daarion-admin/microdao-daarion
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c230abe9cf3c9b53ff487566ecc966215a2c881b
microdao-daarion/site/security/AUTH_SPEC/index.html
Apple ef3473db21 snapshot: NODE1 production state 2026-02-09 
Complete snapshot of /opt/microdao-daarion/ from NODE1 (144.76.224.179).
This represents the actual running production code that has diverged
significantly from the previous main branch.

Key changes from old main:
- Gateway (http_api.py): expanded from ~40KB to 164KB with full agent support
- Router: new /v1/agents/{id}/infer endpoint with vision + DeepSeek routing
- Behavior Policy: SOWA v2.2 (3-level: FULL/ACK/SILENT)
- Agent Registry: config/agent_registry.yml as single source of truth
- 13 agents configured (was 3)
- Memory service integration
- CrewAI teams and roles

Excluded from snapshot: venv/, .env, data/, backups, .tgz archives

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-09 08:46:46 -08:00

1177 lines
50 KiB
HTML
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
<!doctype html>
<html lang="en" class="no-js">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<link rel="canonical" href="https://IvanTytar.github.io/microdao-daarion/security/AUTH_SPEC/">
<link rel="icon" href="../../assets/images/favicon.png">
<meta name="generator" content="mkdocs-1.5.3, mkdocs-material-9.5.18">
<title>AUTH SPEC — DAARION.city - DAARION Documentation</title>
<link rel="stylesheet" href="../../assets/stylesheets/main.66ac8b77.min.css">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,300i,400,400i,700,700i%7CRoboto+Mono:400,400i,700,700i&display=fallback">
<style>:root{--md-text-font:"Roboto";--md-code-font:"Roboto Mono"}</style>
<script>__md_scope=new URL("../..",location),__md_hash=e=>[...e].reduce((e,_)=>(e<<5)-e+_.charCodeAt(0),0),__md_get=(e,_=localStorage,t=__md_scope)=>JSON.parse(_.getItem(t.pathname+"."+e)),__md_set=(e,_,t=localStorage,a=__md_scope)=>{try{t.setItem(a.pathname+"."+e,JSON.stringify(_))}catch(e){}}</script>
</head>
<body dir="ltr">
<input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
<input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
<label class="md-overlay" for="__drawer"></label>
<div data-md-component="skip">
<a href="#auth-spec-daarioncity" class="md-skip">
Skip to content
</a>
</div>
<div data-md-component="announce">
</div>
<header class="md-header md-header--shadow" data-md-component="header">
<nav class="md-header__inner md-grid" aria-label="Header">
<a href="../.." title="DAARION Documentation" class="md-header__button md-logo" aria-label="DAARION Documentation" data-md-component="logo">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54Z"/></svg>
</a>
<label class="md-header__button md-icon" for="__drawer">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3V6m0 5h18v2H3v-2m0 5h18v2H3v-2Z"/></svg>
</label>
<div class="md-header__title" data-md-component="header-title">
<div class="md-header__ellipsis">
<div class="md-header__topic">
<span class="md-ellipsis">
DAARION Documentation
</span>
</div>
<div class="md-header__topic" data-md-component="header-topic">
<span class="md-ellipsis">
AUTH SPEC — DAARION.city
</span>
</div>
</div>
</div>
<script>var media,input,key,value,palette=__md_get("__palette");if(palette&&palette.color){"(prefers-color-scheme)"===palette.color.media&&(media=matchMedia("(prefers-color-scheme: light)"),input=document.querySelector(media.matches?"[data-md-color-media='(prefers-color-scheme: light)']":"[data-md-color-media='(prefers-color-scheme: dark)']"),palette.color.media=input.getAttribute("data-md-color-media"),palette.color.scheme=input.getAttribute("data-md-color-scheme"),palette.color.primary=input.getAttribute("data-md-color-primary"),palette.color.accent=input.getAttribute("data-md-color-accent"));for([key,value]of Object.entries(palette.color))document.body.setAttribute("data-md-color-"+key,value)}</script>
<label class="md-header__button md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z"/></svg>
</label>
<div class="md-search" data-md-component="search" role="dialog">
<label class="md-search__overlay" for="__search"></label>
<div class="md-search__inner" role="search">
<form class="md-search__form" name="search">
<input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" required>
<label class="md-search__icon md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z"/></svg>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12Z"/></svg>
</label>
<nav class="md-search__options" aria-label="Search">
<button type="reset" class="md-search__icon md-icon" title="Clear" aria-label="Clear" tabindex="-1">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12 19 6.41Z"/></svg>
</button>
</nav>
</form>
<div class="md-search__output">
<div class="md-search__scrollwrap" data-md-scrollfix>
<div class="md-search-result" data-md-component="search-result">
<div class="md-search-result__meta">
Initializing search
</div>
<ol class="md-search-result__list" role="presentation"></ol>
</div>
</div>
</div>
</div>
</div>
</nav>
</header>
<div class="md-container" data-md-component="container">
<main class="md-main" data-md-component="main">
<div class="md-main__inner md-grid">
<div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--primary" aria-label="Navigation" data-md-level="0">
