Local user authentication #11

Closed
opened 2026-06-12 20:27:26 +00:00 by james · 0 comments

Scope

  • Sign-up + sign-in for username/email + password.
  • Password hashing: argon2id with reasonable parameters.
  • Session storage server-side (the cookie holds a session ID, never user data).
  • Sign-out clears the session.
  • Rate-limit sign-in attempts per account and per IP.
  • An instance hosts multiple users. The PR must decide and document the registration policy:
    • open — anyone can register (recommended default for v0)
    • invite-only — registration requires a single-use invite code generated by an existing user
    • admin-approval — registrations land in a pending state until an admin approves
      Pick one as the default and make the policy configurable (env var or admin setting). The first registered user is the instance admin.

Acceptance criteria

  • A new install lets the first user register, sign in, and reach an authorized endpoint.
  • A second user can register on the same instance under the chosen policy and reach the same flow, with their own session.
  • User A's session never authenticates as User B; session IDs are unguessable.
  • Passwords are never logged or returned by any API. CI grep check catches accidents.
  • Tests cover: register, login success, login failure, session expiry, sign-out, rate-limit kicking in, and isolation between two registered users.

Part of epic #1. Depends on #8, #10.
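As an added example (not the project's code), the sketch below shows the session and rate-limit requirements from the scope and acceptance criteria in one in-memory store: opaque random session IDs with server-side expiry, sign-out that invalidates the ID, per-account and per-IP failure counting, the open registration policy with the first user as admin, and a constant-time password check. The TTL and attempt limits are assumed values, and scrypt stands in for the argon2id the issue requires (argon2-cffi's `PasswordHasher` would replace `hash_password`/`verify_password`); the clock is passed in so expiry and the rate window can be tested deterministically.

```python
import hashlib, hmac, secrets

SESSION_TTL = 3600   # seconds until a session expires (assumed value)
MAX_ATTEMPTS, WINDOW = 5, 300  # failed sign-ins per account/IP per window (assumed)

def hash_password(password, salt=None):
    # Stand-in KDF: the issue requires argon2id (e.g. argon2-cffi's PasswordHasher);
    # scrypt is used here only so the example runs on the standard library.
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt.hex() + "$" + digest.hex()

def verify_password(password, stored):
    salt = bytes.fromhex(stored.split("$", 1)[0])
    return hmac.compare_digest(hash_password(password, salt), stored)  # constant time

class AuthStore:
    def __init__(self):
        self.users = {}     # username -> {"hash": str, "admin": bool}
        self.sessions = {}  # opaque session id -> (username, expires_at)
        self.attempts = {}  # ("acct"|"ip", key) -> [failure timestamps]
    def register(self, username, password):
        if username in self.users:
            return False
        # Open policy (the issue's recommended v0 default); the first user is admin.
        self.users[username] = {"hash": hash_password(password), "admin": not self.users}
        return True
    def _limited(self, key, now):
        recent = [t for t in self.attempts.get(key, []) if now - t < WINDOW]
        self.attempts[key] = recent          # sliding window: prune old failures
        return len(recent) >= MAX_ATTEMPTS
    def login(self, username, password, ip, now):
        keys = (("acct", username), ("ip", ip))
        if any(self._limited(k, now) for k in keys):
            return None                      # rate limit hit: same answer as a bad password
        user = self.users.get(username)
        if user is None or not verify_password(password, user["hash"]):
            for k in keys:
                self.attempts.setdefault(k, []).append(now)
            return None
        sid = secrets.token_urlsafe(32)      # 256 bits from the OS CSPRNG: unguessable
        self.sessions[sid] = (username, now + SESSION_TTL)
        return sid                           # only this id goes in the cookie
    def current_user(self, sid, now):
        username, expires = self.sessions.get(sid, (None, 0))
        if username is None or now >= expires:
            self.sessions.pop(sid, None)     # expired sessions are dropped on lookup
            return None
        return username
    def logout(self, sid):
        self.sessions.pop(sid, None)         # sign-out invalidates the id server-side
```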

james closed this issue 2026-06-14 00:05:51 +00:00