ ] Gates/Policies for authorization checks
|
||||
- [ ] Secure session configuration
|
||||
- [ ] Remember me functionality (optional)
|
||||
|
||||
### Integration Requirements
|
||||
- [ ] Login redirects to appropriate dashboard (admin vs client)
|
||||
- [ ] Logout clears session properly
|
||||
- [ ] Middleware protects admin-only routes
|
||||
- [ ] Failed login attempts logged
|
||||
|
||||
### Quality Requirements
|
||||
- [ ] Login form validates inputs properly
|
||||
- [ ] Error messages are clear and bilingual
|
||||
- [ ] Tests cover authentication flow
|
||||
- [ ] No security vulnerabilities
|
||||
|
||||
## Technical Notes
|
||||
|
||||
### Fortify Configuration
|
||||
```php
|
||||
// config/fortify.php
|
||||
'features' => [
|
||||
// Features::registration(), // DISABLED
|
||||
Features::resetPasswords(),
|
||||
Features::emailVerification(),
|
||||
Features::updateProfileInformation(),
|
||||
Features::updatePasswords(),
|
||||
],
|
||||
```
|
||||
|
||||
### Custom Views Setup
|
||||
```php
|
||||
// FortifyServiceProvider boot()
|
||||
Fortify::loginView(fn () => view('auth.login'));
|
||||
// No registerView - registration disabled
|
||||
```
|
||||
|
||||
### Role Implementation
|
||||
- Use `user_type` column: 'admin', 'individual', 'company'
|
||||
- Admin check: `$user->user_type === 'admin'`
|
||||
- Client check: `in_array($user->user_type, ['individual', 'company'])`
|
||||
|
||||
### Gate Definitions
|
||||
```php
|
||||
// AuthServiceProvider or AppServiceProvider
|
||||
Gate::define('admin', fn (User $user) => $user->user_type === 'admin');
|
||||
Gate::define('client', fn (User $user) => $user->user_type !== 'admin');
|
||||
```
|
||||
|
||||
### Middleware
|
||||
- `auth` - Require authentication
|
||||
- `can:admin` - Require admin role
|
||||
- Custom middleware for session timeout if needed
|
||||
|
||||
## Definition of Done
|
||||
|
||||
- [ ] Login page renders correctly in both languages
|
||||
- [ ] Users can log in with valid credentials
|
||||
- [ ] Invalid credentials show proper error
|
||||
- [ ] Rate limiting prevents brute force
|
||||
- [ ] Session expires after 2 hours inactivity
|
||||
- [ ] Admin routes protected from clients
|
||||
- [ ] Tests pass for authentication flow
|
||||
- [ ] Code formatted with Pint
|
||||
|
||||
## Dependencies
|
||||
|
||||
- **Story 1.1:** Database schema (users table)
|
||||
- **Story 1.3:** Bilingual infrastructure (for login page translations)
|
||||
|
||||
## Risk Assessment
|
||||
|
||||
- **Primary Risk:** Security misconfiguration
|
||||
- **Mitigation:** Use Laravel's built-in security features, no custom auth logic
|
||||
- **Rollback:** Restore Fortify defaults
|
||||
|
||||
## Estimation
|
||||
|
||||
**Complexity:** Medium
|
||||
**Estimated Effort:** 3-4 hours
|
||||
Reference in New Issue
Block a user