egg/Task_Reporter
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
77091eefb5f3104510c93d4f0b72b0798661d6a4
Task_Reporter/openspec/changes/archive/2025-11-16-add-user-authentication/proposal.md
egg c8966477b9 feat: Initial commit - Task Reporter incident response system 
Complete implementation of the production line incident response system (生產線異常即時反應系統) including:

Backend (FastAPI):
- User authentication with AD integration and session management
- Chat room management (create, list, update, members, roles)
- Real-time messaging via WebSocket (typing indicators, reactions)
- File storage with MinIO (upload, download, image preview)

Frontend (React + Vite):
- Authentication flow with token management
- Room list with filtering, search, and pagination
- Real-time chat interface with WebSocket
- File upload with drag-and-drop and image preview
- Member management and room settings
- Breadcrumb navigation
- 53 unit tests (Vitest)

Specifications:
- authentication: AD auth, sessions, JWT tokens
- chat-room: rooms, members, templates
- realtime-messaging: WebSocket, messages, reactions
- file-storage: MinIO integration, file management
- frontend-core: React SPA structure

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-01 17:42:52 +08:00

2.0 KiB
Raw Blame History

Change: Add User Authentication with Auto-Refresh Session Management

Why

The system requires user authentication to identify users in incident chat rooms and maintain audit trails. We integrate with the existing Panjit AD authentication API (https://pj-auth-api.vercel.app/) for credential validation, but manage our own session lifecycle to avoid frequent re-logins. AD API tokens have limited validity, but we want users to stay logged in as long as they actively use the system within a 3-day window.

What Changes

  • Implement standalone auth module with clear API boundaries for reusability
  • Implement FastAPI login endpoint that validates credentials via AD API
  • Generate our own internal session tokens (separate from AD tokens)
  • Store encrypted passwords securely for auto-refresh capability
  • Auto-refresh AD tokens before expiry (when user is active, max 3 retry attempts)
  • Implement 3-day inactivity timeout (last_activity tracking)
  • Store session data in PostgreSQL with username, display_name, internal_token, ad_token, encrypted_password, token_expires_at, refresh_attempt_count, last_activity
  • Provide middleware to auto-refresh expired AD tokens on protected routes
  • Force logout when auto-refresh fails 3 consecutive times (e.g., password changed in AD)
  • Enable user identity to be used in chat room messages

Impact

  • Affected specs: authentication (new capability)
  • Affected code:
    • Backend: New standalone app/modules/auth/ module with:
      • Routes: /api/auth/login, /api/auth/logout
      • Middleware: AuthMiddleware for protected routes
      • Services: ADAuthService, SessionService, EncryptionService
      • Models: UserSession (SQLAlchemy)
    • Database: New user_sessions table with encrypted password storage
    • Future: This authentication module will be imported by chat room and other features
  • Dependencies:
    • External: Requires access to https://pj-auth-api.vercel.app/api/auth/login
    • Python packages: cryptography for password encryption