feat: implement user authentication module

- Backend (FastAPI):
  - External API authentication (pj-auth-api.vercel.app)
  - JWT token validation with Redis session storage
  - RBAC with department isolation
  - User, Role, Department models with pjctrl_ prefix
  - Alembic migrations with project-specific version table
  - Complete test coverage (13 tests)

- Frontend (React + Vite):
  - AuthContext for state management
  - Login page with error handling
  - Protected route component
  - Dashboard with user info display

- OpenSpec:
  - 7 capability specs defined
  - add-user-auth change archived

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

backend/app/api/auth/__init__.py

@@ -0,0 +1,3 @@
+from app.api.auth import router
+
+__all__ = ["router"]

backend/app/api/auth/router.py

@@ -0,0 +1,127 @@
+from fastapi import APIRouter, Depends, HTTPException, status
+from sqlalchemy.orm import Session
+
+from app.core.database import get_db
+from app.core.security import create_access_token, create_token_payload
+from app.core.redis import get_redis
+from app.models.user import User
+from app.schemas.auth import LoginRequest, LoginResponse, UserInfo
+from app.services.auth_client import (
+    verify_credentials,
+    AuthAPIError,
+    AuthAPIConnectionError,
+)
+from app.middleware.auth import get_current_user
+
+router = APIRouter()
+
+
+@router.post("/login", response_model=LoginResponse)
+async def login(
+    request: LoginRequest,
+    db: Session = Depends(get_db),
+    redis_client=Depends(get_redis),
+):
+    """
+    Authenticate user via external API and return JWT token.
+    """
+    try:
+        # Verify credentials with external API
+        auth_result = await verify_credentials(request.email, request.password)
+    except AuthAPIConnectionError:
+        raise HTTPException(
+            status_code=status.HTTP_503_SERVICE_UNAVAILABLE,
+            detail="Authentication service temporarily unavailable",
+        )
+    except AuthAPIError as e:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Invalid credentials",
+        )
+
+    # Find or create user in local database
+    user = db.query(User).filter(User.email == request.email).first()
+
+    if not user:
+        # Create new user based on auth API response
+        user = User(
+            email=request.email,
+            name=auth_result.get("name", request.email.split("@")[0]),
+            is_active=True,
+        )
+        db.add(user)
+        db.commit()
+        db.refresh(user)
+
+    if not user.is_active:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="User account is disabled",
+        )
+
+    # Get role name
+    role_name = user.role.name if user.role else None
+
+    # Create token payload
+    token_data = create_token_payload(
+        user_id=user.id,
+        email=user.email,
+        role=role_name,
+        department_id=user.department_id,
+        is_system_admin=user.is_system_admin,
+    )
+
+    # Create access token
+    access_token = create_access_token(token_data)
+
+    # Store session in Redis
+    redis_client.setex(
+        f"session:{user.id}",
+        900,  # 15 minutes
+        access_token,
+    )
+
+    return LoginResponse(
+        access_token=access_token,
+        user=UserInfo(
+            id=user.id,
+            email=user.email,
+            name=user.name,
+            role=role_name,
+            department_id=user.department_id,
+            is_system_admin=user.is_system_admin,
+        ),
+    )
+
+
+@router.post("/logout")
+async def logout(
+    current_user: User = Depends(get_current_user),
+    redis_client=Depends(get_redis),
+):
+    """
+    Logout user and invalidate session.
+    """
+    # Remove session from Redis
+    redis_client.delete(f"session:{current_user.id}")
+
+    return {"message": "Successfully logged out"}
+
+
+@router.get("/me", response_model=UserInfo)
+async def get_current_user_info(
+    current_user: User = Depends(get_current_user),
+):
+    """
+    Get current authenticated user information.
+    """
+    role_name = current_user.role.name if current_user.role else None
+
+    return UserInfo(
+        id=current_user.id,
+        email=current_user.email,
+        name=current_user.name,
+        role=role_name,
+        department_id=current_user.department_id,
+        is_system_admin=current_user.is_system_admin,
+    )

backend/app/api/departments/__init__.py

@@ -0,0 +1,3 @@
+from app.api.departments import router
+
+__all__ = ["router"]

backend/app/api/departments/router.py

@@ -0,0 +1,152 @@
+from fastapi import APIRouter, Depends, HTTPException, status
+from sqlalchemy.orm import Session
+from typing import List
+
+from app.core.database import get_db
+from app.models.department import Department
+from app.models.user import User
+from app.schemas.department import DepartmentCreate, DepartmentUpdate, DepartmentResponse
+from app.middleware.auth import require_permission, require_system_admin
+
+router = APIRouter()
+
+
+@router.get("", response_model=List[DepartmentResponse])
+async def list_departments(
+    skip: int = 0,
+    limit: int = 100,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(require_permission("users.read")),
+):
+    """
+    List all departments.
+    """
+    departments = db.query(Department).offset(skip).limit(limit).all()
+    return departments
+
+
+@router.get("/{department_id}", response_model=DepartmentResponse)
+async def get_department(
+    department_id: str,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(require_permission("users.read")),
+):
+    """
+    Get a specific department by ID.
+    """
+    department = db.query(Department).filter(Department.id == department_id).first()
+    if not department:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Department not found",
+        )
+    return department
+
+
+@router.post("", response_model=DepartmentResponse, status_code=status.HTTP_201_CREATED)
+async def create_department(
+    department_data: DepartmentCreate,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(require_system_admin),
+):
+    """
+    Create a new department. Requires system admin.
+    """
+    # Check if parent exists if specified
+    if department_data.parent_id:
+        parent = db.query(Department).filter(
+            Department.id == department_data.parent_id
+        ).first()
+        if not parent:
+            raise HTTPException(
+                status_code=status.HTTP_404_NOT_FOUND,
+                detail="Parent department not found",
+            )
+
+    department = Department(**department_data.model_dump())
+    db.add(department)
+    db.commit()
+    db.refresh(department)
+    return department
+
+
+@router.patch("/{department_id}", response_model=DepartmentResponse)
+async def update_department(
+    department_id: str,
+    department_update: DepartmentUpdate,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(require_system_admin),
+):
+    """
+    Update a department. Requires system admin.
+    """
+    department = db.query(Department).filter(Department.id == department_id).first()
+    if not department:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Department not found",
+        )
+
+    # Check if new parent exists if specified
+    update_data = department_update.model_dump(exclude_unset=True)
+    if "parent_id" in update_data and update_data["parent_id"]:
+        # Prevent circular reference
+        if update_data["parent_id"] == department_id:
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail="Department cannot be its own parent",
+            )
+
+        parent = db.query(Department).filter(
+            Department.id == update_data["parent_id"]
+        ).first()
+        if not parent:
+            raise HTTPException(
+                status_code=status.HTTP_404_NOT_FOUND,
+                detail="Parent department not found",
+            )
+
+    for field, value in update_data.items():
+        setattr(department, field, value)
+
+    db.commit()
+    db.refresh(department)
+    return department
+
+
+@router.delete("/{department_id}", status_code=status.HTTP_204_NO_CONTENT)
+async def delete_department(
+    department_id: str,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(require_system_admin),
+):
+    """
+    Delete a department. Requires system admin.
+    """
+    department = db.query(Department).filter(Department.id == department_id).first()
+    if not department:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Department not found",
+        )
+
+    # Check if department has users
+    user_count = db.query(User).filter(User.department_id == department_id).count()
+    if user_count > 0:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail=f"Cannot delete department with {user_count} users",
+        )
+
+    # Check if department has children
+    child_count = db.query(Department).filter(
+        Department.parent_id == department_id
+    ).count()
+    if child_count > 0:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail=f"Cannot delete department with {child_count} child departments",
+        )
+
+    db.delete(department)
+    db.commit()

backend/app/api/users/__init__.py

@@ -0,0 +1,3 @@
+from app.api.users import router
+
+__all__ = ["router"]

backend/app/api/users/router.py

@@ -0,0 +1,148 @@
+from fastapi import APIRouter, Depends, HTTPException, status
+from sqlalchemy.orm import Session
+from typing import List
+
+from app.core.database import get_db
+from app.models.user import User
+from app.models.role import Role
+from app.schemas.user import UserResponse, UserUpdate
+from app.middleware.auth import (
+    get_current_user,
+    require_permission,
+    require_system_admin,
+    check_department_access,
+)
+
+router = APIRouter()
+
+
+@router.get("", response_model=List[UserResponse])
+async def list_users(
+    skip: int = 0,
+    limit: int = 100,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(require_permission("users.read")),
+):
+    """
+    List all users. Filtered by department if not system admin.
+    """
+    query = db.query(User)
+
+    # Filter by department if not system admin
+    if not current_user.is_system_admin and current_user.department_id:
+        query = query.filter(User.department_id == current_user.department_id)
+
+    users = query.offset(skip).limit(limit).all()
+    return users
+
+
+@router.get("/{user_id}", response_model=UserResponse)
+async def get_user(
+    user_id: str,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(require_permission("users.read")),
+):
+    """
+    Get a specific user by ID.
+    """
+    user = db.query(User).filter(User.id == user_id).first()
+    if not user:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="User not found",
+        )
+
+    # Check department access
+    if not check_department_access(current_user, user.department_id):
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Access denied to this user",
+        )
+
+    return user
+
+
+@router.patch("/{user_id}", response_model=UserResponse)
+async def update_user(
+    user_id: str,
+    user_update: UserUpdate,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(require_permission("users.write")),
+):
+    """
+    Update user information.
+    """
+    user = db.query(User).filter(User.id == user_id).first()
+    if not user:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="User not found",
+        )
+
+    # Check department access
+    if not check_department_access(current_user, user.department_id):
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Access denied to this user",
+        )
+
+    # Prevent modification of system admin properties by non-system-admins
+    if user.is_system_admin and not current_user.is_system_admin:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Cannot modify system administrator",
+        )
+
+    # Update fields
+    update_data = user_update.model_dump(exclude_unset=True)
+    for field, value in update_data.items():
+        setattr(user, field, value)
+
+    db.commit()
+    db.refresh(user)
+    return user
+
+
+@router.patch("/{user_id}/role", response_model=UserResponse)
+async def assign_role(
+    user_id: str,
+    role_id: str,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(require_system_admin),
+):
+    """
+    Assign a role to a user. Requires system admin.
+    """
+    user = db.query(User).filter(User.id == user_id).first()
+    if not user:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="User not found",
+        )
+
+    # Prevent modification of system admin
+    if user.is_system_admin:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Cannot modify system administrator role",
+        )
+
+    # Verify role exists
+    role = db.query(Role).filter(Role.id == role_id).first()
+    if not role:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Role not found",
+        )
+
+    # Prevent assigning system role to non-system-admin
+    if role.is_system_role:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Cannot assign system role",
+        )
+
+    user.role_id = role_id
+    db.commit()
+    db.refresh(user)
+    return user