🔐 Authentication System #318

@vasconceloscezar

Description

Summary

Implement native authentication to enable secure remote access and lay the foundation for team features. Multiple pieces of feedback requested this for hosting Forge publicly.

Motivation

Users want to:

  • Host Forge on a server and access from anywhere
  • Not worry about security when exposing Forge publicly
  • Enable future team/multi-user features

Proposed Features

Phase 1: Basic Auth

  • Username/password authentication
  • Session management with secure tokens
  • Login/logout UI
  • Protected routes

Phase 2: Enhanced Security

  • Password hashing (bcrypt/argon2)
  • Rate limiting on login attempts
  • Session timeout configuration
  • "Remember me" option

Phase 3: Multi-User Foundation

  • User table in database
  • Per-user settings/preferences
  • User-scoped projects (optional)
  • Admin user for initial setup

Technical Considerations

Backend:

  • Auth middleware for protected routes
  • Session store (database or Redis)
  • Secure cookie handling
  • CSRF protection

Frontend:

  • Login page
  • Auth context/state
  • Protected route wrapper
  • Token refresh handling

Database:

-- Users: store only a password hash (bcrypt/argon2), never the password itself.
CREATE TABLE users (
  id UUID PRIMARY KEY,
  username TEXT UNIQUE NOT NULL,
  password_hash TEXT NOT NULL,
  created_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
  last_login TIMESTAMP
);

-- Sessions: `token` should hold a hash of the cookie value, not the raw value,
-- so a leaked table cannot be replayed; every row must carry an expiry.
CREATE TABLE sessions (
  id UUID PRIMARY KEY,
  user_id UUID NOT NULL REFERENCES users(id) ON DELETE CASCADE,
  token TEXT UNIQUE NOT NULL,
  expires_at TIMESTAMP NOT NULL,
  created_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP
);
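Added example (not Forge's code or the issue author's): a minimal Phase 1/Phase 2 backend over the schema above, written with only the Python standard library. It assumes SQLite (UUIDs as TEXT, timestamps as epoch seconds), uses scrypt as a stand-in for the bcrypt/argon2 the issue proposes, stores only a SHA-256 of the session token, rate-limits failed logins per username, and enforces expiry and server-side logout. SESSION_TTL, MAX_FAILURES and LOCKOUT_SECONDS are assumed values, and AuthStore is a hypothetical name.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
import sqlite3
import time
import uuid

# Constructed SQLite version of the issue's schema: UUIDs as TEXT, timestamps as
# epoch seconds. Only a hash of the session token is stored, so a dump of the
# sessions table cannot be replayed as a valid login cookie.
SCHEMA = """
CREATE TABLE users (
  id TEXT PRIMARY KEY,
  username TEXT UNIQUE NOT NULL,
  password_hash TEXT NOT NULL,
  created_at REAL NOT NULL,
  last_login REAL
);
CREATE TABLE sessions (
  id TEXT PRIMARY KEY,
  user_id TEXT NOT NULL REFERENCES users(id) ON DELETE CASCADE,
  token_hash TEXT UNIQUE NOT NULL,
  expires_at REAL NOT NULL,
  created_at REAL NOT NULL
);
"""

SESSION_TTL = 8 * 3600       # assumed default lifetime; "remember me" would extend it
MAX_FAILURES = 5             # assumed per-username failure threshold
LOCKOUT_SECONDS = 15 * 60    # assumed lockout window after MAX_FAILURES


def hash_password(password: str, salt: bytes | None = None) -> str:
    """scrypt (stdlib) stands in for the bcrypt/argon2 the issue proposes."""
    salt = salt or os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return f"scrypt$16384$8$1${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, n, r, p, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                        n=int(n), r=int(r), p=int(p))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison


# Verified against when the username does not exist, so response time does not
# reveal which usernames are registered.
DUMMY_HASH = hash_password("dummy-password-for-unknown-users")


def token_hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


class AuthStore:
    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute("PRAGMA foreign_keys = ON")
        self.db.executescript(SCHEMA)
        self.failures: dict[str, list[float]] = {}  # username -> failed-attempt times

    def register(self, username: str, password: str) -> str:
        uid = str(uuid.uuid4())
        self.db.execute("INSERT INTO users VALUES (?, ?, ?, ?, NULL)",
                        (uid, username, hash_password(password), time.time()))
        return uid

    def _locked_out(self, username: str, now: float) -> bool:
        recent = [t for t in self.failures.get(username, []) if now - t < LOCKOUT_SECONDS]
        self.failures[username] = recent
        return len(recent) >= MAX_FAILURES

    def login(self, username: str, password: str, now: float | None = None) -> str | None:
        """Return the raw token for the session cookie, or None on failure or lockout."""
        now = time.time() if now is None else now
        if self._locked_out(username, now):
            return None
        row = self.db.execute("SELECT id, password_hash FROM users WHERE username = ?",
                              (username,)).fetchone()
        # Always run the KDF, even for unknown users (see DUMMY_HASH).
        ok = verify_password(password, row[1] if row else DUMMY_HASH) and row is not None
        if not ok:
            self.failures.setdefault(username, []).append(now)
            return None
        token = secrets.token_urlsafe(32)  # 256 bits of randomness; never stored raw
        self.db.execute("INSERT INTO sessions VALUES (?, ?, ?, ?, ?)",
                        (str(uuid.uuid4()), row[0], token_hash(token), now + SESSION_TTL, now))
        self.db.execute("UPDATE users SET last_login = ? WHERE id = ?", (now, row[0]))
        self.failures.pop(username, None)
        return token

    def user_for_token(self, token: str, now: float | None = None) -> str | None:
        """Resolve a cookie value to a user id; expired or revoked sessions yield None."""
        now = time.time() if now is None else now
        row = self.db.execute("SELECT user_id, expires_at FROM sessions WHERE token_hash = ?",
                              (token_hash(token),)).fetchone()
        if row is None or row[1] <= now:
            return None
        return row[0]

    def logout(self, token: str) -> None:
        """Server-side invalidation: clearing the cookie alone is not enough."""
        self.db.execute("DELETE FROM sessions WHERE token_hash = ?", (token_hash(token),))
```

The raw value returned by login() is what goes into the cookie (with HttpOnly, Secure and SameSite set); the database only ever sees its SHA-256, and lookups key on that hash, so neither a table dump nor a timing difference on the lookup gives an attacker a usable token. Logout deletes the row, which is what makes "logout properly invalidates session" true on the server rather than only in the browser.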

Out of Scope (Future)

  • OAuth/SSO integration
  • Role-based permissions
  • Team/organization features
  • API key authentication

Acceptance Criteria

  • Users can register/login with username and password
  • Unauthenticated users cannot access Forge
  • Sessions persist across browser restarts
  • Logout properly invalidates session
  • Secure against common auth vulnerabilities

Team Feedback Sources

  • Feedback 3: Native auth for hosting
  • Feedback 6: Simple auth system for teams

Priority

🟡 P2 - Medium (enabler for future features, 2/6 feedbacks)

Note

This is a larger feature that could be broken into sub-issues once design is finalized.

Labels: enhancement (New feature or request)