alexei.dolgolyov/web-app-launcher
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity
Files
dc9bd3bba4f740c0197d1e5128058ca20429b4f4
web-app-launcher/plans/mvp-web-app-launcher/phase-3-authentication.md
T

3.5 KiB
Raw Blame History

Phase 3: Authentication System

Status: Not Started Parent plan: PLAN.md Domain: fullstack

Objective

Implement the full local authentication flow: login, registration, session management with JWT + refresh tokens in HTTP-only cookies, auth middleware in hooks.server.ts, and guest mode support.

Tasks

  • Task 1: Implement src/lib/server/utils/jwt.ts — sign, verify, refresh token generation
  • Task 2: Implement src/lib/server/utils/password.ts — bcrypt hash/compare
  • Task 3: Implement src/hooks.server.ts — auth middleware, session injection into event.locals
  • Task 4: Create src/routes/login/+page.server.ts — login form action (Superforms + Zod)
  • Task 5: Create src/routes/login/+page.svelte — login page UI
  • Task 6: Create src/routes/register/+page.server.ts — registration form action (respects admin toggle)
  • Task 7: Create src/routes/register/+page.svelte — registration page UI
  • Task 8: Create src/routes/auth/refresh/+server.ts — token refresh endpoint
  • Task 9: Create src/routes/+layout.server.ts — root layout load: inject user session
  • Task 10: Create src/routes/+layout.svelte — root layout shell (minimal, polished in Phase 7)
  • Task 11: Implement src/lib/server/middleware/authenticate.ts — reusable auth check helper
  • Task 12: Implement src/lib/server/middleware/authorize.ts — role-based access check
  • Task 13: Implement src/lib/server/middleware/guestAccess.ts — guest mode board visibility
  • Task 14: Create src/routes/+page.svelte — root page (redirect to default board or login)
  • Task 15: Create logout endpoint/action — invalidate refresh token, clear cookies

Files to Modify/Create

  • src/hooks.server.ts — auth middleware
  • src/lib/server/utils/jwt.ts — JWT utilities
  • src/lib/server/utils/password.ts — password utilities
  • src/lib/server/middleware/authenticate.ts
  • src/lib/server/middleware/authorize.ts
  • src/lib/server/middleware/guestAccess.ts
  • src/routes/login/+page.svelte
  • src/routes/login/+page.server.ts
  • src/routes/register/+page.svelte
  • src/routes/register/+page.server.ts
  • src/routes/auth/refresh/+server.ts
  • src/routes/+layout.server.ts
  • src/routes/+layout.svelte
  • src/routes/+page.svelte
  • src/app.d.ts — augment Locals with user session type

Acceptance Criteria

  • Users can register (when enabled) and log in with email/password
  • JWT access token + refresh token issued in HTTP-only cookies
  • hooks.server.ts validates tokens on every request and injects user into event.locals
  • Refresh token rotation works (old token invalidated)
  • Logout clears cookies and invalidates refresh token
  • Guest mode: unauthenticated users can access guest-accessible boards
  • Protected routes redirect to login
  • Form validation with Superforms + Zod shows errors inline

Notes

  • Access token expiry: 15 minutes; Refresh token expiry: 7 days
  • Store refresh tokens in DB (User model) for server-side invalidation
  • OAuth is deferred to Phase 2 of the project (post-MVP)
  • Registration toggle is read from SystemSettings
  • ⚠️ Big Bang: login page will be functional but unstyled/minimal until Phase 7

Review Checklist

  • All tasks completed
  • Code follows project conventions
  • No unintended side effects
  • Build passes
  • Tests pass (new + existing)

Handoff to Next Phase

Reference in New Issue View Git Blame Copy Permalink