Implements 064-auth-structure (Auth Structure v1.0):

Adds platform_users + PlatformUser identity (factory + seeder) for platform operators
Introduces platform auth guard/provider in auth.php
Adds a dedicated Filament v5 System panel at system using guard platform (custom login + dashboard)
Enforces strict cross-scope isolation between /admin and system (deny-as-404)
Adds platform capability gating (platform.access_system_panel, platform.use_break_glass) + gates in AuthServiceProvider
Implements audited break-glass mode (enter/exit/expire), banner via render hook, feature flag + TTL config
Removes legacy users.is_platform_superadmin runtime usage and adds an architecture test to prevent regressions
Updates tenant membership pivot usage where needed (tenant_memberships)

Testing:
vendor/bin/sail artisan test --compact tests/Feature/Auth (28 passed)
vendor/bin/sail bin pint --dirty

Notes:
Filament v5 / Livewire v4 compatible.
Panel providers registered in providers.php.
Destructive actions use ->action(...) + ->requiresConfirmation() where applicable.

Co-authored-by: Ahmed Darrazi <ahmeddarrazi@MacBookPro.fritz.box>
Reviewed-on: #77
51 lines
3.5 KiB
Markdown
# Data Model: Auth Structure

This document defines the database schema changes for the `064-auth-structure` feature.

## New Tables

### `platform_users`

This table stores the authentication and profile information for Platform Operators. These users are managed locally and are entirely separate from the tenant-facing `users` table.

**Purpose**: To provide a dedicated identity store for system administrators and operators, enabling secure access to the `/system` panel.

**Laravel Migration Definition**:

```php
use Illuminate\Database\Schema\Blueprint;
use Illuminate\Support\Facades\Schema;

Schema::create('platform_users', function (Blueprint $table) {
    $table->id();
    $table->string('name');
    $table->string('email')->unique();            // login identifier, unique per operator
    $table->string('password');                   // hashed; never stored in plain text
    $table->jsonb('capabilities')->default('[]'); // e.g. ["platform.use_break_glass"]
    $table->boolean('is_active')->default(true);  // inactive operators cannot log in
    $table->timestamp('last_login_at')->nullable();
    $table->rememberToken();                      // nullable remember_token column
    $table->timestamps();
});
```

### Field Definitions

| Column           | Type                 | Description                                                                          | Notes                              |
|------------------|----------------------|--------------------------------------------------------------------------------------|------------------------------------|
| `id`             | `bigint`, `unsigned` | Primary key.                                                                         | Auto-incrementing.                 |
| `name`           | `string`             | The full name of the platform operator.                                              | Required.                          |
| `email`          | `string`             | The unique email address used for login.                                             | Must be unique across the table.   |
| `password`       | `string`             | The hashed password for the user.                                                    | Never stored in plain text.        |
| `capabilities`   | `jsonb`              | A list of string identifiers for permissions (e.g., `["platform.use_break_glass"]`). | Defaults to an empty array (`[]`). |
| `is_active`      | `boolean`            | Flag to enable or disable the account. Inactive users cannot log in.                 | Defaults to `true`.                |
| `last_login_at`  | `timestamp`          | Records the timestamp of the user's last successful login.                           | Nullable.                          |
| `remember_token` | `string`             | Used by Laravel's "Remember Me" functionality.                                       | Nullable.                          |
| `created_at`     | `timestamp`          | Timestamp of when the record was created.                                            | Managed by Eloquent.               |
| `updated_at`     | `timestamp`          | Timestamp of when the record was last updated.                                       | Managed by Eloquent.               |

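As an added illustration, not code from the repository, this shows how the `capabilities` and `is_active` columns above can back the two gates the feature introduces (`platform.access_system_panel`, `platform.use_break_glass`). The `PlatformUser` model shape, the `hasCapability()` helper and the `registerPlatformGates()` function are assumptions; the typed `PlatformUser` closure parameter is what makes a tenant `User` fail these gates rather than pass by accident.

```php
<?php
// Added example, not the project's code: model + gate wiring backed by the platform_users schema.
namespace App\Models;

use Illuminate\Foundation\Auth\User as Authenticatable;
use Illuminate\Support\Facades\Gate;

class PlatformUser extends Authenticatable
{
    protected $table = 'platform_users';

    protected $hidden = ['password', 'remember_token'];

    // Cast the jsonb column to a PHP array so callers never compare raw JSON strings.
    protected $casts = [
        'capabilities'  => 'array',
        'is_active'     => 'boolean',
        'last_login_at' => 'datetime',
        'password'      => 'hashed',
    ];

    // Exact, case-sensitive capability match; a deactivated operator never passes,
    // so is_active is enforced at authorization time as well as at login.
    public function hasCapability(string $capability): bool
    {
        return $this->is_active
            && in_array($capability, $this->capabilities ?? [], true);
    }
}

// Assumed wiring: call this from AuthServiceProvider::boot().
function registerPlatformGates(): void
{
    foreach (['platform.access_system_panel', 'platform.use_break_glass'] as $ability) {
        // Laravel only invokes the closure when the authenticated user matches the
        // type hint; a tenant `User` (or a guest) is denied without running it.
        Gate::define($ability, fn (PlatformUser $user): bool => $user->hasCapability($ability));
    }
}
```
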
## Modified Tables

No existing tables will be modified as part of the core data model changes.

## Deprecations

- **`users.is_platform_superadmin`**: This column in the `users` table is now considered deprecated. No new code should rely on it for authorization. A separate, future migration will be responsible for its removal after a backfill process is complete.