WAGERBABE DOCS
All Stories
4-2-login-signup-endpointsDoneEpic 4.2

Story 4.2: Login & Signup Endpoints

Status: done

Tasks

  • Task 1: Verify Existing Login Endpoint (AC: 1, 8, 9)
    • 1.1 Review `server/app/api/v1/endpoints/auth/auth.py` login implementation
    • 1.2 Confirm JWT token generation includes: sub (UUID), user_type, user_id, is_agent
    • 1.3 Confirm Redis session caching on login success
    • 1.4 Verify 401 response on invalid credentials (no credential leakage)
    • 1.5 Write/verify integration test: successful login flow
  • Task 2: Verify Existing Signup Endpoint (AC: 2, 4, 9)
    • 2.1 Review signup implementation in auth.py
    • 2.2 Confirm bcrypt password hashing via SupabaseService.create_user()
    • 2.3 Confirm 409 Conflict on duplicate user_id
    • 2.4 Confirm immediate JWT token issuance after signup
    • 2.5 Write/verify integration test: successful signup flow
    • 2.6 Write/verify integration test: duplicate user rejection
  • Task 3: Verify bcrypt Configuration (AC: 3)
    • 3.1 Check passlib bcrypt cost factor in SupabaseService
    • 3.2 If cost != 12, update configuration (UPDATED: bcrypt.gensalt(rounds=12))
    • 3.3 Document bcrypt configuration in auth module docstring
  • Task 4: Install and Configure Rate Limiting (AC: 5, 6, 7)
    • 4.1 Add slowapi to requirements.txt: `slowapi>=0.1.9`
    • 4.2 Create `server/app/middleware/rate_limiting.py` with Limiter configuration
    • 4.3 Define rate limit exceeded handler returning 429 with retry_after
    • 4.4 Configure IP-based key extraction (not user-based to prevent bypass)
  • Task 5: Apply Rate Limits to Auth Endpoints (AC: 5, 6)
    • 5.1 Apply `@limiter.limit("5/minute")` decorator to login endpoint
    • 5.2 Apply `@limiter.limit("10/minute")` decorator to signup endpoint
    • 5.3 Inject Request parameter for IP extraction
    • 5.4 Register limiter in FastAPI app state (main.py)
    • 5.5 Add rate limit exception handler to app
  • Task 6: Password Validation (AC: 3)
    • 6.1 Add password length validation to SignupRequest Pydantic model (min_length=8)
    • 6.2 Return 422 Unprocessable Entity with clear message for invalid password
    • 6.3 Document password requirements in API docs (via docstrings)
  • Task 7: Testing (AC: 1-10)
    • 7.1 Unit test: login with valid credentials returns tokens
    • 7.2 Unit test: login with invalid credentials returns 401
    • 7.3 Unit test: signup creates user and returns tokens
    • 7.4 Unit test: signup with duplicate user_id returns 409
    • 7.5 Unit test: signup with short password returns 400/422
    • 7.6 Integration test: login rate limit enforced after 5 requests
    • 7.7 Integration test: signup rate limit enforced after 10 requests
    • 7.8 Integration test: rate limit response includes retry_after
    • 7.9 Load test: verify rate limits under 100 concurrent requests
  • Task 8: Documentation (AC: 5, 6, 7)
    • 8.1 Update API docs with rate limit information (via docstrings)
    • 8.2 Add rate limiting section to auth endpoint docstrings
    • 8.3 Document rate limit headers in OpenAPI schema (via rate_limiting.py)

Progress

Tasks8/8
Acceptance Criteria0
Total Tasks8

Navigation

View Epic 4.2All Stories