<label class="md-nav__title" for="__drawer">
<a href="../.." title="DAARION Documentation" class="md-nav__button md-logo" aria-label="DAARION Documentation" data-md-component="logo">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54Z"/></svg>
</a>
DAARION Documentation
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../public/" class="md-nav__link">
<span class="md-ellipsis">
Home
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../public/getting-started/" class="md-nav__link">
<span class="md-ellipsis">
Getting Started
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../public/architecture-overview/" class="md-nav__link">
<span class="md-ellipsis">
Architecture
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../public/daiS_daos_overview/" class="md-nav__link">
<span class="md-ellipsis">
DAIS & DAOS
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--section md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_5" >
<label class="md-nav__link" for="__nav_5" id="__nav_5_label" tabindex="">
<span class="md-ellipsis">
Internal
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_5_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_5">
<span class="md-nav__icon md-icon"></span>
Internal
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_5_1" >
<label class="md-nav__link" for="__nav_5_1" id="__nav_5_1_label" tabindex="0">
<span class="md-ellipsis">
Infra
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_5_1_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_5_1">
<span class="md-nav__icon md-icon"></span>
Infra
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../internal/infra/INFRA_AUTOMATION_PACK_V1/" class="md-nav__link">
<span class="md-ellipsis">
Infra Automation Pack v1
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../internal/infra/monitoring_overview/" class="md-nav__link">
<span class="md-ellipsis">
Monitoring Overview
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../internal/infra/nodes_registry_v0/" class="md-nav__link">
<span class="md-ellipsis">
Nodes Registry v0
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_5_2" >
<label class="md-nav__link" for="__nav_5_2" id="__nav_5_2_label" tabindex="0">
<span class="md-ellipsis">
Specs
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_5_2_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_5_2">
<span class="md-nav__icon md-icon"></span>
Specs
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../internal/specs/matrix_presence_aggregator/" class="md-nav__link">
<span class="md-ellipsis">
Matrix Presence Aggregator
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../internal/specs/city_map_spec/" class="md-nav__link">
<span class="md-ellipsis">
City Map Spec
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../internal/specs/node_join_protocol_draft/" class="md-nav__link">
<span class="md-ellipsis">
Node Join Protocol (Draft)
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-sidebar md-sidebar--secondary" data-md-component="sidebar" data-md-type="toc" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#0-purpose" class="md-nav__link">
<span class="md-ellipsis">
0. PURPOSE
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#1-architecture-overview" class="md-nav__link">
<span class="md-ellipsis">
1. ARCHITECTURE OVERVIEW
</span>
</a>
<nav class="md-nav" aria-label="1. ARCHITECTURE OVERVIEW">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#11-auth-service" class="md-nav__link">
<span class="md-ellipsis">
1.1. Auth Service
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#12" class="md-nav__link">
<span class="md-ellipsis">
1.2. Інші сервіси
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#2-data-model-postgresql" class="md-nav__link">
<span class="md-ellipsis">
2. DATA MODEL (PostgreSQL)
</span>
</a>
<nav class="md-nav" aria-label="2. DATA MODEL (PostgreSQL)">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#21-auth_users" class="md-nav__link">
<span class="md-ellipsis">
2.1. auth_users
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#22-auth_roles" class="md-nav__link">
<span class="md-ellipsis">
2.2. auth_roles
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#23-auth_user_roles" class="md-nav__link">
<span class="md-ellipsis">
2.3. auth_user_roles
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#24-auth_sessions" class="md-nav__link">
<span class="md-ellipsis">
2.4. auth_sessions
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#3-token-model-jwt" class="md-nav__link">
<span class="md-ellipsis">
3. TOKEN MODEL (JWT)
</span>
</a>
<nav class="md-nav" aria-label="3. TOKEN MODEL (JWT)">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#31-access-token" class="md-nav__link">
<span class="md-ellipsis">
3.1. Access token
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#32-refresh-token" class="md-nav__link">
<span class="md-ellipsis">
3.2. Refresh token
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#4-http-api-public" class="md-nav__link">
<span class="md-ellipsis">
4. HTTP API (PUBLIC)
</span>
</a>
<nav class="md-nav" aria-label="4. HTTP API (PUBLIC)">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#41-post-apiauthregister" class="md-nav__link">
<span class="md-ellipsis">
4.1. POST /api/auth/register
