TenantAtlas/specs/064-auth-structure/data-model.md
ahmido 210cf5ce8b feat: implement auth structure system panel (#77)
Implements 064-auth-structure (Auth Structure v1.0):

Adds platform_users + PlatformUser identity (factory + seeder) for platform operators
Introduces platform auth guard/provider in auth.php
Adds a dedicated Filament v5 System panel at system using guard platform (custom login + dashboard)
Enforces strict cross-scope isolation between /admin and system (deny-as-404)
Adds platform capability gating (platform.access_system_panel, platform.use_break_glass) + gates in AuthServiceProvider
Implements audited break-glass mode (enter/exit/expire), banner via render hook, feature flag + TTL config
Removes legacy users.is_platform_superadmin runtime usage and adds an architecture test to prevent regressions
Updates tenant membership pivot usage where needed (tenant_memberships)
Testing:

vendor/bin/sail artisan test --compact tests/Feature/Auth (28 passed)
vendor/bin/sail bin pint --dirty
Notes:

Filament v5 / Livewire v4 compatible.
Panel providers registered in providers.php.
Destructive actions use ->action(...) + ->requiresConfirmation() where applicable.

Co-authored-by: Ahmed Darrazi <ahmeddarrazi@MacBookPro.fritz.box>
Reviewed-on: #77
2026-01-27 21:49:18 +00:00


Data Model: Auth Structure

This document defines the database schema changes for the 064-auth-structure feature.

New Tables

platform_users

This table stores the authentication and profile information for Platform Operators. These users are managed locally and are entirely separate from the tenant-facing users table.

Purpose: To provide a dedicated identity store for system administrators and operators, authenticated through the separate platform guard rather than the tenant-facing guard, so that access to the /system panel cannot be obtained with a tenant account.

Laravel Migration Definition:

use Illuminate\Database\Schema\Blueprint;
use Illuminate\Support\Facades\Schema;

// Body of the migration's up(); the matching down() drops the table with Schema::dropIfExists('platform_users').
Schema::create('platform_users', function (Blueprint $table) {
    $table->id();                                   // bigint unsigned, auto-increment primary key
    $table->string('name');
    $table->string('email')->unique();              // login identifier, unique index
    $table->string('password');                     // password hash only, never plaintext
    $table->jsonb('capabilities')->default('[]');   // capability identifiers; jsonb on PostgreSQL, mapped to json on MySQL
    $table->boolean('is_active')->default(true);    // checked by the guard/panel access logic, not enforced by the column itself
    $table->timestamp('last_login_at')->nullable();
    $table->rememberToken();                        // nullable remember_token string(100)
    $table->timestamps();                           // created_at / updated_at, managed by Eloquent
});

Field Definitions

| Column | Type | Description | Notes |
| --- | --- | --- | --- |
| id | bigint, unsigned | Primary key. | Auto-incrementing. |
| name | string | Full name of the platform operator. | Required. |
| email | string | Email address used as the login identifier. | Unique index across the table. |
| password | string | Password hash produced by Laravel's configured hasher (bcrypt by default). | Plaintext is never stored. |
| capabilities | jsonb | Array of string capability identifiers (e.g., ["platform.access_system_panel", "platform.use_break_glass"]) consulted by the authorization gates. | Defaults to an empty array ([]). jsonb is PostgreSQL-native; Laravel maps it to json on MySQL. |
| is_active | boolean | Enables or disables the account. Inactive operators cannot log in. The column itself revokes nothing: the guard or panel access check must re-evaluate it on every request for deactivation to end an existing session. | Defaults to true. |
| last_login_at | timestamp | Time of the operator's last successful login. | Nullable. |
| remember_token | string | Backs Laravel's "Remember Me" functionality. | Nullable. |
| created_at | timestamp | Record creation time. | Managed by Eloquent. |
| updated_at | timestamp | Last modification time. | Managed by Eloquent. |
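The following is an added illustration, not TenantAtlas code, of how the columns above are consumed: an Eloquent model bound to platform_users with the capabilities and is_active columns cast and checked, a Filament panel-access check, and one gate per capability. The file paths, class names, the "system" panel id and the platform guard name are assumptions; the two capability identifiers are the ones named in the commit message on this page. It assumes Laravel 11+ (casts() method and the hashed cast) and Filament's FilamentUser contract.

```php
<?php
// Added example (not the project's code). Paths, class names and guard/panel
// names are assumptions; capability identifiers are from the commit message.

// app/Models/PlatformUser.php (hypothetical path)
namespace App\Models;

use Filament\Models\Contracts\FilamentUser;
use Filament\Panel;
use Illuminate\Database\Eloquent\Factories\HasFactory;
use Illuminate\Foundation\Auth\User as Authenticatable;

class PlatformUser extends Authenticatable implements FilamentUser
{
    use HasFactory;

    protected $table = 'platform_users';

    // capabilities and is_active are deliberately NOT fillable: privilege-bearing
    // columns are written only by explicit operator tooling, never via mass assignment.
    protected $fillable = ['name', 'email', 'password'];

    protected $hidden = ['password', 'remember_token'];

    protected function casts(): array
    {
        return [
            'capabilities'  => 'array',    // jsonb column <-> PHP array
            'is_active'     => 'boolean',
            'last_login_at' => 'datetime',
            'password'      => 'hashed',   // hashed on assignment, so plaintext never reaches the DB
        ];
    }

    public function hasCapability(string $capability): bool
    {
        // Strict comparison: a capability is an exact string identifier, nothing else.
        return in_array($capability, $this->capabilities ?? [], true);
    }

    // Filament's Authenticate middleware evaluates this on each panel request, not only
    // at login, so a deactivated operator loses access without waiting for logout.
    public function canAccessPanel(Panel $panel): bool
    {
        return $panel->getId() === 'system'
            && $this->is_active
            && $this->hasCapability('platform.access_system_panel');
    }
}

// app/Providers/AuthServiceProvider.php (hypothetical path)
namespace App\Providers;

use App\Models\PlatformUser;
use Illuminate\Support\Facades\Gate;
use Illuminate\Support\ServiceProvider;

class AuthServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        // One gate per capability. The PlatformUser parameter type matters: Laravel's
        // Gate returns false when the current user is not an instance of the hinted
        // class, so a tenant User authenticated on another guard can never pass.
        foreach (['platform.access_system_panel', 'platform.use_break_glass'] as $capability) {
            Gate::define($capability, fn (PlatformUser $user): bool =>
                $user->is_active && $user->hasCapability($capability)
            );
        }
    }
}
```

For the isolation to hold, config/auth.php needs a guard that resolves only this model, for example a session guard named platform whose provider is an eloquent provider with model App\Models\PlatformUser (names assumed); the /system panel then uses that guard, and a session established on the tenant users guard carries no identity on it.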

Modified Tables

No existing tables will be modified as part of the core data model changes.

Deprecations

  • users.is_platform_superadmin: This column in the users table is deprecated. No new code may rely on it for authorization; platform privileges are expressed through platform_users.capabilities instead, and an architecture test fails the suite if runtime code reintroduces a reference. A separate, future migration will remove the column once the backfill process is complete.
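As an added illustration of such a regression guard (not TenantAtlas's own test), the PHPUnit test below scans the runtime source directories for the literal column name and fails with the offending file:line list if any appear. The test path, class name and the set of scanned directories are assumptions; database/migrations is excluded on purpose because the backfill and removal migrations must still name the column.

```php
<?php
// Added example (not the project's code). Path, class name and scanned
// directories are assumptions. Plain PHPUnit; does not boot the Laravel app.

// tests/Architecture/DeprecatedSuperadminFlagTest.php (hypothetical path)
namespace Tests\Architecture;

use FilesystemIterator;
use PHPUnit\Framework\TestCase;
use RecursiveDirectoryIterator;
use RecursiveIteratorIterator;

final class DeprecatedSuperadminFlagTest extends TestCase
{
    private const DEPRECATED_COLUMN = 'is_platform_superadmin';

    // Runtime code only. database/migrations is intentionally excluded: the backfill
    // and removal migrations legitimately reference the column.
    private const RUNTIME_DIRS = ['app', 'routes', 'config'];

    public function test_no_runtime_reference_to_deprecated_column(): void
    {
        $root = dirname(__DIR__, 2);   // repository root, assuming tests/Architecture/
        $offenders = [];

        foreach (self::RUNTIME_DIRS as $dir) {
            $base = $root . DIRECTORY_SEPARATOR . $dir;
            if (!is_dir($base)) {
                continue;
            }

            $files = new RecursiveIteratorIterator(
                new RecursiveDirectoryIterator($base, FilesystemIterator::SKIP_DOTS)
            );

            foreach ($files as $file) {
                if ($file->getExtension() !== 'php') {
                    continue;
                }
                foreach (file($file->getPathname(), FILE_IGNORE_NEW_LINES) as $i => $line) {
                    if (str_contains($line, self::DEPRECATED_COLUMN)) {
                        // Report repo-relative path and 1-based line number.
                        $offenders[] = sprintf(
                            '%s:%d',
                            substr($file->getPathname(), strlen($root) + 1),
                            $i + 1
                        );
                    }
                }
            }
        }

        self::assertSame(
            [],
            $offenders,
            'users.' . self::DEPRECATED_COLUMN . ' is deprecated; gate platform access via '
            . 'platform_users.capabilities instead. Found in: ' . implode(', ', $offenders)
        );
    }
}
```

A string scan is deliberately crude: it also catches references in raw SQL, query-builder column names and comments that a class-level architecture assertion would miss, at the cost of needing the explicit directory exclusion above.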