# Phase 3: Authentication System **Status:** ⬜ Not Started **Parent plan:** [PLAN.md](./PLAN.md) **Domain:** fullstack ## Objective Implement the full local authentication flow: login, registration, session management with JWT + refresh tokens in HTTP-only cookies, auth middleware in hooks.server.ts, and guest mode support. ## Tasks - [ ] Task 1: Implement `src/lib/server/utils/jwt.ts` — sign, verify, refresh token generation - [ ] Task 2: Implement `src/lib/server/utils/password.ts` — bcrypt hash/compare - [ ] Task 3: Implement `src/hooks.server.ts` — auth middleware, session injection into `event.locals` - [ ] Task 4: Create `src/routes/login/+page.server.ts` — login form action (Superforms + Zod) - [ ] Task 5: Create `src/routes/login/+page.svelte` — login page UI - [ ] Task 6: Create `src/routes/register/+page.server.ts` — registration form action (respects admin toggle) - [ ] Task 7: Create `src/routes/register/+page.svelte` — registration page UI - [ ] Task 8: Create `src/routes/auth/refresh/+server.ts` — token refresh endpoint - [ ] Task 9: Create `src/routes/+layout.server.ts` — root layout load: inject user session - [ ] Task 10: Create `src/routes/+layout.svelte` — root layout shell (minimal, polished in Phase 7) - [ ] Task 11: Implement `src/lib/server/middleware/authenticate.ts` — reusable auth check helper - [ ] Task 12: Implement `src/lib/server/middleware/authorize.ts` — role-based access check - [ ] Task 13: Implement `src/lib/server/middleware/guestAccess.ts` — guest mode board visibility - [ ] Task 14: Create `src/routes/+page.svelte` — root page (redirect to default board or login) - [ ] Task 15: Create logout endpoint/action — invalidate refresh token, clear cookies ## Files to Modify/Create - `src/hooks.server.ts` — auth middleware - `src/lib/server/utils/jwt.ts` — JWT utilities - `src/lib/server/utils/password.ts` — password utilities - `src/lib/server/middleware/authenticate.ts` - `src/lib/server/middleware/authorize.ts` - `src/lib/server/middleware/guestAccess.ts` - `src/routes/login/+page.svelte` - `src/routes/login/+page.server.ts` - `src/routes/register/+page.svelte` - `src/routes/register/+page.server.ts` - `src/routes/auth/refresh/+server.ts` - `src/routes/+layout.server.ts` - `src/routes/+layout.svelte` - `src/routes/+page.svelte` - `src/app.d.ts` — augment `Locals` with user session type ## Acceptance Criteria - Users can register (when enabled) and log in with email/password - JWT access token + refresh token issued in HTTP-only cookies - `hooks.server.ts` validates tokens on every request and injects user into `event.locals` - Refresh token rotation works (old token invalidated) - Logout clears cookies and invalidates refresh token - Guest mode: unauthenticated users can access guest-accessible boards - Protected routes redirect to login - Form validation with Superforms + Zod shows errors inline ## Notes - Access token expiry: 15 minutes; Refresh token expiry: 7 days - Store refresh tokens in DB (User model) for server-side invalidation - OAuth is deferred to Phase 2 of the project (post-MVP) - Registration toggle is read from SystemSettings - ⚠️ Big Bang: login page will be functional but unstyled/minimal until Phase 7 ## Review Checklist - [ ] All tasks completed - [ ] Code follows project conventions - [ ] No unintended side effects - [ ] Build passes - [ ] Tests pass (new + existing) ## Handoff to Next Phase