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#42-post-apiauthlogin" class="md-nav__link">
<span class="md-ellipsis">
4.2. POST /api/auth/login
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#43-post-apiauthrefresh" class="md-nav__link">
<span class="md-ellipsis">
4.3. POST /api/auth/refresh
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#44-post-apiauthlogout" class="md-nav__link">
<span class="md-ellipsis">
4.4. POST /api/auth/logout
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#45-get-apiauthme" class="md-nav__link">
<span class="md-ellipsis">
4.5. GET /api/auth/me
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#5-http-api-internal" class="md-nav__link">
<span class="md-ellipsis">
5. HTTP API (INTERNAL)
</span>
</a>
<nav class="md-nav" aria-label="5. HTTP API (INTERNAL)">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#51-post-apiauthintrospect" class="md-nav__link">
<span class="md-ellipsis">
5.1. POST /api/auth/introspect
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#6-healthcheck" class="md-nav__link">
<span class="md-ellipsis">
6. HEALTHCHECK
</span>
</a>
<nav class="md-nav" aria-label="6. HEALTHCHECK">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#get-healthz" class="md-nav__link">
<span class="md-ellipsis">
GET /healthz
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#7-configuration-env" class="md-nav__link">
<span class="md-ellipsis">
7. CONFIGURATION (ENV)
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#8-security-notes" class="md-nav__link">
<span class="md-ellipsis">
8. SECURITY NOTES
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#9-roadmap-post-mvp" class="md-nav__link">
<span class="md-ellipsis">
9. ROADMAP (POST-MVP)
</span>
</a>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-content" data-md-component="content">
<article class="md-content__inner md-typeset">
<h1 id="auth-spec-daarioncity">AUTH SPEC — DAARION.city<a class="headerlink" href="#auth-spec-daarioncity" title="Permanent link">&para;</a></h1>
<p>Version: 1.0.0</p>
<hr />
<h2 id="0-purpose">0. PURPOSE<a class="headerlink" href="#0-purpose" title="Permanent link">&para;</a></h2>
<p>Цей документ описує базову систему автентифікації та авторизації для DAARION.city:</p>
<ul>
<li>єдину модель користувача (<code>user_id</code>) для:</li>
<li>фронтенду (web/PWA),</li>
<li>Matrix/chat інтеграції,</li>
<li>MicroDAO governance,</li>
<li>Agents Service,</li>
<li>SecondMe.</li>
<li>механізм логіну/логауту (JWT access + refresh tokens),</li>
<li>базову RBAC (roles/permissions),</li>
<li>інтеграцію з існуючими сервісами (agents, microdao, city, secondme).</li>
</ul>
<p>Фокус цієї версії — <strong>MVP-рівень</strong>:</p>
<ul>
<li>Password-based login (email + password) + готовність до OAuth (Google/Telegram) як наступний крок.</li>
<li>JWT токени (access + refresh).</li>
<li>Мінімальний набір ролей (<code>user</code>, <code>admin</code>, <code>agent-system</code>).</li>
<li>Захист основних API (governance, agents, secondme private).</li>
</ul>
<hr />
<h2 id="1-architecture-overview">1. ARCHITECTURE OVERVIEW<a class="headerlink" href="#1-architecture-overview" title="Permanent link">&para;</a></h2>
<h3 id="11-auth-service">1.1. Auth Service<a class="headerlink" href="#11-auth-service" title="Permanent link">&para;</a></h3>
<p>Окремий сервіс <code>auth-service</code> (порт: <strong>7020</strong>):</p>
<div class="codehilite"><pre><span></span><code>[ Web / PWA / Matrix Gateway ]
[ Auth Service (7020) ]
[ PostgreSQL (auth tables) + Redis (sessions cache) ]
[ JWT токени для інших сервісів ]
</code></pre></div>
<p>Auth Service:</p>
<ul>
<li>реєструє користувачів,</li>
<li>зберігає хеші паролів,</li>
<li>видає JWT access/refresh токени,</li>
<li>перевіряє токени (через shared secret / public key),</li>
<li>надає API для інших сервісів (<code>/auth/introspect</code>).</li>
</ul>
<h3 id="12">1.2. Інші сервіси<a class="headerlink" href="#12" title="Permanent link">&para;</a></h3>
<ul>
<li><code>Agents Service</code>, <code>MicroDAO Service</code>, <code>SecondMe</code>, <code>City Service</code>:</li>
<li>отримують JWT у <code>Authorization: Bearer &lt;token&gt;</code>,</li>
<li>валідують його (прямо або через Auth Service),</li>
<li>витягують <code>user_id</code>, <code>roles</code>, <code>scopes</code>.</li>
</ul>
<hr />
<h2 id="2-data-model-postgresql">2. DATA MODEL (PostgreSQL)<a class="headerlink" href="#2-data-model-postgresql" title="Permanent link">&para;</a></h2>
<h3 id="21-auth_users">2.1. auth_users<a class="headerlink" href="#21-auth_users" title="Permanent link">&para;</a></h3>
<div class="codehilite"><pre><span></span><code><span class="k">CREATE</span><span class="w"> </span><span class="k">TABLE</span><span class="w"> </span><span class="n">auth_users</span><span class="w"> </span><span class="p">(</span>
<span class="w"> </span><span class="n">id</span><span class="w"> </span><span class="n">UUID</span><span class="w"> </span><span class="k">PRIMARY</span><span class="w"> </span><span class="k">KEY</span><span class="w"> </span><span class="k">DEFAULT</span><span class="w"> </span><span class="n">gen_random_uuid</span><span class="p">(),</span>
