chore: add document for auth #34
Conversation
|
Functional requirements should be in the PRD (product requirements document) and not be focused on UI, e.g. trigger descriptions "user clicked x". Instead, focus on user user journey and benefits - what is the user's semantic intent? Write requirements in "Given $situation, should $expectedBehavior, so that $benefit". RDD refers to this part: Separately, API documentation should be focused on interfaces, which in SudoLang look a LOT like TypeScript Schemas. (TypeScript types for complex types). This part should read like technical documentation teaching users how to use the API. It doesn't need to be crazy thorough, just the minimum to document the API surface. In other words, if there is a schema/interface, that goes in RDD. If there are requirements, that goes in the requirements doc. (Product Requirements Document PRD), etc. |
| - Ensure seamless onboarding for new users | ||
| - Support cross-device authentication scenarios | ||
|
|
||
| ### Success Metrics |
There was a problem hiding this comment.
Can we get rid of these success metrics? These are just fantasies until we get some baseline measurements.
| @@ -0,0 +1,406 @@ | |||
| # Requirements Definition Document: Authentication Strategy | |||
There was a problem hiding this comment.
RDD does not stand for "Requirements Definition Document" 🤣
| - **Attestation**: None required (for broader compatibility) | ||
|
|
||
| #### Magic Link Security | ||
| - **Expiration**: 15 minutes maximum |
There was a problem hiding this comment.
Magic links can take more than 10-15 minutes to be delivered. This should be hours, not minutes.
| #### User Profile Schema | ||
| ```json | ||
| { | ||
| "userId": "uuid", |
| ### 3.2 Data Storage Requirements | ||
|
|
||
| #### User Profile Schema | ||
| ```json |
There was a problem hiding this comment.
This should be in sudolang format:
Passkey {
userId: string // user PK, also use as user handle bytes. Index on this so we can easily query all passkeys for a specific user.
credentialId: string // base64url
publicKeyCose: string // base64url COSE key
signCount: number // last known counter
}
Passkeys: Passkey[] // This gets its own table in the db
UserProfile {
userId: string // cuid
email: string
createdAt: number // epoch time Date.now()
// passkeys not needed here because we discover the user from the passkeys table, not vice verse
}
| { | ||
| "userId": "uuid", | ||
| "email": "string", | ||
| "emailVerified": "boolean", |
There was a problem hiding this comment.
Not needed. User accounts should not be created until a successful email auth happens, which means all user records should have verified emails because there's no other way to create an account.
|
Closed in favor of #44 |
closes #27