busya/ss-tools
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
cc244c2d866a66174695a171846f6c7b5208bbc9
ss-tools/specs/016-multi-user-auth/tasks.md
busya cc244c2d86 tasks ready
2026-01-27 13:26:06 +03:00

6.7 KiB
Raw Blame History

Tasks: Multi-User Authentication and Authorization

Feature Branch: 016-multi-user-auth Feature Spec: specs/016-multi-user-auth/spec.md Implementation Plan: specs/016-multi-user-auth/plan.md

Phase 1: Setup & Infrastructure (Blocking)

Goal: Initialize the auth database, core dependencies, and backend infrastructure.

  • T001 Install backend dependencies (Authlib, Passlib, PyJWT, SQLAlchemy) in backend/requirements.txt
  • T002 Implement core configuration for Auth and Database in backend/src/core/auth/config.py
  • T003 Implement database connection logic for auth.db in backend/src/core/database.py
  • T004 Create SQLAlchemy models for User, Role, Permission in backend/src/models/auth.py
  • T005 Create migration/init script to generate auth.db schema in backend/src/scripts/init_auth_db.py
  • T006 Implement password hashing utility using Passlib in backend/src/core/auth/security.py
  • T007 Implement JWT token generation and validation logic in backend/src/core/auth/jwt.py
  • T008 [P] Implement CLI tool for creating the initial admin user in backend/src/scripts/create_admin.py

Phase 2: User Story 1 - Local User Authentication (Priority: P1)

Goal: Enable users to log in with username/password and receive a JWT session.

  • T009 [US1] Create Pydantic schemas for User, UserCreate, Token in backend/src/schemas/auth.py
  • T010 [US1] Implement AuthRepository for DB operations in backend/src/core/auth/repository.py
  • T011 [US1] Implement AuthService for login logic (verify password, create token) in backend/src/services/auth_service.py
  • T012 [US1] Create API endpoint POST /api/auth/login in backend/src/api/auth.py
  • T013 [US1] Implement get_current_user dependency for JWT verification in backend/src/dependencies.py
  • T014 [US1] Create API endpoint GET /api/auth/me to retrieve current user profile in backend/src/api/auth.py
  • T043 [US1] Implement session revocation (Logout) endpoint in backend/src/api/auth.py
  • T044 [US1] Implement account status check (is_active) in authentication flow in backend/src/services/auth_service.py
  • T015 [US1] Implement frontend auth store (Svelte store) in frontend/src/lib/auth/store.ts
  • T016 [US1] Implement Login Page UI using src/lib/ui and src/lib/i18n in frontend/src/routes/login/+page.svelte
  • T017 [US1] Integrate Login Page with Backend API in frontend/src/routes/login/+page.svelte
  • T018 [US1] Implement ProtectedRoute component to redirect unauthenticated users in frontend/src/components/auth/ProtectedRoute.svelte
  • T037 [US1] Implement password complexity validation logic in backend/src/core/auth/security.py

Phase 3: User Story 2 - Plugin-Based Access Control (Priority: P1)

Goal: Restrict access to plugins based on user roles and permissions.

  • T019 [US2] Update PluginBase to include required permission strings in backend/src/core/plugin_base.py
  • T020 [US2] Implement has_permission dependency for route protection in backend/src/dependencies.py
  • T021 [US2] Protect existing plugin API routes using has_permission in backend/src/api/routes/*.py
  • T022 [US2] Implement SystemAdminPlugin inheriting from PluginBase for User/Role management in backend/src/plugins/system_admin.py
  • T023 [US2] Implement Admin API endpoints within SystemAdminPlugin (with pagination) in backend/src/api/routes/admin.py
  • T024 [US2] Create Admin Dashboard UI using src/lib/ui and src/lib/i18n in frontend/src/routes/admin/users/+page.svelte
  • T025 [US2] Update Navigation Bar to hide links and show user profile/logout using src/lib/ui in frontend/src/components/Navbar.svelte
  • T042 [US2] Implement PermissionGuard frontend component for granular UI element protection in frontend/src/components/auth/PermissionGuard.svelte
  • T045 [US2] Implement multi-role permission resolution logic (union of permissions) in backend/src/services/auth_service.py

Phase 4: User Story 3 - ADFS Integration (Priority: P2)

Goal: Enable corporate SSO login via ADFS and JIT provisioning.

  • T026 [US3] Configure Authlib for ADFS OIDC in backend/src/core/auth/oauth.py
  • T027 [US3] Create ADGroupMapping model in backend/src/models/auth.py and update DB init script
  • T028 [US3] Implement JIT provisioning logic (create user if maps to group) in backend/src/services/auth_service.py
  • T029 [US3] Create API endpoints GET /api/auth/login/adfs and GET /api/auth/callback/adfs in backend/src/api/auth.py
  • T030 [US3] Update Login Page to include "Login with ADFS" button using src/lib/ui in frontend/src/routes/login/+page.svelte
  • T031 [US3] Implement Admin UI for configuring AD Group Mappings in frontend/src/routes/admin/settings/+page.svelte
  • T041 [US3] Create ADFS mock provider for local testing and CI in backend/tests/auth/mock_adfs.py
  • T046 [US3] Implement token refresh logic for ADFS OIDC tokens in backend/src/core/auth/jwt.py

Phase 5: Polish & Security Hardening

Goal: Ensure security best practices and smooth UX.

  • T032 Ensure all cookies are set with HttpOnly and Secure flags in backend/src/api/auth.py
  • T033 Implement rate limiting and account lockout policy in backend/src/api/auth.py
  • T034 Verify error messages are generic (no username enumeration) across all auth endpoints
  • T035 Add "Session Expired" handling in frontend interceptor in frontend/src/lib/api/client.ts
  • T036 Final manual test of switching between Local and ADFS login flows
  • T040 Add confirmation dialogs for destructive admin actions using src/lib/ui in frontend/src/routes/admin/users/+page.svelte
  • T047 Implement audit logging for security events (login, logout, permission changes) in backend/src/core/auth/logger.py
  • T048 Perform UI accessibility audit (keyboard nav, ARIA alerts) for all auth components
  • T049 Implement unit and integration tests for Local Auth and RBAC in backend/tests/auth/
  • T050 Implement E2E tests for ADFS flow using mock provider in tests/e2e/auth.spec.ts

Dependencies

  1. Phase 1 must be completed before any User Stories.
  2. Phase 2 (Local Auth) is the foundation for authentication and session management.
  3. Phase 3 (RBAC) depends on Phase 2 (needs authenticated users to check permissions).
  4. Phase 4 (ADFS) depends on Phase 2 (uses same session mechanism) and Phase 3 (needs roles for JIT).

Implementation Strategy

  • MVP: Complete Phases 1 and 2. This gives a working auth system with local users.
  • Increment 1: Complete Phase 3. This adds the critical security controls (RBAC).
  • Increment 2: Complete Phase 4. This adds corporate SSO convenience.