<span class="w"> </span><span class="n">email</span><span class="w"> </span><span class="nb">TEXT</span><span class="w"> </span><span class="k">UNIQUE</span><span class="w"> </span><span class="k">NOT</span><span class="w"> </span><span class="k">NULL</span><span class="p">,</span>
<span class="w"> </span><span class="n">password_hash</span><span class="w"> </span><span class="nb">TEXT</span><span class="w"> </span><span class="k">NOT</span><span class="w"> </span><span class="k">NULL</span><span class="p">,</span>
<span class="w"> </span><span class="n">display_name</span><span class="w"> </span><span class="nb">TEXT</span><span class="p">,</span>
<span class="w"> </span><span class="n">avatar_url</span><span class="w"> </span><span class="nb">TEXT</span><span class="p">,</span>
<span class="w"> </span><span class="n">is_active</span><span class="w"> </span><span class="nb">BOOLEAN</span><span class="w"> </span><span class="k">NOT</span><span class="w"> </span><span class="k">NULL</span><span class="w"> </span><span class="k">DEFAULT</span><span class="w"> </span><span class="k">TRUE</span><span class="p">,</span>
<span class="w"> </span><span class="n">is_admin</span><span class="w"> </span><span class="nb">BOOLEAN</span><span class="w"> </span><span class="k">NOT</span><span class="w"> </span><span class="k">NULL</span><span class="w"> </span><span class="k">DEFAULT</span><span class="w"> </span><span class="k">FALSE</span><span class="p">,</span>
<span class="w"> </span><span class="n">locale</span><span class="w"> </span><span class="nb">TEXT</span><span class="w"> </span><span class="k">DEFAULT</span><span class="w"> </span><span class="s1">&#39;uk&#39;</span><span class="p">,</span>
<span class="w"> </span><span class="n">timezone</span><span class="w"> </span><span class="nb">TEXT</span><span class="w"> </span><span class="k">DEFAULT</span><span class="w"> </span><span class="s1">&#39;Europe/Kyiv&#39;</span><span class="p">,</span>
<span class="w"> </span><span class="n">meta</span><span class="w"> </span><span class="n">JSONB</span><span class="w"> </span><span class="k">DEFAULT</span><span class="w"> </span><span class="s1">&#39;{}&#39;</span><span class="p">::</span><span class="n">jsonb</span><span class="p">,</span>
<span class="w"> </span><span class="n">created_at</span><span class="w"> </span><span class="n">TIMESTAMPTZ</span><span class="w"> </span><span class="k">NOT</span><span class="w"> </span><span class="k">NULL</span><span class="w"> </span><span class="k">DEFAULT</span><span class="w"> </span><span class="n">now</span><span class="p">(),</span>
<span class="w"> </span><span class="n">updated_at</span><span class="w"> </span><span class="n">TIMESTAMPTZ</span><span class="w"> </span><span class="k">NOT</span><span class="w"> </span><span class="k">NULL</span><span class="w"> </span><span class="k">DEFAULT</span><span class="w"> </span><span class="n">now</span><span class="p">()</span>
<span class="p">);</span>
<span class="k">CREATE</span><span class="w"> </span><span class="k">INDEX</span><span class="w"> </span><span class="n">ix_auth_users_email</span><span class="w"> </span><span class="k">ON</span><span class="w"> </span><span class="n">auth_users</span><span class="p">(</span><span class="n">email</span><span class="p">);</span>
</code></pre></div>
<h3 id="22-auth_roles">2.2. auth_roles<a class="headerlink" href="#22-auth_roles" title="Permanent link">&para;</a></h3>
<div class="codehilite"><pre><span></span><code><span class="k">CREATE</span><span class="w"> </span><span class="k">TABLE</span><span class="w"> </span><span class="n">auth_roles</span><span class="w"> </span><span class="p">(</span>
<span class="w"> </span><span class="n">id</span><span class="w"> </span><span class="nb">TEXT</span><span class="w"> </span><span class="k">PRIMARY</span><span class="w"> </span><span class="k">KEY</span><span class="p">,</span><span class="w"> </span><span class="c1">-- &#39;user&#39; | &#39;admin&#39; | &#39;agent-system&#39;</span>
<span class="w"> </span><span class="n">description</span><span class="w"> </span><span class="nb">TEXT</span>
<span class="p">);</span>
<span class="k">INSERT</span><span class="w"> </span><span class="k">INTO</span><span class="w"> </span><span class="n">auth_roles</span><span class="w"> </span><span class="p">(</span><span class="n">id</span><span class="p">,</span><span class="w"> </span><span class="n">description</span><span class="p">)</span><span class="w"> </span><span class="k">VALUES</span>
<span class="w"> </span><span class="p">(</span><span class="s1">&#39;user&#39;</span><span class="p">,</span><span class="w"> </span><span class="s1">&#39;Regular user&#39;</span><span class="p">),</span>
<span class="w"> </span><span class="p">(</span><span class="s1">&#39;admin&#39;</span><span class="p">,</span><span class="w"> </span><span class="s1">&#39;Administrator&#39;</span><span class="p">),</span>
<span class="w"> </span><span class="p">(</span><span class="s1">&#39;agent-system&#39;</span><span class="p">,</span><span class="w"> </span><span class="s1">&#39;System agent&#39;</span><span class="p">);</span>
</code></pre></div>
<h3 id="23-auth_user_roles">2.3. auth_user_roles<a class="headerlink" href="#23-auth_user_roles" title="Permanent link">&para;</a></h3>
