ContextQMD
Back to Forgecode

Add User Authentication System

.forge/skills/create-plan/references/example-plan.md

2.12.106.8 KB
Original Source

Add User Authentication System

Objective

Implement a secure user authentication system with JWT-based token management, password hashing, and session handling. The system should support user registration, login, logout, and token refresh capabilities while maintaining security best practices.

Implementation Plan

  • 1. Set up authentication dependencies and configuration

    • Add JWT library (e.g., jsonwebtoken) and bcrypt for password hashing
    • Configure environment variables for JWT secrets and token expiration
    • Rationale: Establishes foundation for secure authentication
    • Dependencies: None - this is the first step

  • 2. Create user model and database schema

    • Define User entity with fields: id, email, password_hash, created_at, updated_at
    • Add unique constraint on email field
    • Create database migration for users table
    • Rationale: Provides data structure for storing user credentials
    • Dependencies: Database connection must be configured

  • 3. Implement password hashing service

    • Create service to hash passwords using bcrypt with appropriate salt rounds
    • Add password verification function
    • Include unit tests for hashing and verification
    • Rationale: Ensures passwords are never stored in plain text
    • Dependencies: User model must exist

  • 4. Build JWT token generation and validation

    • Create service to generate JWT tokens with user claims
    • Implement token verification and decoding logic
    • Add refresh token functionality with longer expiration
    • Rationale: Enables stateless authentication and session management
    • Dependencies: User model and environment configuration

  • 5. Create authentication endpoints

    • POST /auth/register - User registration with email/password
    • POST /auth/login - User login returning access and refresh tokens
    • POST /auth/logout - Invalidate user session
    • POST /auth/refresh - Generate new access token from refresh token
    • Rationale: Provides API interface for authentication operations
    • Dependencies: All services from previous steps

  • 6. Implement authentication middleware

    • Create middleware to validate JWT tokens on protected routes
    • Extract user information from valid tokens
    • Return 401 for invalid or expired tokens
    • Rationale: Protects routes requiring authentication
    • Dependencies: JWT validation service

  • 7. Add rate limiting for authentication endpoints

    • Implement rate limiting on login and registration endpoints
    • Configure appropriate limits (e.g., 5 attempts per 15 minutes)
    • Rationale: Prevents brute force attacks
    • Dependencies: Authentication endpoints must exist

  • 8. Write integration tests for authentication flow

    • Test complete registration → login → access protected route flow
    • Test token refresh mechanism
    • Test error cases (invalid credentials, expired tokens)
    • Rationale: Ensures entire authentication system works correctly
    • Dependencies: All implementation steps complete

Verification Criteria

  • User can successfully register with valid email and password
  • User can login and receive valid JWT tokens
  • Protected routes return 401 for unauthenticated requests
  • Protected routes allow access with valid JWT token
  • Tokens expire after configured duration
  • Refresh tokens can generate new access tokens
  • Passwords are hashed and never stored in plain text
  • Rate limiting prevents excessive authentication attempts
  • All unit and integration tests pass
  • Security audit shows no critical vulnerabilities

Potential Risks and Mitigations

  1. Token Secret Exposure

    • Impact: If JWT secret is exposed, attackers can forge valid tokens
    • Likelihood: Medium
    • Mitigation: Store secrets in environment variables, never commit to repository, rotate secrets periodically
    • Contingency: Implement secret rotation mechanism and token revocation list

  2. Weak Password Policy

    • Impact: Users choose weak passwords that are easily compromised
    • Likelihood: High
    • Mitigation: Enforce minimum password requirements (length, complexity), implement password strength meter
    • Contingency: Add option to require password reset for weak passwords

  3. Session Hijacking

    • Impact: Attacker steals valid token and impersonates user
    • Likelihood: Medium
    • Mitigation: Use HTTPS only, implement short token expiration, add IP address validation
    • Contingency: Implement token revocation and force logout capability

  4. Brute Force Attacks

    • Impact: Attacker attempts many password combinations to gain access
    • Likelihood: High
    • Mitigation: Implement rate limiting, add CAPTCHA after failed attempts, temporary account lockout
    • Contingency: Monitor failed login attempts and alert on suspicious patterns

Alternative Approaches

  1. Session-Based Authentication

    • Description: Use traditional server-side sessions with cookies instead of JWT
    • Pros: Easier to invalidate sessions, better for server-rendered applications, no token size limitations
    • Cons: Requires session storage (Redis/database), harder to scale horizontally, not suitable for APIs consumed by multiple clients
    • Recommendation: Not chosen - JWT better suits stateless API architecture

  2. OAuth 2.0 / Third-Party Authentication

    • Description: Use OAuth providers (Google, GitHub) for authentication instead of custom system
    • Pros: No password management, better security through established providers, easier for users
    • Cons: Dependency on external services, requires API keys and setup, limited control over authentication flow
    • Recommendation: Consider as future enhancement alongside custom authentication

  3. Passwordless Authentication

    • Description: Use magic links or OTP sent via email/SMS instead of passwords
    • Pros: No password management, simpler user experience, eliminates weak password risk
    • Cons: Requires reliable email/SMS delivery, slower authentication flow, potential cost for SMS
    • Recommendation: Consider as alternative authentication method in future iteration

Assumptions

  • Application already has database connection configured
  • HTTPS/TLS is configured at infrastructure level
  • Email service is available for potential password reset features
  • Frontend application exists to consume authentication endpoints
  • Environment variable management system is in place

Dependencies

  • Database system (PostgreSQL, MySQL, or similar)
  • JWT library compatible with the programming language
  • Password hashing library (bcrypt or argon2)
  • HTTP server framework with middleware support
  • Environment configuration system

Notes

  • Consider implementing password reset functionality in a follow-up iteration
  • May want to add two-factor authentication (2FA) as security enhancement
  • Monitor token expiration times and adjust based on usage patterns
  • Plan for token revocation strategy if needed for security incidents