# Story 1.2: Authentication & Role System

## Epic Reference

**Epic 1:** Core Foundation & Infrastructure

## User Story

As an **admin**,
I want **a secure authentication system with Admin/Client roles**,
So that **only authorized users can access the platform with appropriate permissions**.

## Story Context

### Existing System Integration

- **Integrates with:** Fortify authentication, users table
- **Technology:** Laravel Fortify, Livewire Volt
- **Follows pattern:** Existing `app/Actions/Fortify/` for custom logic
- **Touch points:** FortifyServiceProvider, login views, middleware

## Acceptance Criteria

### Functional Requirements

- [ ] Fortify configured with custom Volt views
- [ ] Login page with bilingual support (Arabic/English)
- [ ] Session timeout after 2 hours of inactivity
- [ ] Rate limiting on login attempts (5 attempts per minute, keyed on email + IP so one source IP cannot spray many accounts and one email cannot be locked out from a shared IP)
- [ ] Admin role with full access to all features
- [ ] Client role with restricted access (own data only)
- [ ] Registration feature DISABLED (admin creates all accounts)

### Security Requirements

- [ ] CSRF protection enabled on all forms (`@csrf` in Blade forms; Livewire/Volt includes the token automatically; `VerifyCsrfToken` stays in the `web` middleware group)
- [ ] Password hashing using bcrypt (Laravel's default `Hash` driver; plaintext passwords are never stored or logged)
- [ ] Gates/Policies for authorization checks
- [ ] Secure session configuration (`SESSION_SECURE_COOKIE=true`, `http_only` left on, `same_site=lax`, `SESSION_LIFETIME=120`)
- [ ] Remember me functionality (optional)

### Integration Requirements

- [ ] Login redirects to appropriate dashboard (admin vs client)
- [ ] Logout clears session properly (Fortify invalidates the session and regenerates the CSRF token on logout)
- [ ] Middleware protects admin-only routes
- [ ] Failed login attempts logged (identifier, IP, timestamp; never the submitted password)

### Quality Requirements

- [ ] Login form validates inputs properly
- [ ] Error messages are clear and bilingual
- [ ] Tests cover authentication flow
- [ ] No security vulnerabilities

## Technical Notes

### Fortify Configuration

```php
// config/fortify.php
'features' => [
    // Features::registration(), // DISABLED: admin creates all accounts
    Features::resetPasswords(),
    Features::emailVerification(),
    Features::updateProfileInformation(),
    Features::updatePasswords(),
],
```

### Custom Views Setup

```php
// FortifyServiceProvider boot()
Fortify::loginView(fn () => view('auth.login'));
// No registerView - registration disabled
```

### Role Implementation

- Use `user_type` column: 'admin', 'individual', 'company'
- Admin check: `$user->user_type === 'admin'`
- Client check: `in_array($user->user_type, ['individual', 'company'], true)`

### Gate Definitions

```php
// AuthServiceProvider or AppServiceProvider
Gate::define('admin', fn (User $user) => $user->user_type === 'admin');

// Allow-list the known client types rather than "not admin", so a user_type value
// added later (or an unexpected value) gets no client access until explicitly granted.
Gate::define('client', fn (User $user) => in_array($user->user_type, ['individual', 'company'], true));
```

### Middleware

- `auth` - Require authentication
- `can:admin` - Require admin role
- `can:client` - Require client role on client-only routes
- Session timeout: `SESSION_LIFETIME=120` (minutes of inactivity; Laravel's default) already satisfies the 2-hour requirement, so no custom middleware is needed unless a warning/extension UI is wanted

## Definition of Done

- [ ] Login page renders correctly in both languages
- [ ] Users can log in with valid credentials
- [ ] Invalid credentials show proper error
- [ ] Rate limiting prevents brute force
- [ ] Session expires after 2 hours inactivity
- [ ] Admin routes protected from clients
- [ ] Tests pass for authentication flow
- [ ] Code formatted with Pint

## Dependencies

- **Story 1.1:** Database schema (users table)
- **Story 1.3:** Bilingual infrastructure (for login page translations)

## Risk Assessment

- **Primary Risk:** Security misconfiguration
- **Mitigation:** Use Laravel's built-in security features, no custom auth logic
- **Rollback:** Restore Fortify defaults

## Estimation

**Complexity:** Medium
**Estimated Effort:** 3-4 hours
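The Technical Notes above list the pieces (custom login view, 5/minute rate limit, failed-login logging, role-aware redirect, gates) separately. The provider below is an added example, not code from the project, that puts them together in one `FortifyServiceProvider`. It uses only Fortify and Laravel APIs that exist as shown; the route names `admin.dashboard` and `client.dashboard` are assumptions for the example.

```php
<?php

namespace App\Providers;

use App\Models\User;
use Illuminate\Auth\Events\Failed;
use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Event;
use Illuminate\Support\Facades\Gate;
use Illuminate\Support\Facades\Log;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\ServiceProvider;
use Illuminate\Support\Str;
use Laravel\Fortify\Contracts\LoginResponse;
use Laravel\Fortify\Fortify;

class FortifyServiceProvider extends ServiceProvider
{
    public function register(): void
    {
        // Role-aware post-login redirect (AC: "Login redirects to appropriate dashboard").
        // Route names 'admin.dashboard' / 'client.dashboard' are assumptions for this example.
        $this->app->singleton(LoginResponse::class, fn () => new class implements LoginResponse {
            public function toResponse($request)
            {
                $target = $request->user()->user_type === 'admin'
                    ? route('admin.dashboard')
                    : route('client.dashboard');

                return $request->wantsJson()
                    ? response()->json(['two_factor' => false])
                    : redirect()->intended($target);
            }
        });
    }

    public function boot(): void
    {
        // Custom Volt login view. No registerView: registration is disabled.
        Fortify::loginView(fn () => view('auth.login'));

        // Fortify's POST /login route is wrapped in throttle:login, which resolves the
        // limiter named in config/fortify.php ('limiters.login'). Keying on lowercased
        // email + IP means one IP cannot spray many accounts unthrottled, and one email
        // cannot be locked out for everyone behind a shared NAT.
        RateLimiter::for('login', function (Request $request) {
            $throttleKey = Str::transliterate(
                Str::lower($request->input(Fortify::username())).'|'.$request->ip()
            );

            return Limit::perMinute(5)->by($throttleKey);
        });

        // AC: "Failed login attempts logged". The guard fires Failed on every bad attempt;
        // record who/where, never the submitted password.
        Event::listen(Failed::class, function (Failed $event) {
            Log::warning('Failed login attempt', [
                'guard'      => $event->guard,
                'email'      => $event->credentials[Fortify::username()] ?? null,
                'ip'         => request()->ip(),
                'user_agent' => request()->userAgent(),
            ]);
        });

        // Authorization gates. 'client' is an allow-list of known client types rather than
        // "not admin", so a user_type added later gets no access until explicitly granted.
        Gate::define('admin', fn (User $user) => $user->user_type === 'admin');
        Gate::define('client', fn (User $user) => in_array($user->user_type, ['individual', 'company'], true));
    }
}
```

Routes then need nothing beyond the middleware already listed, e.g. `Route::middleware(['auth', 'can:admin'])->prefix('admin')->name('admin.')->group(...)`; a client hitting an admin route gets a 403 from the gate, and an unauthenticated request is redirected to the `login` route Fortify registers.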
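The Definition of Done asks for tests that prove brute-force throttling, admin-route protection and the role-based redirect rather than asserting them by inspection. The Pest feature test below is an added example, not the project's own test suite. It assumes Pest is the test runner, a `User` factory that accepts `user_type` (Story 1.1), a named `admin.dashboard` route behind `auth` and `can:admin`, and a `LoginResponse` binding that sends admins to `admin.dashboard`; the constant `'password'` is the factory's default password.

```php
<?php

// tests/Feature/AuthenticationTest.php (added example; assumptions noted above)

use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;

uses(RefreshDatabase::class);

test('guest is redirected to login from an admin route', function () {
    $this->get(route('admin.dashboard'))
        ->assertRedirect(route('login'));
});

test('client is forbidden from admin routes', function () {
    $client = User::factory()->create(['user_type' => 'individual']);

    $this->actingAs($client)
        ->get(route('admin.dashboard'))
        ->assertForbidden(); // can:admin gate denies -> 403, not a redirect
});

test('admin lands on the admin dashboard after login', function () {
    $admin = User::factory()->create(['user_type' => 'admin']);

    $this->post(route('login'), [
        'email'    => $admin->email,
        'password' => 'password', // factory default; assumption for this example
    ])->assertRedirect(route('admin.dashboard'));

    $this->assertAuthenticatedAs($admin);
});

test('sixth failed login within a minute is throttled', function () {
    $user = User::factory()->create(['user_type' => 'individual']);
    $bad  = ['email' => $user->email, 'password' => 'wrong-password'];

    // Five attempts are allowed; each fails validation with an error on the email field.
    foreach (range(1, 5) as $attempt) {
        $this->post(route('login'), $bad)->assertSessionHasErrors('email');
    }

    // The throttle:login route middleware rejects the sixth request before Fortify
    // even checks credentials, so the user stays unauthenticated.
    $this->post(route('login'), $bad)->assertStatus(429);
    $this->assertGuest();
});

test('logout invalidates the session', function () {
    $user = User::factory()->create(['user_type' => 'company']);

    $this->actingAs($user)->post(route('logout'))->assertRedirect();
    $this->assertGuest();
});
```

Note that the throttle test relies on the rate limiter named `login` being registered in the service provider; without it Laravel throws "Rate limiter [login] is not defined" on the first POST, which is itself a useful guard against the limiter being silently removed.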