<div class="codehilite"><pre><span></span><code><span class="k">CREATE</span><span class="w"> </span><span class="k">TABLE</span><span class="w"> </span><span class="n">auth_user_roles</span><span class="w"> </span><span class="p">(</span>
<span class="w"> </span><span class="n">user_id</span><span class="w"> </span><span class="n">UUID</span><span class="w"> </span><span class="k">NOT</span><span class="w"> </span><span class="k">NULL</span><span class="w"> </span><span class="k">REFERENCES</span><span class="w"> </span><span class="n">auth_users</span><span class="p">(</span><span class="n">id</span><span class="p">)</span><span class="w"> </span><span class="k">ON</span><span class="w"> </span><span class="k">DELETE</span><span class="w"> </span><span class="k">CASCADE</span><span class="p">,</span>
<span class="w"> </span><span class="n">role_id</span><span class="w"> </span><span class="nb">TEXT</span><span class="w"> </span><span class="k">NOT</span><span class="w"> </span><span class="k">NULL</span><span class="w"> </span><span class="k">REFERENCES</span><span class="w"> </span><span class="n">auth_roles</span><span class="p">(</span><span class="n">id</span><span class="p">)</span><span class="w"> </span><span class="k">ON</span><span class="w"> </span><span class="k">DELETE</span><span class="w"> </span><span class="k">CASCADE</span><span class="p">,</span>
<span class="w"> </span><span class="k">PRIMARY</span><span class="w"> </span><span class="k">KEY</span><span class="w"> </span><span class="p">(</span><span class="n">user_id</span><span class="p">,</span><span class="w"> </span><span class="n">role_id</span><span class="p">)</span>
<span class="p">);</span>
</code></pre></div>
<h3 id="24-auth_sessions">2.4. auth_sessions<a class="headerlink" href="#24-auth_sessions" title="Permanent link">&para;</a></h3>
<div class="codehilite"><pre><span></span><code><span class="k">CREATE</span><span class="w"> </span><span class="k">TABLE</span><span class="w"> </span><span class="n">auth_sessions</span><span class="w"> </span><span class="p">(</span>
<span class="w"> </span><span class="n">id</span><span class="w"> </span><span class="n">UUID</span><span class="w"> </span><span class="k">PRIMARY</span><span class="w"> </span><span class="k">KEY</span><span class="w"> </span><span class="k">DEFAULT</span><span class="w"> </span><span class="n">gen_random_uuid</span><span class="p">(),</span>
<span class="w"> </span><span class="n">user_id</span><span class="w"> </span><span class="n">UUID</span><span class="w"> </span><span class="k">NOT</span><span class="w"> </span><span class="k">NULL</span><span class="w"> </span><span class="k">REFERENCES</span><span class="w"> </span><span class="n">auth_users</span><span class="p">(</span><span class="n">id</span><span class="p">)</span><span class="w"> </span><span class="k">ON</span><span class="w"> </span><span class="k">DELETE</span><span class="w"> </span><span class="k">CASCADE</span><span class="p">,</span>
<span class="w"> </span><span class="n">user_agent</span><span class="w"> </span><span class="nb">TEXT</span><span class="p">,</span>
<span class="w"> </span><span class="n">ip_address</span><span class="w"> </span><span class="n">INET</span><span class="p">,</span>
<span class="w"> </span><span class="n">created_at</span><span class="w"> </span><span class="n">TIMESTAMPTZ</span><span class="w"> </span><span class="k">NOT</span><span class="w"> </span><span class="k">NULL</span><span class="w"> </span><span class="k">DEFAULT</span><span class="w"> </span><span class="n">now</span><span class="p">(),</span>
<span class="w"> </span><span class="n">expires_at</span><span class="w"> </span><span class="n">TIMESTAMPTZ</span><span class="w"> </span><span class="k">NOT</span><span class="w"> </span><span class="k">NULL</span><span class="p">,</span>
<span class="w"> </span><span class="n">revoked_at</span><span class="w"> </span><span class="n">TIMESTAMPTZ</span><span class="p">,</span>
<span class="w"> </span><span class="n">meta</span><span class="w"> </span><span class="n">JSONB</span><span class="w"> </span><span class="k">DEFAULT</span><span class="w"> </span><span class="s1">&#39;{}&#39;</span><span class="p">::</span><span class="n">jsonb</span>
<span class="p">);</span>
<span class="k">CREATE</span><span class="w"> </span><span class="k">INDEX</span><span class="w"> </span><span class="n">ix_auth_sessions_user_id</span><span class="w"> </span><span class="k">ON</span><span class="w"> </span><span class="n">auth_sessions</span><span class="p">(</span><span class="n">user_id</span><span class="p">);</span>
<span class="k">CREATE</span><span class="w"> </span><span class="k">INDEX</span><span class="w"> </span><span class="n">ix_auth_sessions_expires</span><span class="w"> </span><span class="k">ON</span><span class="w"> </span><span class="n">auth_sessions</span><span class="p">(</span><span class="n">expires_at</span><span class="p">);</span>
</code></pre></div>
<hr />
<h2 id="3-token-model-jwt">3. TOKEN MODEL (JWT)<a class="headerlink" href="#3-token-model-jwt" title="Permanent link">&para;</a></h2>
<h3 id="31-access-token">3.1. Access token<a class="headerlink" href="#31-access-token" title="Permanent link">&para;</a></h3>
<ul>
<li>Формат: JWT (HS256).</li>
<li>Термін дії: 30 хвилин.</li>
<li>Payload:</li>
</ul>
