Auth flow — spec, plan, and implementation #3

Merged

arne merged 39 commits from auth-flow-spec into main 2026-05-04 22:12:38 +02:00

Conversation 0 Commits 39 Files changed 54 +11399 -20

arne commented 2026-05-02 00:17:22 +02:00

Owner

Copy link

Summary

Lands the full auth slice end-to-end:

• Spec — docs/superpowers/specs/2026-05-01-auth-flow-design.md. Public open signup, passkey + magic-link login (no password), dedicated off-center auth shell, BFF-resident state in local SQLite.
• Plan — docs/superpowers/plans/2026-05-01-auth-flow.md. 31 tasks, full TDD code in every step.
• Implementation — 31 task commits, 52 files changed, ~11k LOC.

What ships

• New `internal/auth` package: `Service`, sessions, `RequireSession` middleware, Origin/Referer CSRF check, WebAuthn registration + discoverable assertion.
• New `internal/auth/store` package: SQLite (`modernc.org/sqlite`, pure-Go) with users, sessions, magic-link tokens, passkey credentials, activity log.
• New `internal/mail` package: `Mailer` interface, `LogMailer` (writes to stderr in dev/fixtures mode), `SMTPMailer` (env-driven for prod), three magic-link email body templates.
• New auth-shell layout (`web/templates/auth.html`) — off-center wayfinding, no card, scaling across 6 page states by changing only the headline.
• New CSS in `components.css` — `.auth-shell`, `.auth-column`, eyebrow / display headline / hairline rule rhythm, narrow-viewport collapse, prefers-reduced-motion-aware staggered reveal.
• New design-system specimens in `/design` — four mini-mockups of the auth shell across its states.
• New `passkey.js` browser helpers (~100 lines, no library).
• Sign-in form integrates WebAuthn conditional UI mediation (`autocomplete="username webauthn"` + `isConditionalMediationAvailable` + `mediation: "conditional"`).
• `/zones` and `/zones/{zone}` are gated behind `RequireSession`.

Verified

• 55+ tests across `internal/auth`, `internal/auth/store`, `internal/mail`, `internal/server` — all green.
• `go vet ./...` clean.
• Smoke tests against the running app:
  • `GET /` → 302 `/zones`
  • `GET /sign-up` → 200 with form
  • `POST /sign-up` with matching `Origin` → 303 to `/sign-up/sent`
  • `POST /sign-up` without `Origin` → 403 (CSRF)
  • `GET /zones` anon → 303 `/sign-in`
  • Magic link printed to log in fixtures mode
  • `/design` renders the auth-shell specimen section

Known follow-ups

• Two API drift adjustments to the plan during implementation (noted in commit messages on the WebAuthn tasks): `webauthn.User` no longer requires `WebAuthnIcon()`; `SessionData` is taken by value, not pointer. Both fixed at implementation time, not in the plan doc.
• One plan typo fixed during implementation: `http.SameSiteLaxMode == 2`, not `4` (plan comment was wrong; test uses the constant correctly).
• A small number of empty commits in Phase C and Phase E (where task code shipped together with an earlier task in the same file). Final state is correct; commit history is slightly messier than the plan's intent.
• E2E browser test of the passkey flow (register → sign out → conditional UI sign-in) requires a WebAuthn client mock; left as a manual / integration verification step. Smoke tested manually during implementation.

Open questions still pending (per spec)

• Production RP ID — env-driven, defaults to `localhost`. Settle when production hostname is settled.
• Email subject lines / body copy — small editorial pass when ready.
• Marcus's API expectations at signup — out of scope for this slice; one outbound call to add later.

