libra/docs/stories/story-1.2-authentication-ro...

Story 1.2: Authentication & Role System

Epic Reference

Epic 1: Core Foundation & Infrastructure

User Story

As an admin, I want a secure authentication system with Admin/Client roles, so that only authorized users can access the platform with appropriate permissions.

Story Context

Existing System Integration

  • Integrates with: Fortify authentication, users table
  • Technology: Laravel Fortify, Livewire Volt
  • Follows pattern: Existing app/Actions/Fortify/ for custom logic
  • Touch points: FortifyServiceProvider, login views, middleware

Acceptance Criteria

Functional Requirements

  • Fortify configured with custom Volt views
  • Login page with bilingual support (Arabic/English)
  • Session timeout after 2 hours of inactivity
  • Rate limiting on login attempts (5 attempts per minute)
  • Admin role with full access to all features
  • Client role with restricted access (own data only)
  • Registration feature DISABLED (admin creates all accounts)

Security Requirements

  • CSRF protection enabled on all forms
  • Password hashing using bcrypt
  • Gates/Policies for authorization checks
  • Secure session configuration
  • Remember me functionality (optional)

Integration Requirements

  • Login redirects to appropriate dashboard (admin vs client)
  • Logout clears session properly
  • Middleware protects admin-only routes
  • Failed login attempts logged

Quality Requirements

  • Login form validates inputs properly
  • Error messages are clear and bilingual
  • Tests cover authentication flow
  • No security vulnerabilities

Technical Notes

Fortify Configuration

// config/fortify.php
'features' => [
    // Features::registration(), // DISABLED
    Features::resetPasswords(),
    Features::emailVerification(),
    Features::updateProfileInformation(),
    Features::updatePasswords(),
],

Custom Views Setup

// FortifyServiceProvider boot()
Fortify::loginView(fn () => view('auth.login'));
// No registerView - registration disabled

Role Implementation

  • Use user_type column: 'admin', 'individual', 'company'
  • Admin check: $user->user_type === 'admin'
  • Client check: in_array($user->user_type, ['individual', 'company'])

Gate Definitions

// AuthServiceProvider or AppServiceProvider
use App\Models\User;
use Illuminate\Support\Facades\Gate;

Gate::define('admin', fn (User $user) => $user->user_type === 'admin');
// Client is an explicit allowlist matching the Role Implementation check above,
// so an unexpected user_type value is denied rather than treated as a client.
Gate::define('client', fn (User $user) => in_array($user->user_type, ['individual', 'company'], true));

Middleware

  • auth - Require authentication
  • can:admin - Require admin role
  • Custom middleware for session timeout if needed

Definition of Done

  • Login page renders correctly in both languages
  • Users can log in with valid credentials
  • Invalid credentials show proper error
  • Rate limiting prevents brute force
  • Session expires after 2 hours inactivity
  • Admin routes protected from clients
  • Tests pass for authentication flow
  • Code formatted with Pint

Dependencies

  • Story 1.1: Database schema (users table)
  • Story 1.3: Bilingual infrastructure (for login page translations)

Risk Assessment

  • Primary Risk: Security misconfiguration
  • Mitigation: Use Laravel's built-in security features, no custom auth logic
  • Rollback: Restore Fortify defaults

Estimation

Complexity: Medium
Estimated Effort: 3-4 hours