<div class="codehilite"><pre><span></span><code><span class="p">{</span>
<span class="w"> </span><span class="nt">&quot;sub&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;user_id-uuid&quot;</span><span class="p">,</span>
<span class="w"> </span><span class="nt">&quot;email&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;user@example.com&quot;</span><span class="p">,</span>
<span class="w"> </span><span class="nt">&quot;name&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;Display Name&quot;</span><span class="p">,</span>
<span class="w"> </span><span class="nt">&quot;roles&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&quot;user&quot;</span><span class="p">],</span>
<span class="w"> </span><span class="nt">&quot;iat&quot;</span><span class="p">:</span><span class="w"> </span><span class="mi">1732590000</span><span class="p">,</span>
<span class="w"> </span><span class="nt">&quot;exp&quot;</span><span class="p">:</span><span class="w"> </span><span class="mi">1732591800</span><span class="p">,</span>
<span class="w"> </span><span class="nt">&quot;iss&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;daarion-auth&quot;</span><span class="p">,</span>
<span class="w"> </span><span class="nt">&quot;type&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;access&quot;</span>
<span class="p">}</span>
</code></pre></div>
<h3 id="32-refresh-token">3.2. Refresh token<a class="headerlink" href="#32-refresh-token" title="Permanent link">&para;</a></h3>
<ul>
<li>Формат: JWT (HS256).</li>
<li>Термін дії: 7 днів.</li>
<li>Payload:</li>
</ul>
<div class="codehilite"><pre><span></span><code><span class="p">{</span>
<span class="w"> </span><span class="nt">&quot;sub&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;user_id-uuid&quot;</span><span class="p">,</span>
<span class="w"> </span><span class="nt">&quot;session_id&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;session-uuid&quot;</span><span class="p">,</span>
<span class="w"> </span><span class="nt">&quot;iat&quot;</span><span class="p">:</span><span class="w"> </span><span class="mi">1732590000</span><span class="p">,</span>
<span class="w"> </span><span class="nt">&quot;exp&quot;</span><span class="p">:</span><span class="w"> </span><span class="mi">1733194800</span><span class="p">,</span>
<span class="w"> </span><span class="nt">&quot;iss&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;daarion-auth&quot;</span><span class="p">,</span>
<span class="w"> </span><span class="nt">&quot;type&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;refresh&quot;</span>
<span class="p">}</span>
</code></pre></div>
<hr />
<h2 id="4-http-api-public">4. HTTP API (PUBLIC)<a class="headerlink" href="#4-http-api-public" title="Permanent link">&para;</a></h2>
<p>Базовий шлях: <code>/api/auth/...</code>.</p>
<h3 id="41-post-apiauthregister">4.1. <code>POST /api/auth/register</code><a class="headerlink" href="#41-post-apiauthregister" title="Permanent link">&para;</a></h3>
<p><strong>Request:</strong></p>
<div class="codehilite"><pre><span></span><code><span class="p">{</span>
<span class="w"> </span><span class="nt">&quot;email&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;user@example.com&quot;</span><span class="p">,</span>
<span class="w"> </span><span class="nt">&quot;password&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;StrongPassword123&quot;</span><span class="p">,</span>
<span class="w"> </span><span class="nt">&quot;display_name&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;Alex&quot;</span>
<span class="p">}</span>
</code></pre></div>
<p><strong>Response (201):</strong></p>
<div class="codehilite"><pre><span></span><code><span class="p">{</span>
<span class="w"> </span><span class="nt">&quot;user_id&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;uuid&quot;</span><span class="p">,</span>
<span class="w"> </span><span class="nt">&quot;email&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;user@example.com&quot;</span><span class="p">,</span>
<span class="w"> </span><span class="nt">&quot;display_name&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;Alex&quot;</span><span class="p">,</span>
<span class="w"> </span><span class="nt">&quot;roles&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&quot;user&quot;</span><span class="p">]</span>
<span class="p">}</span>
</code></pre></div>
<h3 id="42-post-apiauthlogin">4.2. <code>POST /api/auth/login</code><a class="headerlink" href="#42-post-apiauthlogin" title="Permanent link">&para;</a></h3>
<p><strong>Request:</strong></p>
<div class="codehilite"><pre><span></span><code><span class="p">{</span>
<span class="w"> </span><span class="nt">&quot;email&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;user@example.com&quot;</span><span class="p">,</span>
<span class="w"> </span><span class="nt">&quot;password&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;StrongPassword123&quot;</span>
<span class="p">}</span>
</code></pre></div>
<p><strong>Response (200):</strong></p>
<div class="codehilite"><pre><span></span><code><span class="p">{</span>
<span class="w"> </span><span class="nt">&quot;access_token&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;&lt;JWT_ACCESS&gt;&quot;</span><span class="p">,</span>