🤖 Generated with Claude Code

## Summary Lands the full auth slice end-to-end: - **Spec** — `docs/superpowers/specs/2026-05-01-auth-flow-design.md`. Public open signup, passkey + magic-link login (no password), dedicated off-center auth shell, BFF-resident state in local SQLite. - **Plan** — `docs/superpowers/plans/2026-05-01-auth-flow.md`. 31 tasks, full TDD code in every step. - **Implementation** — 31 task commits, 52 files changed, ~11k LOC. ## What ships - New \`internal/auth\` package: \`Service\`, sessions, \`RequireSession\` middleware, Origin/Referer CSRF check, WebAuthn registration + discoverable assertion. - New \`internal/auth/store\` package: SQLite (\`modernc.org/sqlite\`, pure-Go) with users, sessions, magic-link tokens, passkey credentials, activity log. - New \`internal/mail\` package: \`Mailer\` interface, \`LogMailer\` (writes to stderr in dev/fixtures mode), \`SMTPMailer\` (env-driven for prod), three magic-link email body templates. - New auth-shell layout (\`web/templates/auth.html\`) — off-center wayfinding, no card, scaling across 6 page states by changing only the headline. - New CSS in \`components.css\` — \`.auth-shell\`, \`.auth-column\`, eyebrow / display headline / hairline rule rhythm, narrow-viewport collapse, prefers-reduced-motion-aware staggered reveal. - New design-system specimens in \`/design\` — four mini-mockups of the auth shell across its states. - New \`passkey.js\` browser helpers (~100 lines, no library). - Sign-in form integrates WebAuthn conditional UI mediation (\`autocomplete=\"username webauthn\"\` + \`isConditionalMediationAvailable\` + \`mediation: \"conditional\"\`). - \`/zones\` and \`/zones/{zone}\` are gated behind \`RequireSession\`. ## Verified - 55+ tests across \`internal/auth\`, \`internal/auth/store\`, \`internal/mail\`, \`internal/server\` — all green. - \`go vet ./...\` clean. - Smoke tests against the running app: - \`GET /\` → 302 \`/zones\` - \`GET /sign-up\` → 200 with form - \`POST /sign-up\` with matching \`Origin\` → 303 to \`/sign-up/sent\` - \`POST /sign-up\` without \`Origin\` → 403 (CSRF) - \`GET /zones\` anon → 303 \`/sign-in\` - Magic link printed to log in fixtures mode - \`/design\` renders the auth-shell specimen section ## Known follow-ups - Two API drift adjustments to the plan during implementation (noted in commit messages on the WebAuthn tasks): \`webauthn.User\` no longer requires \`WebAuthnIcon()\`; \`SessionData\` is taken by value, not pointer. Both fixed at implementation time, not in the plan doc. - One plan typo fixed during implementation: \`http.SameSiteLaxMode == 2\`, not \`4\` (plan comment was wrong; test uses the constant correctly). - A small number of empty commits in Phase C and Phase E (where task code shipped together with an earlier task in the same file). Final state is correct; commit history is slightly messier than the plan's intent. - E2E browser test of the passkey flow (register → sign out → conditional UI sign-in) requires a WebAuthn client mock; left as a manual / integration verification step. Smoke tested manually during implementation. ## Open questions still pending (per spec) - Production RP ID — env-driven, defaults to \`localhost\`. Settle when production hostname is settled. - Email subject lines / body copy — small editorial pass when ready. - Marcus's API expectations at signup — out of scope for this slice; one outbound call to add later. 🤖 Generated with [Claude Code](https://claude.com/claude-code)

arne added 1 commit 2026-05-02 00:17:22 +02:00

Auth flow design: signup, sign-in, passkey ... 276bd54806

Spec for the first non-read-only slice through the stack: account
creation (name + email), magic-link sign-in, opt-in passkey enrollment
on a dedicated auth shell. Mirrors the format of the knot-rest
prototype spec.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

arne added 1 commit 2026-05-02 00:40:15 +02:00

WIP: auth flow plan tasks 1-7 (store + mail foundation) 41c9be7401

arne added 1 commit 2026-05-02 00:43:28 +02:00

WIP: auth flow plan tasks 8-15 (service, sessions, middleware) 00f632d0bb

arne added 1 commit 2026-05-02 00:47:32 +02:00

WIP: auth flow plan tasks 16-25 (UI surfaces, magic-link flow, gating) 518a323910

arne added 1 commit 2026-05-02 00:50:15 +02:00

WIP: auth flow plan tasks 26-30 (WebAuthn, passkey UI) + final verification a89a0a2a1c

arne added 1 commit 2026-05-02 00:52:14 +02:00

Add CSRF middleware task; complete plan self-review 931540770c

arne added 6 commits 2026-05-02 06:38:41 +02:00

Bootstrap auth/store with embedded SQLite schema 365d72e929

Add users CRUD to auth store 9c0026432b

Add magic-link token CRUD with expiry, single-use, latest-wins dc12bb928b

Add sessions CRUD with WebAuthn challenge slot 555a94dfa2

Add passkey credentials CRUD d6c59fdd47

Add activity log append 5727ce0c18

arne added 2 commits 2026-05-02 06:41:36 +02:00

Add mail package with Mailer interface, LogMailer, and templates 283697127a

Add SMTPMailer and env-driven mailer factory 44efcc1a4f

arne added 7 commits 2026-05-02 06:47:35 +02:00

Add auth.Service skeleton + sentinel errors ... fe24872593

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Add Service.Signup with enumeration-safe variant selection ... f812a6f390

