docs(02): create phase 2 plan — Users & Authentication
5 plans across 5 waves covering AUTH-01..08, SEC-01..03/05..07, ADMIN-01..05/07. Includes security hardening (Origin validation, per-account rate limiting, TOTP replay prevention, refresh token family revocation with security alert), TOTP + backup code login, and admin panel frontend.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
+26
-4
@@ -1,6 +1,6 @@
# DocuVault — v1 Roadmap
_Last updated: 2026-05-21_
_Last updated: 2026-05-22_
## Phases
@@ -48,7 +48,29 @@ _Last updated: 2026-05-21_
4. A user can trigger "sign out all devices" from account settings; all other active sessions are immediately invalidated and any reuse of a rotated refresh token revokes the entire token family
5. An admin user can create, deactivate, and reset a user account, and assign an AI provider and model to that user; attempting to access document content via an admin JWT returns 403
**Plans**: TBD
**Plans**: 5 plans
**Wave 1** — Foundation
- [ ] 02-01-PLAN.md — Auth service layer (Argon2, JWT, refresh tokens, TOTP, backup codes, HIBP, security alert), FastAPI deps, BackupCode model + password_must_change migration
**Wave 2** *(blocked on Wave 1 completion)*
- [ ] 02-02-PLAN.md — Register/login (TOTP + backup code paths) + refresh/logout/change-password endpoints + CSP/Origin validation/rate-limit (IP + per-account) + Vue auth store + router guard + Login/Register views
**Wave 3** *(blocked on Wave 2 completion)*
- [ ] 02-03-PLAN.md — TOTP enrollment + backup codes + password reset + sign-out-all endpoints + AccountView + TotpEnrollment + BackupCodesDisplay + PasswordReset views
**Wave 4** *(blocked on Wave 3 completion)*
- [ ] 02-04-PLAN.md — Admin backend: user CRUD, quota, AI config endpoints with get_current_admin enforced + tests
**Wave 5** *(blocked on Wave 4 completion)*
- [ ] 02-05-PLAN.md — Admin panel frontend: AdminView + three tab components + AppSidebar admin link and user identity footer
**Cross-cutting constraints:**
- JWT access token in Pinia memory only — never localStorage (Plans 02, 03, 05)
- Refresh token httpOnly SameSite=Strict cookie on all token issuance (Plans 02, 03)
- Admin endpoints never return document content or credentials_enc (Plans 04, 05)
- All auth endpoints rate-limited per-IP and per-account (Plans 02, 03)
**UI hint**: yes
---
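Review bot: the Wave 1 line (02-01-PLAN.md) lists a BackupCode model and a password_must_change migration but no persistence for refresh-token families or for the last-accepted TOTP time step, yet success criterion 4 in this hunk requires that reuse of a rotated refresh token revoke the entire family, and the commit message promises TOTP replay prevention; both need server-side state, so name the model/migration in 02-01 (for example a refresh-token family table keyed by family id with a revoked flag, and a last-used TOTP step column on the user) before Wave 2 builds the login and refresh endpoints on top of it. Separately, the cross-cutting constraint "Refresh token httpOnly SameSite=Strict cookie on all token issuance" does not mention the Secure attribute or a Path scoped to the refresh endpoint; adding both keeps the refresh token off plain HTTP and off every request that is not a refresh.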
@@ -110,8 +132,8 @@ _Last updated: 2026-05-21_
| Phase | Plans Complete | Status | Completed |
|-------|----------------|--------|-----------|
| 1. Infrastructure Foundation | 4/5 | In Progress | - |
| 2. Users & Authentication | 0/? | Not started | - |
| 1. Infrastructure Foundation | 5/5 | Complete | 2026-05-22 |
| 2. Users & Authentication | 0/5 | Planned | - |
| 3. Document Migration & Multi-User Isolation | 0/? | Not started | - |
| 4. Folders, Sharing, Quotas & Document UX | 0/? | Not started | - |
| 5. Cloud Storage Backends | 0/? | Not started | - |
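Review bot: the updated Phase 2 row sets its status to "Planned", a value no other row in the table uses (the others are Not started, In Progress, Complete); if the Status column is meant to be a fixed vocabulary, either add Planned where the roadmap defines its statuses or keep Not started until a plan is executed, so the column stays consistent for filtering.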