Mimir

mimir
docs
plans

AUTH_IMPLEMENTATION_PLAN.md•19.6 kB

# Authentication Feature - Implementation Plan **Feature**: FOB-AUTH-LOGIN-1 Authentication and Login **Feature File**: `docs/features/act-0-auth/authentication.feature` **GitHub Issues**: #7, #8, #9, #10, #11 (AUTH-01 through AUTH-05) **Branch**: `feature/auth-scenarios` --- ## Current State Assessment ### ✅ What Exists (Reusable) 1. **Login View (Partial)** - `accounts/views.py::CustomLoginView` - Uses Django's `AuthenticationForm` ⚠️ (violates SAO.md "no Django Forms" rule) - Session management with remember me (30 days / 2 weeks) - Proper logging - **Decision**: Rebuild to use custom template validation 2. **Login Template** - `templates/accounts/login.html` - Bootstrap 5 styled - Has `data-testid` attributes - **Decision**: Keep structure, remove Django Form dependencies 3. **Logout View** - `accounts/views.py::custom_logout_view` - ✅ Fully implemented and correct - **Decision**: Keep as-is 4. **Settings Configuration** - LOGIN_URL, LOGIN_REDIRECT_URL configured - Session settings configured - **Decision**: Update URLs to match convention 5. **Base Template** - `templates/base.html` - Bootstrap 5.3.8 + Font Awesome + HTMX - **Decision**: Reuse for all auth templates ### ❌ What's Missing 1. **Custom User Model** - Using Django's default User 2. **Registration Views/Templates** - AUTH-03 3. **Password Reset Flow** - AUTH-04 4. **Dashboard Stub** - FOB-DASHBOARD-1 5. **Onboarding Stub** - FOB-ONBOARDING-1 6. **Integration Tests** - All scenarios 7. **URL Convention Compliance** - `/auth/user/` pattern ### ⚠️ Issues to Fix 1. **URL Pattern**: `/accounts/` → `/auth/` (violates convention) 2. **Django Forms**: Remove `AuthenticationForm`, use manual validation 3. **Missing Stubs**: Dashboard and onboarding pages needed --- ## Clarification Questions ### Q1: User Model **Question**: SAO.md says "extends Django's standard User model" but no custom fields specified. Start with built-in User? **Answer**: YES - Use Django's built-in User. Email field already exists. Can extend later if needed. ### Q2: Email-based Login **Question**: Login form shows "Username" but docs mention email. Use username or email? **Answer**: KEEP USERNAME - Django's default. Email-based login is future enhancement. ### Q3: Password Reset Email **Question**: AUTH-04 requires "receives a reset link". Use console email backend for MVP? **Answer**: YES - Console backend for now. SMTP later. --- ## Implementation Plan ### Phase 0: Preparation ✅ COMPLETE - [x] **0.1** Create feature branch ```bash git checkout -b feature/auth-scenarios ``` - [x] **0.2** Read workflow files - Read `.windsurf/workflows/dev-2-implement-backend.md` - Read `.windsurf/workflows/dev-3-implement-frontend.md` - Read `.windsurf/rules/do-github-issues.md` --- ### Phase 1: Fix URL Convention & Django Forms (AUTH-01, AUTH-02) ✅ COMPLETE **Scenario**: AUTH-01 Login with valid credentials, AUTH-02 Login with invalid credentials **GitHub Issue**: #7, #8 #### Backend Changes - [x] **1.1** Update URL routing - **File**: `mimir/urls.py` - Change: `path("accounts/", include("accounts.urls"))` → `path("auth/", include("accounts.urls"))` - [x] **1.2** Update accounts URLs to match convention - **File**: `accounts/urls.py` - Change: `login/` → `user/login/` - Change: `logout/` → `user/logout/` - Result: `/auth/user/login/`, `/auth/user/logout/` - [x] **1.3** Rebuild login view without Django Forms - **File**: `accounts/views.py` - Remove: `from django.contrib.auth.views import LoginView` - Remove: `class CustomLoginView(LoginView)` - Create: `def login_view(request)` with manual validation - Implement: POST handler with `authenticate()` and `login()` - Implement: Remember me checkbox handling - Add: Server-side validation errors - Add: Logging for auth attempts - Re-read: `.windsurf/rules/do-docstring-format.md` before