<span class="w"> </span><span class="nt">&quot;refresh_token&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;&lt;JWT_REFRESH&gt;&quot;</span><span class="p">,</span>
<span class="w"> </span><span class="nt">&quot;token_type&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;Bearer&quot;</span><span class="p">,</span>
<span class="w"> </span><span class="nt">&quot;expires_in&quot;</span><span class="p">:</span><span class="w"> </span><span class="mi">1800</span><span class="p">,</span>
<span class="w"> </span><span class="nt">&quot;user&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nt">&quot;id&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;uuid&quot;</span><span class="p">,</span>
<span class="w"> </span><span class="nt">&quot;email&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;user@example.com&quot;</span><span class="p">,</span>
<span class="w"> </span><span class="nt">&quot;display_name&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;Alex&quot;</span><span class="p">,</span>
<span class="w"> </span><span class="nt">&quot;roles&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&quot;user&quot;</span><span class="p">]</span>
<span class="w"> </span><span class="p">}</span>
<span class="p">}</span>
</code></pre></div>
<h3 id="43-post-apiauthrefresh">4.3. <code>POST /api/auth/refresh</code><a class="headerlink" href="#43-post-apiauthrefresh" title="Permanent link">&para;</a></h3>
<p><strong>Request:</strong></p>
<div class="codehilite"><pre><span></span><code><span class="p">{</span>
<span class="w"> </span><span class="nt">&quot;refresh_token&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;&lt;JWT_REFRESH&gt;&quot;</span>
<span class="p">}</span>
</code></pre></div>
<p><strong>Response (200):</strong></p>
<div class="codehilite"><pre><span></span><code><span class="p">{</span>
<span class="w"> </span><span class="nt">&quot;access_token&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;&lt;NEW_JWT_ACCESS&gt;&quot;</span><span class="p">,</span>
<span class="w"> </span><span class="nt">&quot;refresh_token&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;&lt;NEW_JWT_REFRESH&gt;&quot;</span><span class="p">,</span>
<span class="w"> </span><span class="nt">&quot;token_type&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;Bearer&quot;</span><span class="p">,</span>
<span class="w"> </span><span class="nt">&quot;expires_in&quot;</span><span class="p">:</span><span class="w"> </span><span class="mi">1800</span>
<span class="p">}</span>
</code></pre></div>
<h3 id="44-post-apiauthlogout">4.4. <code>POST /api/auth/logout</code><a class="headerlink" href="#44-post-apiauthlogout" title="Permanent link">&para;</a></h3>
<p><strong>Request:</strong></p>
<div class="codehilite"><pre><span></span><code><span class="p">{</span>
<span class="w"> </span><span class="nt">&quot;refresh_token&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;&lt;JWT_REFRESH&gt;&quot;</span>
<span class="p">}</span>
</code></pre></div>
<p><strong>Response:</strong></p>
<div class="codehilite"><pre><span></span><code><span class="p">{</span>
<span class="w"> </span><span class="nt">&quot;status&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;ok&quot;</span>
<span class="p">}</span>
</code></pre></div>
<h3 id="45-get-apiauthme">4.5. <code>GET /api/auth/me</code><a class="headerlink" href="#45-get-apiauthme" title="Permanent link">&para;</a></h3>
<p><strong>Headers:</strong> <code>Authorization: Bearer &lt;access_token&gt;</code></p>
<p><strong>Response (200):</strong></p>
<div class="codehilite"><pre><span></span><code><span class="p">{</span>
<span class="w"> </span><span class="nt">&quot;id&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;uuid&quot;</span><span class="p">,</span>
<span class="w"> </span><span class="nt">&quot;email&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;user@example.com&quot;</span><span class="p">,</span>
<span class="w"> </span><span class="nt">&quot;display_name&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;Alex&quot;</span><span class="p">,</span>
<span class="w"> </span><span class="nt">&quot;avatar_url&quot;</span><span class="p">:</span><span class="w"> </span><span class="kc">null</span><span class="p">,</span>
<span class="w"> </span><span class="nt">&quot;roles&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&quot;user&quot;</span><span class="p">],</span>
<span class="w"> </span><span class="nt">&quot;created_at&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;2025-11-26T10:00:00Z&quot;</span>
<span class="p">}</span>
</code></pre></div>
<hr />
<h2 id="5-http-api-internal">5. HTTP API (INTERNAL)<a class="headerlink" href="#5-http-api-internal" title="Permanent link">&para;</a></h2>
<h3 id="51-post-apiauthintrospect">5.1. <code>POST /api/auth/introspect</code><a class="headerlink" href="#51-post-apiauthintrospect" title="Permanent link">&para;</a></h3>
<p><strong>Request:</strong></p>
<div class="codehilite"><pre><span></span><code><span class="p">{</span>
<span class="w"> </span><span class="nt">&quot;token&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;&lt;JWT_ACCESS&gt;&quot;</span>
<span class="p">}</span>
</code></pre></div>
<p><strong>Response (200, valid):</strong></p>
