Complete implementation of the production line incident response system (生產線異常即時反應系統) including:

Backend (FastAPI):
- User authentication with AD integration and session management
- Chat room management (create, list, update, members, roles)
- Real-time messaging via WebSocket (typing indicators, reactions)
- File storage with MinIO (upload, download, image preview)

Frontend (React + Vite):
- Authentication flow with token management
- Room list with filtering, search, and pagination
- Real-time chat interface with WebSocket
- File upload with drag-and-drop and image preview
- Member management and room settings
- Breadcrumb navigation
- 53 unit tests (Vitest)

Specifications:
- authentication: AD auth, sessions, JWT tokens
- chat-room: rooms, members, templates
- realtime-messaging: WebSocket, messages, reactions
- file-storage: MinIO integration, file management
- frontend-core: React SPA structure

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
31 lines
2.0 KiB
Markdown
# Change: Add User Authentication with Auto-Refresh Session Management

## Why

The system needs authenticated users so that participants in incident chat rooms can be identified and an audit trail kept. Credentials are validated against the existing Panjit AD authentication API (https://pj-auth-api.vercel.app/), but the session lifecycle is managed locally to avoid frequent re-logins: AD API tokens have a limited validity period, while users should stay logged in for as long as they keep using the system within a 3-day window.

## What Changes

- Implement a standalone `auth` module with clear API boundaries so other features can reuse it
- Implement a FastAPI login endpoint that validates credentials via the AD API
- Generate our own internal session tokens, separate from the AD tokens
- Store each user's AD password encrypted so the AD token can be refreshed without re-prompting. The encryption has to be reversible (the password is replayed to AD, so it cannot be hashed), which makes the ciphertext only as safe as the key: keep the key outside the database (environment or secret store) and delete the row, and with it the encrypted password, on logout or forced logout
- Auto-refresh AD tokens before expiry while the user is active (max 3 attempts)
- Implement a 3-day inactivity timeout (`last_activity` tracking)
- Store session data in PostgreSQL with `username`, `display_name`, `internal_token`, `ad_token`, `encrypted_password`, `token_expires_at`, `refresh_attempt_count`, `last_activity`
- Provide middleware that auto-refreshes expired AD tokens on protected routes
- Force logout when auto-refresh fails 3 consecutive times (e.g., the password was changed in AD)
- Expose the user identity for use in chat room messages

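How the session rules above fit together, as an added example that is not the project's `SessionService`: an in-memory store, a stub AD client and a controllable clock stand in for PostgreSQL, the AD API and real time. The 5-minute refresh margin, keeping a session alive after a failed refresh that is still below the limit, and the plain encode/decode placeholder for `EncryptionService` are assumptions, not decisions taken from the proposal.

```python
"""Session lifecycle for the proposed `auth` module: an internal session token separate
from the AD token, AD token auto-refresh using the stored password, a 3-day inactivity
timeout and a forced logout after 3 consecutive failed refreshes. Added example with an
in-memory store and a stub AD client; not the project's own code."""
from __future__ import annotations

import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

INACTIVITY_LIMIT = timedelta(days=3)
MAX_REFRESH_ATTEMPTS = 3
REFRESH_LEAD = timedelta(minutes=5)  # assumed margin before expiry; the proposal gives none


@dataclass
class UserSession:  # in-memory mirror of the proposed user_sessions row
    username: str
    display_name: str
    internal_token: str
    ad_token: str
    encrypted_password: bytes
    token_expires_at: datetime
    last_activity: datetime
    refresh_attempt_count: int = 0


class ADAuthError(Exception):
    """Raised when the AD API rejects the credentials."""


class FakeClock:
    """Controllable clock so the expiry and 3-day rules can be exercised offline."""
    def __init__(self) -> None:
        self.now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    def advance(self, days: int = 0, hours: int = 0, minutes: int = 0) -> None:
        self.now += timedelta(days=days, hours=hours, minutes=minutes)
    def __call__(self) -> datetime:
        return self.now


class StubAD:
    """Constructed stand-in for ADAuthService: one valid password, 60-minute tokens."""
    def __init__(self, password: str, clock: FakeClock) -> None:
        self.password, self.clock, self.calls = password, clock, 0
    def login(self, username: str, password: str) -> tuple[str, str, datetime]:
        self.calls += 1
        if password != self.password:
            raise ADAuthError("invalid credentials")
        return f"ad-{username}-{self.calls}", username.title(), self.clock() + timedelta(minutes=60)


class SessionService:
    """encrypt/decrypt are the EncryptionService hooks; callers may pass plain
    str.encode/bytes.decode as a placeholder for a demo, never in deployment."""
    def __init__(self, ad_login: Callable[[str, str], tuple[str, str, datetime]],
                 encrypt: Callable[[str], bytes], decrypt: Callable[[bytes], str],
                 now: Callable[[], datetime]) -> None:
        self.ad_login, self.encrypt, self.decrypt, self.now = ad_login, encrypt, decrypt, now
        self.sessions: dict[str, UserSession] = {}

    def login(self, username: str, password: str) -> UserSession:
        """/api/auth/login: validate via AD, then mint our own internal token."""
        ad_token, display_name, expires_at = self.ad_login(username, password)  # raises ADAuthError
        session = UserSession(username, display_name, secrets.token_urlsafe(32), ad_token,
                              self.encrypt(password), expires_at, self.now())
        self.sessions[session.internal_token] = session
        return session

    def logout(self, internal_token: str) -> None:
        """/api/auth/logout and forced logout: drop the row, and with it the encrypted password."""
        self.sessions.pop(internal_token, None)

    def resolve(self, internal_token: str) -> Optional[UserSession]:
        """AuthMiddleware path: the live session, or None when the user must log in again."""
        session = self.sessions.get(internal_token)
        if session is None:
            return None
        now = self.now()
        if now - session.last_activity > INACTIVITY_LIMIT:
            self.logout(internal_token)  # 3-day inactivity timeout
            return None
        if session.token_expires_at - now <= REFRESH_LEAD and not self._refresh(session):
            self.logout(internal_token)  # 3 consecutive refresh failures
            return None
        session.last_activity = now
        return session

    def _refresh(self, session: UserSession) -> bool:
        """Re-login to AD with the decrypted password. Below the limit a failure keeps the
        session (assumed) and is retried on the next request; success resets the counter."""
        try:
            session.ad_token, _, session.token_expires_at = self.ad_login(
                session.username, self.decrypt(session.encrypted_password))
        except ADAuthError:
            session.refresh_attempt_count += 1
            return session.refresh_attempt_count < MAX_REFRESH_ATTEMPTS
        session.refresh_attempt_count = 0
        return True
```

Driving it with `FakeClock` shows the four paths the middleware has to get right: a request 56 minutes after login lands inside the refresh margin and renews the AD token; a request after two idle days still succeeds because the window counts from `last_activity`, not from login; a request after more than three idle days returns `None` and the row is gone; and once the AD password has changed, the first two requests after expiry still pass while the third forces the logout. Only the internal token ever needs to reach the browser; the AD token and the encrypted password stay server-side.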
## Impact

- **Affected specs**: `authentication` (new capability)
- **Affected code**:
  - Backend: new standalone `app/modules/auth/` module with:
    - Routes: `/api/auth/login`, `/api/auth/logout`
    - Middleware: `AuthMiddleware` for protected routes
    - Services: `ADAuthService`, `SessionService`, `EncryptionService`
    - Models: `UserSession` (SQLAlchemy)
  - Database: new `user_sessions` table with encrypted password storage
  - Future: the chat room and other features will import this authentication module
- **Dependencies**:
  - External: requires access to `https://pj-auth-api.vercel.app/api/auth/login`
  - Python packages: `cryptography` for password encryption
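What the `EncryptionService` built on `cryptography` needs to do for the stored AD password, as an added example that is not the project's own code: authenticated, reversible encryption with the key taken from the process environment rather than from the `user_sessions` table. Fernet is the `cryptography` recipe for this (AES-128-CBC with an HMAC-SHA256 tag); the variable name `AUTH_PASSWORD_KEY` and the `MultiFernet`-based key rotation are assumptions the proposal does not mention.

```python
"""EncryptionService for the AD password kept in user_sessions. Fernet gives
authenticated, reversible encryption, which is what auto-refresh needs: the
password must be replayed to AD, so it cannot be hashed. The key comes from the
environment (assumed variable AUTH_PASSWORD_KEY), never from the database.
Added example, not the project's own code."""
import os

from cryptography.fernet import Fernet, InvalidToken, MultiFernet

KEY_ENV_VAR = "AUTH_PASSWORD_KEY"  # assumed; comma-separated keys, newest first


def generate_key() -> bytes:
    """A fresh urlsafe-base64 Fernet key, e.g. for AUTH_PASSWORD_KEY=$(python -c ...)."""
    return Fernet.generate_key()


class EncryptionService:
    def __init__(self, keys: list[bytes]) -> None:
        if not keys:
            raise ValueError("at least one key is required")
        # MultiFernet encrypts with the first key and decrypts with any of them,
        # which is what allows rotating the key without re-prompting every user.
        self._fernet = MultiFernet([Fernet(k) for k in keys])

    @classmethod
    def from_env(cls, var: str = KEY_ENV_VAR) -> "EncryptionService":
        """Fail closed at startup rather than fall back to a default key."""
        raw = os.environ.get(var, "")
        if not raw:
            raise RuntimeError(f"{var} is not set; refusing to start without a password key")
        return cls([k.strip().encode() for k in raw.split(",") if k.strip()])

    def encrypt(self, password: str) -> bytes:
        """Ciphertext to store in user_sessions.encrypted_password."""
        return self._fernet.encrypt(password.encode("utf-8"))

    def decrypt(self, blob: bytes) -> str:
        """Plaintext for the AD re-login. A tampered blob, or one encrypted under a
        key we no longer hold, raises instead of yielding garbage to send to AD."""
        try:
            return self._fernet.decrypt(blob).decode("utf-8")
        except InvalidToken:
            raise ValueError("stored password is corrupt or encrypted under an unknown key") from None

    def rotate(self, blob: bytes) -> bytes:
        """Re-encrypt under the newest key; run over the table after adding a key."""
        return self._fernet.rotate(blob)
```

The point of the `InvalidToken` handling is that the HMAC makes a modified row detectable: a database user who edits `encrypted_password` cannot make the refresh send a chosen value to AD. Rotation works by listing the new key first and the old key second in the environment, running `rotate` over the existing rows, and then dropping the old key.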