implementing - Re-read: `.windsurf/rules/informative-logging.md` before implementing - [x] **1.4** Update settings.py - **File**: `mimir/settings.py` - Change: `LOGIN_URL = "/auth/user/login/"` - Change: `LOGIN_REDIRECT_URL` (see Phase 2 for dashboard) - Change: `LOGOUT_REDIRECT_URL = "/auth/user/login/"` #### Frontend Changes - [x] **1.5** Update login template - **File**: `templates/accounts/login.html` - Remove: Django Form rendering (`{{ form.username }}`) - Add: Manual input fields with Bootstrap classes - Add: Server-side error display using `{% if errors %}` - Keep: `data-testid` attributes - Add: Font Awesome icons per IA guidelines - Add: Bootstrap tooltips on buttons - Ensure: Follows validation pattern from IA_guidelines.md (red errors under fields) - Re-read: `.windsurf/rules/tooltips.md` before implementing - Re-read: `.windsurf/rules/do-semantic-versioning-on-ui-elements.md` #### Tests - [x] **1.6** Create integration test for AUTH-01 - **File**: `tests/integration/test_auth_login.py` - Test: `test_login_with_valid_credentials()` - Create test user - POST to `/auth/user/login/` - Assert: 302 redirect to dashboard - Assert: User is authenticated - Assert: Session created - Re-read: `.windsurf/rules/do-not-mock-in-integration-tests.md` before implementing - [x] **1.7** Create integration test for AUTH-02 - **File**: `tests/integration/test_auth_login.py` - Test: `test_login_with_invalid_credentials()` - POST invalid credentials to `/auth/user/login/` - Assert: 200 status (stays on page) - Assert: Error message in response - Assert: User not authenticated - [x] **1.8** Commit & Update Issue #7 #8 - Re-read: `.windsurf/rules/do-follow-commit-convention.md` - Commit message: `feat(auth): implement login with custom validation (AUTH-01, AUTH-02)` - Body: List changes, mention no Django Forms per SAO.md - Update GitHub issues #7 and #8 with progress --- ### Phase 2: Create Dashboard & Onboarding Stubs ✅ COMPLETE **Purpose**: Provide redirect targets for authentication flows #### Backend - Dashboard Stub - [x] **2.1** Create dashboard view - **File**: `methodology/views.py` (or new `accounts/views.py`) - Function: `def dashboard(request)` - Decorator: `@login_required` - Return: `render(request, 'dashboard.html')` - Re-read: `.windsurf/rules/do-docstring-format.md` - [x] **2.2** Add dashboard URL - **File**: `mimir/urls.py` - Add: `path('dashboard/', views.dashboard, name='dashboard')` #### Frontend - Dashboard Stub - [x] **2.3** Create dashboard template - **File**: `templates/dashboard.html` - Extends: `base.html` - Content: Simple card with "FOB-DASHBOARD-1 - This will be the dashboard" - Add: `data-testid="dashboard-stub"` - Note: "Dashboard implementation tracked in navigation.feature issues #17-22" #### Backend - Onboarding Stub - [x] **2.4** Create onboarding view - **File**: `accounts/views.py` - Function: `def onboarding(request)` - Decorator: `@login_required` - Return: `render(request, 'accounts/onboarding.html')` - [x] **2.5** Add onboarding URL - **File**: `accounts/urls.py` - Add: `path('user/onboarding/', views.onboarding, name='onboarding')` - Result: `/auth/user/onboarding/` #### Frontend - Onboarding Stub - [x] **2.6** Create onboarding template - **File**: `templates/accounts/onboarding.html` - Extends: `base.html` - Content: Simple card with "FOB-ONBOARDING-1 - This will be onboarding" - Add: `data-testid="onboarding-stub"` - Note: "Onboarding implementation tracked in onboarding.feature issues #12-16" #### Update Settings - [x] **2.7** Update LOGIN_REDIRECT_URL - **File**: `mimir/settings.py` - Change: `LOGIN_REDIRECT_URL = "/dashboard/"` #### Tests - [x] **2.8** Test dashboard stub - **File**: `tests/integration/test_dashboard_stub.py` - Test: `test_dashboard_requires_login()` - Test: `test_dashboard_displays_stub()` - [x] **2.9** Test onboarding stub - **File**: `tests/integration/test_onboarding_stub.py` - Test: `test_onboarding_requires_login()` - Test: `test_onboarding_displays_stub()` - [x] **2.10** Commit stubs - Commit: `feat(stubs): add dashboard and onboarding placeholder pages` - Body: "Stub pages for FOB-DASHBOARD-1 and FOB-ONBOARDING-1. Full implementation tracked separately." --- ### Phase 3: User Registration (AUTH-03) ✅ COMPLETE **Scenario**: AUTH-03 First-time user registration **GitHub Issue**: #9 #### Backend - [x] **3.1** Create registration view - **File**: `accounts/views.py` - Function: `def register(request)` - GET: Show registration form - POST: - Validate: username, email, password, password_confirm - Check: username/email uniqueness - Create: User with `User.objects.create_user()` - Login: Auto-login new user - Redirect: `/auth/user/onboarding/` - Add: Extensive logging per rules - Re-read: `.windsurf/rules/informative-logging.md` - Re-read: `.windsurf/rules/do-docstring-format.md` - [x] **3.2** Add registration URL - **File**: `accounts/urls.py` - Add: `path('user/register/', views.register, name='register')` #### Frontend - [x] **3.3** Create registration template - **File**: `templates/accounts/register.html` - Extends: `base.html` - Form fields: - Username (required) - Email (required, with email validation) - Password (required, min 8 chars) - Confirm Password (must match) - Add: Field-level validation errors (red text under fields) - Add: Font Awesome icons - Add: Bootstrap tooltips - Add: Link to login page - Add: `data-testid` attributes - Re-read: `.windsurf/rules/tooltips.md` - [x] **3.4** Add registration link to login template - **File**: `templates/accounts/login.html` - Add: "Don't have an account? [Sign Up]" link below form #### Tests - [x] **3.5** Create registration integration tests - **File**: `tests/integration/test_auth_registration.py` - Test: `test_register_new_user()` - POST valid registration data - Assert: User created in database - Assert: User auto-logged in - Assert: Redirected to `/auth/user/onboarding/` - Test: `test_register_duplicate_username()` - Create user - Attempt register with same username - Assert: Error message displayed - Test: `test_register_password_mismatch()` - POST with mismatched passwords - Assert: Error message - Test: `test_register_invalid_email()` - Re-read: `.windsurf/rules/do-not-mock-in-integration-tests.md` - [x] **3.6** Commit & Update Issue #9 - Commit: `feat(auth): implement user registration (AUTH-03)` - Update: GitHub issue #9 with completion status --- ### Phase 4: Password Reset Flow (AUTH-04) ✅ COMPLETE **Scenario**: AUTH-04 Password reset flow **GitHub Issue**: #10 #### Backend - [x] **4.1** Configure email backend - **File**: `mimir/settings.py` - Add: `EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend'` - Note: Console backend for MVP, SMTP for production - [x] **4.2** Create password reset request view - **File**: `accounts/views.py` - Function: `def password_reset_request(request)` - POST: Generate reset token, send email - Use: Django's `PasswordResetTokenGenerator` - Re-read: `.windsurf/rules/do-docstring-format.md` - [x] **4.3** Create password reset confirm view - **File**: `accounts/views.py` - Function: `def password_reset_confirm(request, uidb64, token)` - Validate: Token and user ID - POST: Set new password - Redirect: Login with success message - [x] **4.4** Add password reset URLs - **File**: `accounts/urls.py` - Add: `path('user/password-reset/', views.password_reset_request, name='password_reset')` - Add: `path('user/password-reset/<uidb64>/<token>/', views.password_reset_confirm, name='password_reset_confirm')` #### Frontend - [x] **4.5** Create password reset request template - **File**: `templates/accounts/password_reset.html` - Form: Email input - Message: "Enter your email to receive a reset link" - Add: `data-testid` attributes - [x] **4.6** Create