<div class="codehilite"><pre><span></span><code><span class="p">{</span>
<span class="w"> </span><span class="nt">&quot;active&quot;</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span>
<span class="w"> </span><span class="nt">&quot;sub&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;user_id-uuid&quot;</span><span class="p">,</span>
<span class="w"> </span><span class="nt">&quot;email&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;user@example.com&quot;</span><span class="p">,</span>
<span class="w"> </span><span class="nt">&quot;roles&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&quot;user&quot;</span><span class="p">],</span>
<span class="w"> </span><span class="nt">&quot;exp&quot;</span><span class="p">:</span><span class="w"> </span><span class="mi">1732591800</span>
<span class="p">}</span>
</code></pre></div>
<p><strong>Response (200, invalid):</strong></p>
<div class="codehilite"><pre><span></span><code><span class="p">{</span>
<span class="w"> </span><span class="nt">&quot;active&quot;</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span>
<span class="p">}</span>
</code></pre></div>
<hr />
<h2 id="6-healthcheck">6. HEALTHCHECK<a class="headerlink" href="#6-healthcheck" title="Permanent link">&para;</a></h2>
<h3 id="get-healthz"><code>GET /healthz</code><a class="headerlink" href="#get-healthz" title="Permanent link">&para;</a></h3>
<div class="codehilite"><pre><span></span><code><span class="p">{</span>
<span class="w"> </span><span class="nt">&quot;status&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;ok&quot;</span><span class="p">,</span>
<span class="w"> </span><span class="nt">&quot;service&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;auth-service&quot;</span><span class="p">,</span>
<span class="w"> </span><span class="nt">&quot;version&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;1.0.0&quot;</span>
<span class="p">}</span>
</code></pre></div>
<hr />
<h2 id="7-configuration-env">7. CONFIGURATION (ENV)<a class="headerlink" href="#7-configuration-env" title="Permanent link">&para;</a></h2>
<div class="codehilite"><pre><span></span><code><span class="n">AUTH_SERVICE_PORT</span><span class="o">=</span><span class="mi">7020</span>
<span class="n">AUTH_DB_DSN</span><span class="o">=</span><span class="nl">postgresql</span><span class="p">:</span><span class="o">//</span><span class="k">user</span><span class="err">:</span><span class="n">pass</span><span class="nv">@postgres</span><span class="err">:</span><span class="mi">5432</span><span class="o">/</span><span class="n">daarion</span>
<span class="n">AUTH_JWT_SECRET</span><span class="o">=</span><span class="n">your</span><span class="o">-</span><span class="n">very</span><span class="o">-</span><span class="n">long</span><span class="o">-</span><span class="n">secret</span><span class="o">-</span><span class="k">key</span><span class="o">-</span><span class="n">here</span>
<span class="n">AUTH_ACCESS_TOKEN_TTL</span><span class="o">=</span><span class="mi">1800</span>
<span class="n">AUTH_REFRESH_TOKEN_TTL</span><span class="o">=</span><span class="mi">604800</span>
<span class="n">AUTH_BCRYPT_ROUNDS</span><span class="o">=</span><span class="mi">12</span>
</code></pre></div>
<hr />
<h2 id="8-security-notes">8. SECURITY NOTES<a class="headerlink" href="#8-security-notes" title="Permanent link">&para;</a></h2>
<ul>
<li>Паролі зберігати тільки як <code>bcrypt</code> hash.</li>
<li>JWT secret — довгий (мінімум 32 символи), збережений у <code>.env</code>.</li>
<li>Rate limiting для <code>/auth/login</code> (захист від brute force).</li>
<li>Логи не повинні писати паролі / токени.</li>
<li>HTTPS обов'язковий у production.</li>
</ul>
<hr />
<h2 id="9-roadmap-post-mvp">9. ROADMAP (POST-MVP)<a class="headerlink" href="#9-roadmap-post-mvp" title="Permanent link">&para;</a></h2>
<ul>
<li>OAuth2 / OIDC (Google, GitHub, Telegram).</li>
<li>WebAuthn / passkeys.</li>
<li>Device-level identity (звʼязок із Matrix devices).</li>
<li>On-chain identity (wallet + DID).</li>
<li>Email verification.</li>
<li>Password reset flow.</li>
</ul>
</article>
</div>
<script>var target=document.getElementById(location.hash.slice(1));target&&target.name&&(target.checked=target.name.startsWith("__tabbed_"))</script>
</div>
</main>
<footer class="md-footer">
<div class="md-footer-meta md-typeset">
<div class="md-footer-meta__inner md-grid">
<div class="md-copyright">
Made with
<a href="https://squidfunk.github.io/mkdocs-material/" target="_blank" rel="noopener">
Material for MkDocs
</a>
</div>
</div>
</div>
</footer>
</div>
<div class="md-dialog" data-md-component="dialog">
<div class="md-dialog__inner md-typeset"></div>
</div>
<script id="__config" type="application/json">{"base": "../..", "features": ["navigation.sections", "navigation.instant", "content.code.copy"], "search": "../../assets/javascripts/workers/search.b8dbb3d2.min.js", "translations": {"clipboard.copied": "Copied to clipboard", "clipboard.copy": "Copy to clipboard", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.placeholder": "Type to start searching", "search.result.term.missing": "Missing", "select.version": "Select version"}}</script>
<script src="../../assets/javascripts/bundle.3220b9d7.min.js"></script>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink