Summary
Implement native authentication to enable secure remote access and lay the foundation for team features. Multiple feedback items requested this for hosting Forge publicly.
Motivation
Users want to:
- Host Forge on a server and access from anywhere
- Not worry about security when exposing Forge publicly
- Enable future team/multi-user features
Proposed Features
Phase 1: Basic Auth
- Username/password authentication
- Session management with secure tokens
- Login/logout UI
- Protected routes
Phase 2: Enhanced Security
- Password hashing (bcrypt/argon2)
- Rate limiting on login attempts
- Session timeout configuration
- "Remember me" option
Phase 3: Multi-User Foundation
- User table in database
- Per-user settings/preferences
- User-scoped projects (optional)
- Admin user for initial setup
Technical Considerations
Backend:
- Auth middleware for protected routes
- Session store (database or Redis)
- Secure cookie handling
- CSRF protection
Frontend:
- Login page
- Auth context/state
- Protected route wrapper
- Token refresh handling
Database:
```sql
CREATE TABLE users (
    id UUID PRIMARY KEY,
    username TEXT UNIQUE NOT NULL,
    password_hash TEXT NOT NULL,
    created_at TIMESTAMP,
    last_login TIMESTAMP
);
CREATE TABLE sessions (
    id UUID PRIMARY KEY,
    user_id UUID REFERENCES users(id),
    token TEXT UNIQUE,
    expires_at TIMESTAMP,
    created_at TIMESTAMP
);
```
Out of Scope (Future)
- OAuth/SSO integration
- Role-based permissions
- Team/organization features
- API key authentication
Acceptance Criteria
- Users can register/login with username and password
- Unauthenticated users cannot access Forge
- Sessions persist across browser restarts
- Logout properly invalidates session
- Secure against common auth vulnerabilities
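A sketch of the login, session-check and logout flow against the proposed `users` and `sessions` tables, added here as an example and not taken from Forge's code. Assumptions: SQLite in memory with UUID/TIMESTAMP columns stored as TEXT, standard-library scrypt standing in for bcrypt/argon2, the `token` column holding a SHA-256 digest of the token instead of the token itself, and all function names hypothetical.

```python
import hashlib, hmac, secrets, sqlite3, uuid
from datetime import datetime, timedelta, timezone

# Constructed SQLite rendering of the issue's schema (assumption: TEXT for UUID/TIMESTAMP).
SCHEMA = """
CREATE TABLE users (id TEXT PRIMARY KEY, username TEXT UNIQUE NOT NULL,
                    password_hash TEXT NOT NULL, created_at TEXT, last_login TEXT);
CREATE TABLE sessions (id TEXT PRIMARY KEY, user_id TEXT REFERENCES users(id),
                       token TEXT UNIQUE, expires_at TEXT, created_at TEXT);
"""

def token_digest(token):
    # Only this digest is stored, so a leaked sessions table holds no usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()

def hash_password(password, salt=None):
    # scrypt (stdlib) stands in for the bcrypt/argon2 named in Phase 2.
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt.hex() + "$" + digest.hex()

def verify_password(password, stored):
    salt = bytes.fromhex(stored.split("$")[0])
    return hmac.compare_digest(hash_password(password, salt), stored)

def register(db, username, password):
    db.execute("INSERT INTO users VALUES (?,?,?,?,NULL)",
               (str(uuid.uuid4()), username, hash_password(password),
                datetime.now(timezone.utc).isoformat()))

def login(db, username, password, ttl=timedelta(hours=8)):
    row = db.execute("SELECT id, password_hash FROM users WHERE username=?",
                     (username,)).fetchone()
    if row is None or not verify_password(password, row[1]):
        return None  # unknown user and wrong password are indistinguishable to the caller
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    created = datetime.now(timezone.utc)
    db.execute("INSERT INTO sessions VALUES (?,?,?,?,?)",
               (str(uuid.uuid4()), row[0], token_digest(token),
                (created + ttl).isoformat(), created.isoformat()))
    return token  # sent to the browser once, in a Secure/HttpOnly cookie

def current_user(db, token, now=None):
    row = db.execute("SELECT user_id, expires_at FROM sessions WHERE token=?",
                     (token_digest(token),)).fetchone()
    if row is None or datetime.fromisoformat(row[1]) <= (now or datetime.now(timezone.utc)):
        return None  # no such session, or it has expired
    return row[0]

def logout(db, token):
    # Server-side delete: a copied cookie stops working after logout.
    db.execute("DELETE FROM sessions WHERE token=?", (token_digest(token),))
```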
Team Feedback Sources
- Feedback 3: Native auth for hosting
- Feedback 6: Simple auth system for teams
Priority
🟡 P2 - Medium (enabler for future features, 2/6 feedback items)
Note
This is a larger feature that could be broken into sub-issues once design is finalized.