password reset confirm template - **File**: `templates/accounts/password_reset_confirm.html` - Form: New password, confirm password - Add: Password strength indicator (optional) - Add: `data-testid` attributes - [x] **4.7** Create password reset email template - **File**: `templates/accounts/password_reset_email.txt` - Content: Plain text with reset link - [x] **4.8** Add "Forgot Password" link to login - **File**: `templates/accounts/login.html` - Add: Link below form #### Tests - [x] **4.9** Create password reset integration tests - **File**: `tests/integration/test_auth_password_reset.py` - Test: `test_password_reset_request()` - POST email to reset view - Assert: Email sent (check mail.outbox) - Assert: Reset link generated - Test: `test_password_reset_confirm_valid_token()` - Generate token - POST new password - Assert: Password changed - Assert: Can login with new password - Test: `test_password_reset_confirm_invalid_token()` - Re-read: `.windsurf/rules/do-not-mock-in-integration-tests.md` - [x] **4.10** Commit & Update Issue #10 - Commit: `feat(auth): implement password reset flow (AUTH-04)` - Update: GitHub issue #10 --- ### Phase 5: Logout Tests (AUTH-05) ✅ COMPLETE **Scenario**: AUTH-05 Logout **GitHub Issue**: #11 **Note**: Logout view already implemented, only tests needed #### Tests - [x] **5.1** Create logout integration tests - **File**: `tests/integration/test_auth_logout.py` - Test: `test_logout_authenticated_user()` - Login user - GET `/auth/user/logout/` - Assert: User logged out - Assert: Redirected to `/auth/user/login/` - Assert: Success message displayed - Test: `test_logout_unauthenticated_user()` - GET logout without login - Assert: Redirected to login (no error) - [x] **5.2** Commit & Update Issue #11 - Commit: `test(auth): add logout integration tests (AUTH-05)` - Update: GitHub issue #11 (mark complete) --- ### Phase 6: Testing Implementation ✅ COMPLETE **Purpose**: Comprehensive testing per two-tier strategy (Tier 1 sufficient for AUTH feature) **Note**: Two-tier testing strategy exists per `/dev-4-1-feature-at` and `/dev-4-2-journey-certification`. For AUTH feature, **Tier 1 provides complete coverage**. Tier 2 (browser-based) reserved for future features with heavy HTMX/JavaScript. #### Tier 1: Feature Acceptance Tests (AT) ✅ COMPLETE (SATISFIES PHASE 6) - [x] **6.1** Feature-level integration tests with Django Test Client - **Files**: - `tests/integration/test_auth_login.py` (8 tests) ✅ - `tests/integration/test_auth_registration.py` (9 tests) ✅ - `tests/integration/test_auth_password_reset.py` (8 tests) ✅ - `tests/integration/test_auth_logout.py` (5 tests) ✅ - **Tool**: Django Test Client (fast, reliable) - **Coverage**: ALL scenarios from authentication.feature - **Status**: 29 tests passing in 3.5s - **Per workflow**: `.windsurf/workflows/dev-4-1-feature-at.md` - [x] **6.2** E2E journey tests with Django Test Client - **File**: `tests/e2e/test_auth_e2e.py` (5 tests) ✅ - **Tool**: Django Test Client (not browser-based yet) - **Coverage**: Complete user journeys 1. New user registration → onboarding → dashboard 2. Login with invalid then valid credentials 3. Password reset complete flow 4. Logout and access control 5. Registration validation errors - **Status**: 5 tests passing in 1.5s #### Tier 2: Journey Certification (Browser-Based) � NOT PART OF AUTH IMPLEMENTATION **Status**: Not implemented for AUTH feature (not needed) **Rationale**: - AUTH feature has minimal JavaScript/HTMX interactions - Tier 1 tests provide complete scenario coverage (34 tests) - Django Test Client validates all authentication logic, redirects, sessions - No visual/UI complexity requiring browser validation **Future Use**: - **When needed**: Features with heavy HTMX (e.g., dashboard navigation, dynamic workflow updates) - **Tool**: LiveServerTestCase + Playwright - **Per workflow**: `.windsurf/workflows/dev-4-2-journey-certification.md` - **Example**: Dashboard navigation with HTMX tab switching would benefit from Tier 2 tests **This is guidance for FUTURE features, not a requirement for AUTH completion.