Authentication System - Tasks & Roadmap
Current status, active work, and future plans for the authentication system.
System Status
| Component | Status | Notes |
|---|---|---|
| User Registration | ✅ Complete | Door A (owner) and Door B (invite) |
| Login Flow | ✅ Complete | Two-step login with team selection |
| JWT Tokens | ✅ Complete | Access + refresh with HttpOnly cookies |
| RBAC | ✅ Complete | Wildcard + exact match permissions |
| Email Verification | ✅ Complete | 24-hour TTL, single-use tokens |
| Password Reset | ✅ Complete | 1-hour TTL, single-use tokens |
| Device Approval | ✅ Complete | Email OTP with 5-min TTL |
| Suspicious Login | ✅ Complete | Geo-IP detection + approve/deny |
| Concurrent Login | ✅ Complete | Single-session enforcement |
| Session Management | ✅ Complete | Idle + absolute timeout |
| CSRF Protection | ✅ Complete | Double-submit cookie pattern |
| Rate Limiting | ✅ Complete | Redis-backed per-IP limits |
| Virtuozzo Integration | ✅ Complete | Owner-only session key refresh |
| Team Invitations | ✅ Complete | Single-use, 7-day TTL |
| Ownership Transfer | ✅ Complete | Email-based approval flow |
| TOTP (2FA) | ✅ Complete | Setup + verify + backup codes |
| SSE Auth Gating | ✅ Complete | `events:read` permission check |
Completed Features
Phase A: Foundation ✅
- Async database session management
- Settings for JWT, bcrypt, Redis
- User, Team, TeamMember, Role, Permission models
- Alembic migrations
Phase B: Core Authentication ✅
- Password hashing with bcrypt
- JWT creation/validation
- Two-step login (credentials → session exchange)
- Token refresh + logout
- AuthContextMiddleware + `get_current_user` dependency
Phase C: RBAC & Teams ✅
- Permission seeding
- Default roles (Owner, Manager, Developer)
- Team invitations (create + accept)
- Ownership transfer flow
- Role/permission management
Phase D: User Lifecycle ✅
- Email verification
- Password reset
- Device approval OTP
- Suspicious login detection
- Concurrent login enforcement
- Login activity API
- Trusted devices API
Phase E: Virtuozzo Integration ✅
- Team-scoped session key storage
- Owner-only refresh
- Per-team Redis locking
- Lazy refresh with safety window
Phase F: SSE Integration ✅
- Auth gating on `/api/v1/events`
- Team-scoped subscriptions
- Permission checks (`events:read`)
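The status table describes RBAC as "wildcard + exact match permissions" and the SSE gate as a check for `events:read`. The following is an added illustration of that kind of check, not the project's own code: it assumes permission strings are colon-separated segments such as `events:read`, that a `*` segment matches any single segment, and that a bare `*` grants everything. The function names, the `PermissionDenied` type and the sample grant sets are all constructed for the example; the project's real wildcard rules and role definitions may differ.

```python
"""Permission matching with wildcard and exact-match semantics.

Added illustration, not the project's own code. Assumes permission strings
are colon-separated segments such as "events:read", that a "*" segment matches
any single segment, and that a bare "*" grants everything; the project's real
wildcard rules may differ.
"""
from typing import Iterable


def _matches(granted: str, required: str) -> bool:
    """True if one granted pattern covers the required permission."""
    if granted == required:           # exact match
        return True
    if granted == "*":                # assumed: bare "*" grants everything
        return True
    g_parts = granted.split(":")
    r_parts = required.split(":")
    if len(g_parts) != len(r_parts):  # "events:*" does not cover "events:read:all"
        return False
    return all(g == "*" or g == r for g, r in zip(g_parts, r_parts))


def has_permission(granted: Iterable[str], required: str) -> bool:
    """Check a set of granted permissions against one required permission.

    Hypothetical helper; the project's real checker may have a different API.
    Wildcards are honoured only on the granted side: a caller must always ask
    for a concrete permission name, never for "events:*".
    """
    if not required or "*" in required:
        raise ValueError("required permission must be a concrete name")
    return any(_matches(g, required) for g in granted)


class PermissionDenied(Exception):
    """Raised when an SSE subscriber lacks the permission the stream needs."""


def can_subscribe_events(granted: Iterable[str]) -> bool:
    """Decision the gate in front of /api/v1/events would make (assumed)."""
    return has_permission(granted, "events:read")


def gate_events_stream(granted: Iterable[str]) -> str:
    """Fail closed: refuse the stream unless events:read is granted."""
    if not can_subscribe_events(granted):
        raise PermissionDenied("events:read required")
    return "subscribed"


# Constructed sample grants (not the project's role definitions).
SAMPLE_GRANTS = {
    "owner": {"*"},
    "manager": {"events:*", "team:read", "team:invite"},
    "developer": {"events:read", "deploy:read"},
    "viewer": {"team:read"},
}

if __name__ == "__main__":
    for role, grants in SAMPLE_GRANTS.items():
        try:
            print(role, gate_events_stream(grants))
        except PermissionDenied as exc:
            print(role, "denied:", exc)
```

Two design points worth keeping in a real checker: the required side is always a concrete name, so a bug that passes a pattern through cannot widen access, and a pattern with fewer segments than the requested permission does not match, so `events:*` cannot silently cover a deeper permission added later.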
Phase G: Security Hardening ✅
- CSRF double-submit pattern
- Rate limiting (login endpoint)
- Token blacklisting
- Revocation timestamps
- Auth violation logging
- Abuse signal detection
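Phase G lists the CSRF double-submit pattern as complete. As an added example (not the project's own code), here is the core of that pattern in plain Python: a random token is set in a cookie and the client echoes it in a request header, and the server accepts a state-changing request only when both copies are present and identical. The cookie name `csrf_token`, the header name `X-CSRF-Token` and the sample requests are assumptions made for this example.

```python
"""Double-submit cookie CSRF check.

Added illustration, not the project's own code. Assumes the CSRF token
travels in a cookie named "csrf_token" and is echoed back by the client in
an "X-CSRF-Token" header; both names are assumptions made for this example.
"""
import hmac
import secrets

CSRF_COOKIE = "csrf_token"      # assumed cookie name
CSRF_HEADER = "X-CSRF-Token"    # assumed header name
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


def issue_csrf_token() -> str:
    """Mint a fresh, unguessable token to set in the CSRF cookie.

    Unlike the session cookie, this cookie must NOT be HttpOnly: the page's
    own script has to read it to copy it into the request header.
    """
    return secrets.token_urlsafe(32)


def verify_csrf(cookie_token, header_token) -> bool:
    """The double-submit rule: both values present and identical."""
    if not cookie_token or not header_token:
        return False
    # Constant-time comparison on bytes so neither the mismatch position
    # nor a non-ASCII value can cause a timing difference or a TypeError.
    return hmac.compare_digest(str(cookie_token).encode("utf-8"),
                               str(header_token).encode("utf-8"))


def csrf_check(method: str, cookies: dict, headers: dict) -> bool:
    """Apply the check to one request; safe (read-only) methods are exempt."""
    if method.upper() in SAFE_METHODS:
        return True
    # HTTP header names are case-insensitive; normalise before looking up.
    lowered = {k.lower(): v for k, v in headers.items()}
    return verify_csrf(cookies.get(CSRF_COOKIE), lowered.get(CSRF_HEADER.lower()))


if __name__ == "__main__":
    tok = issue_csrf_token()
    # Constructed requests: a legitimate same-origin POST, and a cross-site
    # one that carries the cookie (the browser attaches it) but has no header.
    legit = ("POST", {CSRF_COOKIE: tok}, {CSRF_HEADER: tok})
    forged = ("POST", {CSRF_COOKIE: tok}, {})
    print("legit:", csrf_check(*legit))
    print("forged:", csrf_check(*forged))
```

The check relies on the browser's same-origin policy: a cross-site page can cause the cookie to be sent but cannot read it or set a custom header on the request. Pairing the cookie with a `SameSite` attribute, as the session cookies in this system already use HttpOnly, reduces exposure further; that attribute is a general recommendation, not something this page records.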
Active Work
Current Sprint
| Task | Status | Assignee | Target |
|---|---|---|---|
| TOTP (2FA) Rollout | In Review | Backend Team | Phase H |
| Frontend Auth Integration | In Progress | Frontend Team | Q1 2025 |
Upcoming Features
Near Term (Next 1-2 Months)
| Feature | Description | Priority |
|---|---|---|
| SSO Integration | SAML/OAuth providers for enterprise | High |
| Bulk User Import | CSV import for team members | Medium |
| Session Analytics Dashboard | Visualize login patterns | Medium |
| Advanced 2FA Options | WebAuthn, hardware keys | Medium |
Medium Term (3-6 Months)
| Feature | Description | Priority |
|---|---|---|
| Adaptive MFA | Step-up auth based on risk | High |
| Biometric Auth | WebAuthn passkeys | Medium |
| Session Management UI | User can view/revoke all sessions | High |
| Advanced RBAC | Resource-level permissions | Medium |
| Audit Log Export | CSV/JSON export of activity | Low |
Long Term (6+ Months)
| Feature | Description | Priority |
|---|---|---|
| Multi-Factor Auth Methods | SMS, authenticator app, hardware keys | Medium |
| Advanced Threat Detection | ML-based anomaly detection | High |
| Compliance Reporting | SOC2, HIPAA reports | High |
| Federated Identity | Active Directory, LDAP integration | Medium |
| Passwordless Auth | Magic link authentication | Low |
Technical Debt
Items to Address
| Area | Issue | Impact | Plan |
|---|---|---|---|
| Testing | E2E test coverage < 85% | Quality risk | Add E2E tests for all flows |
| Documentation | API docs not auto-generated | Maintenance | Integrate mkdocstrings |
| Observability | Distributed tracing incomplete | Debugging | Add OTEL spans to auth flows |
| Redis HA | No Redis Sentinel/Cluster | Availability | Implement Redis HA |
| Database Indexes | Some queries slow | Performance | Review and add indexes |
| Secret Rotation | No automatic key rotation | Security | Implement key rotation |
Migration Projects
Planned Migrations
| Project | From | To | Timeline |
|---|---|---|---|
| Session Storage | Redis only | Redis + Postgres backup | Q2 2025 |
| Email Provider | Postmark only | Multi-provider support | Q3 2025 |
| MFA Library | pyotp only | Multi-library support | Q3 2025 |
| Token Format | Custom JWT | Standard JWT with `kid` | Q2 2025 |
Dependencies
External Service Dependencies
| Service | Version | Status | Notes |
|---|---|---|---|
| FastAPI | 0.115+ | ✅ Current | Regular updates |
| python-jose | 3.3+ | ✅ Current | JWT handling |
| bcrypt | 4.0+ | ✅ Current | Password hashing |
| Redis | 7.0+ | ✅ Current | Session state |
| PostgreSQL | 15+ | ✅ Current | User data |
| Postmark | API | ✅ Current | Email service |
Risk Register
| Risk | Likelihood | Impact | Mitigation |
|---|---|---|---|
| Redis failure causes login outage | Medium | High | Implement Redis HA, circuit breaker |
| Secret leaked in logs | Low | Critical | PII filtering, log review |
| Token brute force | Low | Medium | Rate limiting, account lockout |
| Session hijacking | Low | High | HttpOnly cookies, CSRF, idle timeout |
| Email provider outage | Medium | Medium | Queue emails, retry logic |
| Virtuozzo API changes | Low | High | Version pinning, API contracts |
Success Metrics
KPIs
| Metric | Current | Target | Date |
|---|---|---|---|
| Login Success Rate | 98% | > 99% | Q2 2025 |
| Mean Time to Detect (MTTD) | 5 min | < 2 min | Q2 2025 |
| Mean Time to Resolve (MTTR) | 15 min | < 10 min | Q2 2025 |
| Test Coverage | 82% | > 85% | Q1 2025 |
| API Response Time (p95) | 200ms | < 150ms | Q2 2025 |
Change Log
| Date | Change | Author |
|---|---|---|
| 2025-01-22 | Initial documentation | Documentation Team |