# Story 1.2: Authentication & Role System

## Epic Reference

**Epic 1:** Core Foundation & Infrastructure

## User Story

As an **admin**,

I want **a secure authentication system with Admin/Client roles**,

So that **only authorized users can access the platform with appropriate permissions**.

## Story Context

### Existing System Integration

- **Integrates with:** Fortify authentication, users table
- **Technology:** Laravel Fortify, Livewire Volt
- **Follows pattern:** Existing `app/Actions/Fortify/` for custom logic
- **Touch points:** FortifyServiceProvider, login views, middleware

## Acceptance Criteria

### Functional Requirements

- [ ] Fortify configured with custom Volt views
- [ ] Login page with bilingual support (Arabic/English)
- [ ] Session timeout after 2 hours of inactivity (`lifetime` in `config/session.php`; Laravel refreshes the expiry on every request, so this is an idle timeout, not an absolute one)
- [ ] Rate limiting on login attempts (5 attempts per minute, keyed on username + client IP as in Fortify's default `login` limiter)
- [ ] Admin role with full access to all features
- [ ] Client role with restricted access (own data only, enforced per record by policies, not only by route middleware)
- [ ] Registration feature DISABLED (admin creates all accounts; no `/register` route is published)

|
### Security Requirements
|
|
- [ ] CSRF protection enabled on all forms
|
|
- [ ] Password hashing using bcrypt
|
|
- [ ] Gates/Policies for authorization checks
|
|
- [ ] Secure session configuration
|
|
- [ ] Remember me functionality (optional)
|
|
|
|
### Integration Requirements
|
|
- [ ] Login redirects to appropriate dashboard (admin vs client)
|
|
- [ ] Logout clears session properly
|
|
- [ ] Middleware protects admin-only routes
|
|
- [ ] Failed login attempts logged
|
|
|
|
### Quality Requirements
|
|
- [ ] Login form validates inputs properly
|
|
- [ ] Error messages are clear and bilingual
|
|
- [ ] Tests cover authentication flow
|
|
- [ ] No security vulnerabilities
|
|
|
|
## Technical Notes

### Fortify Configuration

```php
// config/fortify.php
use Laravel\Fortify\Features;

'features' => [
    // Features::registration(), // DISABLED: admin creates all accounts
    Features::resetPasswords(),
    Features::emailVerification(), // requires User to implement MustVerifyEmail
    Features::updateProfileInformation(),
    Features::updatePasswords(),
],
```

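The 2-hour inactivity requirement and the "secure session configuration" criterion both live in `config/session.php`. The fragment below is an added example rather than the project's own file; the values are assumptions chosen to satisfy this story's criteria, and the stock keys not shown (`files`, `connection`, `table`, `store`, `lottery`, `path`, `domain`, `partitioned`) stay as Laravel publishes them.

```php
<?php
// config/session.php (fragment; added example, values are this story's assumptions)

return [
    // Store sessions server-side (database driver) so an idle session can be
    // garbage-collected and a logout can destroy it; cookie-only sessions cannot.
    'driver' => env('SESSION_DRIVER', 'database'),

    // Idle timeout in minutes. The cookie expiry is refreshed on every request and
    // stored sessions older than this are garbage-collected, so 120 means
    // "2 hours since the last request", not "2 hours since login".
    'lifetime' => env('SESSION_LIFETIME', 120),

    // Also end the session when the browser closes.
    'expire_on_close' => true,

    // Encrypt the serialized session payload at rest (defence in depth for the
    // sessions table).
    'encrypt' => true,

    // Send the cookie over HTTPS only. Production must not override this to
    // false; set SESSION_SECURE_COOKIE=false only in a local http:// environment.
    'secure' => env('SESSION_SECURE_COOKIE', true),

    // JavaScript cannot read the cookie, so an XSS bug cannot lift the session
    // id directly.
    'http_only' => true,

    // Cross-site POSTs do not carry the session cookie (CSRF defence in depth);
    // 'lax' still allows normal top-level navigation into the app.
    'same_site' => 'lax',

    // Distinct cookie name per environment so a staging cookie is never sent
    // to production and vice versa.
    'cookie' => env('SESSION_COOKIE', 'app_session'),
];
```

Laravel's stock `SESSION_LIFETIME` is already 120, so the requirement is met by default; the point of pinning it here is that a later `.env` change cannot silently extend it. With the database driver, make sure the `sessions` table migration from Story 1.1 is present and that `session:gc` runs (the `lottery` key controls this when no scheduler is used).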

### Custom Views Setup

```php
// app/Providers/FortifyServiceProvider.php, boot()
use Laravel\Fortify\Fortify;

Fortify::loginView(fn () => view('auth.login'));
// No registerView - registration disabled
```

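The view registration above is only one of the things this story needs from `FortifyServiceProvider`: the 5-per-minute login limiter, the role-based redirect after login and the failed-attempt logging all belong in the same provider. The provider below is an added example and not the project's own code. It assumes Blade wrapper views under `resources/views/auth/` that mount the Volt components, route names `admin.dashboard` and `client.dashboard`, and the `user_type` values given in this story; `config/fortify.php` must have `'limiters' => ['login' => 'login']` (Fortify's published default) for the limiter to be attached to `POST /login`.

```php
<?php
// app/Providers/FortifyServiceProvider.php (added example, not the project's provider)

namespace App\Providers;

use Illuminate\Auth\Events\Failed;
use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Event;
use Illuminate\Support\Facades\Log;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\ServiceProvider;
use Illuminate\Support\Str;
use Laravel\Fortify\Contracts\LoginResponse;
use Laravel\Fortify\Fortify;

class FortifyServiceProvider extends ServiceProvider
{
    public function register(): void
    {
        // Role-based post-login redirect. Fortify resolves this contract after a
        // successful login, so admins and clients land on different dashboards
        // instead of the single `fortify.home` path. Route names are assumptions.
        $this->app->instance(LoginResponse::class, new class implements LoginResponse {
            public function toResponse($request)
            {
                $target = $request->user()->user_type === 'admin'
                    ? route('admin.dashboard')
                    : route('client.dashboard');

                return $request->wantsJson()
                    ? response()->json(['two_factor' => false])
                    : redirect()->intended($target);
            }
        });
    }

    public function boot(): void
    {
        // Blade wrappers that mount the Volt components (assumed paths).
        // No registerView: registration is disabled, accounts are admin-created.
        Fortify::loginView(fn () => view('auth.login'));
        Fortify::requestPasswordResetLinkView(fn () => view('auth.forgot-password'));
        Fortify::resetPasswordView(fn (Request $request) => view('auth.reset-password', ['request' => $request]));

        // Brute-force control: 5 attempts per minute, keyed on username AND client
        // IP. Keying on the username alone would let an attacker lock a victim out
        // from many addresses; keying on IP alone would let one address spray many
        // accounts within the limit. Fortify attaches this as `throttle:login`.
        RateLimiter::for('login', function (Request $request) {
            $username = (string) $request->input(Fortify::username());
            $key = Str::transliterate(Str::lower($username)).'|'.$request->ip();

            return Limit::perMinute(5)->by($key);
        });

        // Log failed attempts with what an analyst needs to spot credential
        // stuffing or a password spray. The submitted password is never logged.
        Event::listen(Failed::class, function (Failed $event) {
            Log::warning('auth.login.failed', [
                'guard'    => $event->guard,
                'username' => $event->credentials[Fortify::username()] ?? null,
                'user_id'  => $event->user?->getAuthIdentifier(),
                'ip'       => request()->ip(),
                'ua'       => request()->userAgent(),
            ]);
        });
    }
}
```

`Failed` is fired by the session guard on every unsuccessful `attempt()`, so the listener also covers attempts that fail Fortify's own pipeline. If the project has a dedicated log channel for security events, swap `Log::warning` for `Log::channel(...)`; the payload stays the same.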

### Role Implementation

- Use `user_type` column: 'admin', 'individual', 'company'
- Admin check: `$user->user_type === 'admin'`
- Client check: `in_array($user->user_type, ['individual', 'company'], true)`
- Any other `user_type` value is neither admin nor client and must be denied (fail closed); constrain the column to these three values in the Story 1.1 schema


### Gate Definitions

```php
// AuthServiceProvider or AppServiceProvider, boot()
use App\Models\User;
use Illuminate\Support\Facades\Gate;

Gate::define('admin', fn (User $user) => $user->user_type === 'admin');
// Whitelist the client types instead of `!== 'admin'`: a row with an unexpected
// or empty user_type must fail closed rather than be treated as a client.
Gate::define('client', fn (User $user) => in_array($user->user_type, ['individual', 'company'], true));
```

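The gates above decide role membership, but "Client role with restricted access (own data only)" is a per-record decision that gates cannot make: it needs a policy plus a scoped query. The two files below are an added example, not the project's code. `Invoice`, with a `user_id` owner column, is a hypothetical client-owned model standing in for whatever Story 1.1 actually defines; the role checks reuse this story's `user_type` values.

```php
<?php
// Added example. Two files shown in sequence:
// app/Policies/InvoicePolicy.php and app/Http/Controllers/InvoiceController.php.
// `Invoice` (owner column `user_id`) is a hypothetical model for illustration.

namespace App\Policies;

use App\Models\Invoice;
use App\Models\User;

class InvoicePolicy
{
    public function viewAny(User $user): bool
    {
        // Admins and clients may open the list; the list query is scoped in
        // the controller, because viewAny never sees individual rows.
        return $this->isAdmin($user) || $this->isClient($user);
    }

    public function view(User $user, Invoice $invoice): bool
    {
        return $this->isAdmin($user) || $this->owns($user, $invoice);
    }

    public function update(User $user, Invoice $invoice): bool
    {
        return $this->isAdmin($user) || $this->owns($user, $invoice);
    }

    private function isAdmin(User $user): bool
    {
        return $user->user_type === 'admin';
    }

    private function isClient(User $user): bool
    {
        // Same whitelist as the `client` gate: unknown user_type values fail closed.
        return in_array($user->user_type, ['individual', 'company'], true);
    }

    private function owns(User $user, Invoice $invoice): bool
    {
        // Only a client can own a record, and a NULL owner matches nobody.
        return $this->isClient($user)
            && $invoice->user_id !== null
            && (int) $invoice->user_id === (int) $user->getKey();
    }
}

namespace App\Http\Controllers;

use App\Models\Invoice;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Gate;

// Laravel discovers App\Policies\InvoicePolicy for App\Models\Invoice by naming
// convention, so no Gate::policy() registration is needed.
class InvoiceController extends Controller
{
    public function index(Request $request)
    {
        Gate::authorize('viewAny', Invoice::class);

        // Authorizing the action is not enough for "own data only": the query
        // itself must be scoped, or a client is handed every client's rows.
        $invoices = Invoice::query()
            ->unless($request->user()->user_type === 'admin',
                fn ($q) => $q->where('user_id', $request->user()->getKey()))
            ->latest()
            ->paginate();

        return view('invoices.index', ['invoices' => $invoices]);
    }

    public function show(Invoice $invoice)
    {
        // Route-model binding loads any invoice by id; without this check a
        // client could walk /invoices/{id} and read other clients' data (IDOR).
        Gate::authorize('view', $invoice);

        return view('invoices.show', ['invoice' => $invoice]);
    }
}
```

`Gate::authorize` throws an `AuthorizationException` that Laravel renders as 403, which is the behaviour the Definition of Done expects for "Admin routes protected from clients" applied at the record level. Keeping the admin short-circuit inside the policy, rather than in a global `Gate::before`, means the `client` gate keeps meaning "is a client" and admins do not silently pass `can:client`.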

### Middleware

- `auth` - Require authentication (guests are redirected to the `login` route)
- `can:admin` - Require admin role (an authenticated client receives 403)
- `can:client` - Require client role on client-only routes; per-record ownership is still enforced by policies inside the controllers
- Custom middleware for session timeout is not needed for the idle timeout (`session.lifetime` already provides it); add one only if an absolute maximum session age is required on top

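The route file below shows how the `auth` and `can:*` middleware from the list above compose into the two protected areas. It is an added example and not the project's routes; the controller classes, URL prefixes and route names are assumptions, and Fortify publishes its own `/login`, `/logout`, `/forgot-password` and `/reset-password` routes, so none of those appear here.

```php
<?php
// routes/web.php (added example, not the project's routes)

use App\Http\Controllers\Admin\DashboardController as AdminDashboard;
use App\Http\Controllers\Client\DashboardController as ClientDashboard;
use Illuminate\Support\Facades\Route;

// Fortify registers /login, /logout, /forgot-password and /reset-password
// itself; with Features::registration() disabled, /register does not exist
// and answers 404 rather than needing a guard here.

// Admin area. `auth` runs first (guest -> redirect to the login route), then
// `can:admin` calls Gate::authorize('admin'), so a logged-in client gets 403.
// Add `verified` to the array if the emailVerification feature stays enabled.
Route::middleware(['auth', 'can:admin'])
    ->prefix('admin')
    ->name('admin.')
    ->group(function () {
        Route::get('/dashboard', AdminDashboard::class)->name('dashboard');
    });

// Client area. `can:client` admits only the whitelisted client types; which
// records a client may open is decided per record by policies in the
// controllers, not by this group.
Route::middleware(['auth', 'can:client'])
    ->name('client.')
    ->group(function () {
        Route::get('/dashboard', ClientDashboard::class)->name('dashboard');
    });
```

A quick check that nothing slipped out of a group is `php artisan route:list --except-vendor`, read column by column for any non-Fortify route that lacks `auth`.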
## Definition of Done

- [ ] Login page renders correctly in both languages
- [ ] Users can log in with valid credentials
- [ ] Invalid credentials show proper error
- [ ] Rate limiting prevents brute force
- [ ] Session expires after 2 hours inactivity
- [ ] Admin routes protected from clients
- [ ] Tests pass for authentication flow
- [ ] Code formatted with Pint

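Most of the checklist above can be asserted by a feature test rather than checked by hand. The test class below is an added example and not the project's suite. It assumes the stock `UserFactory` (password `password`), a `user_type` column, routes named `admin.dashboard` and `client.dashboard` with `/admin/dashboard` behind `auth` + `can:admin`, and Fortify's `login` limiter at 5 per minute. The session idle timeout is not covered here because it depends on the session store's garbage collection rather than on application code.

```php
<?php
// tests/Feature/AuthenticationTest.php (added example, not the project's tests)

namespace Tests\Feature;

use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class AuthenticationTest extends TestCase
{
    use RefreshDatabase;

    private function admin(): User
    {
        return User::factory()->create(['user_type' => 'admin']);
    }

    private function client(): User
    {
        return User::factory()->create(['user_type' => 'individual']);
    }

    public function test_admin_is_redirected_to_admin_dashboard(): void
    {
        $user = $this->admin();

        $this->post('/login', ['email' => $user->email, 'password' => 'password'])
            ->assertRedirect(route('admin.dashboard'));
        $this->assertAuthenticatedAs($user);
    }

    public function test_client_is_redirected_to_client_dashboard(): void
    {
        $user = $this->client();

        $this->post('/login', ['email' => $user->email, 'password' => 'password'])
            ->assertRedirect(route('client.dashboard'));
    }

    public function test_invalid_credentials_do_not_authenticate(): void
    {
        $user = $this->client();

        // Fortify reports the failure on the username field with a generic
        // message, so the response does not reveal whether the account exists.
        $this->from('/login')
            ->post('/login', ['email' => $user->email, 'password' => 'wrong'])
            ->assertRedirect('/login')
            ->assertSessionHasErrors('email');
        $this->assertGuest();
    }

    public function test_sixth_login_attempt_in_a_minute_is_throttled(): void
    {
        $user = $this->client();
        $bad = ['email' => $user->email, 'password' => 'wrong'];

        for ($i = 0; $i < 5; $i++) {
            $this->post('/login', $bad);
        }

        // ThrottleRequests answers 429 once the `login` limiter (5/min, keyed on
        // username|ip) is exhausted, even when the credentials are now correct.
        $this->post('/login', ['email' => $user->email, 'password' => 'password'])
            ->assertStatus(429);
        $this->assertGuest();
    }

    public function test_client_cannot_reach_admin_routes(): void
    {
        $this->actingAs($this->client())->get('/admin/dashboard')->assertForbidden();
    }

    public function test_guest_is_redirected_to_login(): void
    {
        $this->get('/admin/dashboard')->assertRedirect('/login');
    }

    public function test_registration_is_not_exposed(): void
    {
        // With Features::registration() disabled Fortify publishes no route.
        $this->get('/register')->assertNotFound();
        $this->post('/register', [])->assertNotFound();
    }

    public function test_logout_ends_the_session(): void
    {
        $this->actingAs($this->client())->post('/logout')->assertRedirect('/');
        $this->assertGuest();
    }
}
```

Laravel's `VerifyCsrfToken` middleware skips the token check while running unit tests, so these POSTs do not need a token; the CSRF requirement itself is verified by the middleware being present in the `web` group, not by this class.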
## Dependencies

- **Story 1.1:** Database schema (users table)
- **Story 1.3:** Bilingual infrastructure (for login page translations)

## Risk Assessment

- **Primary Risk:** Security misconfiguration
- **Mitigation:** Use Laravel's built-in security features, no custom auth logic
- **Rollback:** Restore Fortify defaults

## Estimation

**Complexity:** Medium

**Estimated Effort:** 3-4 hours