** --- ### Phase 7: Documentation & Cleanup - [ ] **7.1** Update README if needed - Add: Default user creation command - Add: Testing instructions - [ ] **7.2** Run all tests ```bash pytest tests/ -v ``` - [ ] **7.3** Check test coverage ```bash pytest --cov=accounts --cov-report=html ``` - [ ] **7.4** Final commit - Commit: `docs(auth): update documentation for authentication implementation` - [ ] **7.5** Push branch ```bash git push origin feature/auth-scenarios ``` - [ ] **7.6** Create Pull Request - Title: "feat(auth): Implement authentication scenarios (AUTH-01 to AUTH-05)" - Body: Link to issues #7-11, describe changes - Request review per `.windsurf/rules/cp-2-review-copilot-work.md` --- ## Test Summary ### Unit Tests - `tests/unit/test_auth_config.py` - ✅ Already exists ### Tests Implemented for AUTH Feature ✅ COMPLETE **Tier 1: Feature Acceptance Tests (Django Test Client)** - `tests/integration/test_auth_login.py` - AUTH-01, AUTH-02 (8 tests) ✅ - `tests/integration/test_auth_registration.py` - AUTH-03 (9 tests) ✅ - `tests/integration/test_auth_password_reset.py` - AUTH-04 (8 tests) ✅ - `tests/integration/test_auth_logout.py` - AUTH-05 (5 tests) ✅ - `tests/e2e/test_auth_e2e.py` - Complete user journeys (5 tests) ✅ **Status**: 34 tests passing in ~5 seconds **Per workflow**: `.windsurf/workflows/dev-4-1-feature-at.md` ### Tier 2: Not Implemented for AUTH (Not Needed) 📋 **Tier 2** (browser-based with LiveServerTestCase + Playwright) is **not part of AUTH implementation**. **Why not needed**: - AUTH has minimal JavaScript/HTMX - Tier 1 provides complete coverage - No visual/UI complexity requiring browser validation **When to use Tier 2**: Future features with heavy HTMX/JavaScript interactions **Per workflow**: `.windsurf/workflows/dev-4-2-journey-certification.md` **Total Tests Implemented for AUTH**: 34 test functions --- ## Success Criteria - ✅ All 5 authentication scenarios pass integration tests - ✅ No Django Forms used (per SAO.md) - ✅ URL conventions followed (`/auth/user/*`) - ✅ Dashboard and onboarding stubs in place - ✅ Bootstrap toasts for success messages - ✅ Field-level validation errors per IA guidelines - ✅ Font Awesome icons and tooltips on all buttons - ✅ All `data-testid` attributes present for testing - ✅ Extensive logging per project rules - ✅ Test coverage > 90% for accounts app - ✅ Issues #7-11 marked complete --- ## Dependencies **Python Packages** (already in requirements.txt): - Django 5.2.8 - pytest-django - No additional packages needed **Documentation References**: - `docs/architecture/SAO.md` - Architecture patterns - `docs/ux/IA_guidelines.md` - UI/UX patterns - `.windsurf/rules/*.md` - Development rules --- ## Estimated Scope - **5 Scenarios**: AUTH-01 through AUTH-05 - **2 Stub Pages**: Dashboard, Onboarding - **6 Views**: Login, logout, register, password_reset (2 views), dashboard, onboarding - **6 Templates**: Login, register, password_reset (2), email, dashboard, onboarding - **7 Test Files**: ~20 test functions total - **URL Updates**: Restructure to `/auth/user/` pattern **Complexity**: Medium (login already exists, need to rebuild without Forms)

Loading blob content...

Latest Blog Posts

Don't Use Large Strings as Cache Keys
By punkpeye on January 11, 2026.
markdown
node-js
cache
What are Claude Skills?
By punkpeye on January 10, 2026.
mcp
skills
How to Test MCP Streamable HTTP Endpoints Using cURL
By punkpeye on January 2, 2026.
tutorial
bash

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/phainestai/mimir'

If you have feedback or need assistance with the MCP directory API, please join our Discord server

AUTH_IMPLEMENTATION_PLAN.md•19.6 kB