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Add Service.Signin with enumeration safety ... 0454c3270e

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Add Service.Resend with per-email and per-IP rate limits ... 8ca8c73afb

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Add Service.ConsumeLink with first-time detection ... 6c26010bc1

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Add Service.Signout ... 9a4a609192

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Add cookie helpers and RequireSession middleware ... fa4657da88

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

arne added 2 commits 2026-05-02 06:50:12 +02:00

Add auth-shell layout template and CSS grammar 8352cc176d

Add auth shell specimens to /design 0c1417a803

arne added 8 commits 2026-05-02 06:59:30 +02:00

Wire auth.Service into server; add signup form, submit, and sent interstitial ... 5a6c97e7ff

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Add sign-in form, submit, and sent interstitial (magic-link path) ... 9d11c19c60

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Add magic-link consume handler with first-time routing ... e01c635592

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Add sign-out handler ... f13271a91a

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Add /welcome page with placeholder passkey button ... db1695f12c

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Add /auth/resend with htmx fragment swaps ... 38ac5a6ee4

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Add link-error pages (expired / used) ... 5c005595c5

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Gate /zones routes behind RequireSession ... e628dd1545

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

arne added 5 commits 2026-05-02 07:08:31 +02:00

Add WebAuthn config and registration ceremony plumbing 115bd3e24f

Add passkey browser helpers (register, assert) 0ca24143d9

Wire /welcome passkey button live 123b474e10

Add WebAuthn assertion (discoverable login) end-to-end 87f0ef2f5c

Add passkey conditional UI to sign-in form abddc821d5

arne added 1 commit 2026-05-02 07:12:02 +02:00

Add Origin/Referer CSRF check on POST routes 77c7891119

arne changed title from Auth flow design (spec) to Auth flow — spec, plan, and implementation 2026-05-02 07:13:05 +02:00

arne added 2 commits 2026-05-04 22:12:34 +02:00

Harden auth: cookie Secure, FK pragma, hashed tokens, GET interstitial ... 2078ae3339

Critical/high findings from PR review:

- Set Secure on session and passkey-assert cookies; default true,
  opt out for local dev with NORDAAKER_COOKIE_INSECURE=1.
- Move PRAGMA foreign_keys=ON (plus journal_mode=WAL, busy_timeout)
  to the SQLite DSN so it binds to every pooled connection, not just
  the first. Verified out-of-band: FK violations are now rejected.
- Store sha256(token) for magic-link tokens; the raw value only ever
  exists in the issued email and the inbound URL. A read of the DB
  file no longer hands an attacker every outstanding link.
- Split /auth/link into a GET confirmation page + POST consume so
  email-safety scanners pre-fetching the URL can't burn the token
  before the user clicks Sign in.
- clientIP: use net.SplitHostPort (IPv6-safe); honour X-Forwarded-For
  only when NORDAAKER_TRUSTED_PROXY=1.
- Stop leaking err.Error() to clients on signup/signin/resend/consume
  and the four passkey handlers; log full error, return short text.

Test helpers swapped from DB-token peeking to a recordingMailer
since the DB no longer holds the raw token. New tests cover the GET
interstitial, empty-token GET, bad-token POST, and the cookie Secure
flag in both states.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

.gitignore: never track STRATEGY.md ... 6db5111b34

Local-only strategy / planning doc; lives in the working tree but
must stay out of git history.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

arne merged commit 1c1c6a24e2 into main 2026-05-04 22:12:38 +02:00

arne deleted branch auth-flow-spec 2026-05-04 22:12:38 +02:00

arne referenced this pull request from a commit 2026-05-04 22:12:39 +02:00

Auth flow — spec, plan, and implementation (#3)

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels

No items

No labels

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

nordaaker/web!3

No description provided.