Spec — auth (new capability)
Arova Nexus

ADDED Requirements

Requirement: 首次安裝 bootstrap 流程

Summary: 平台首次啟動 MUST 自動導向 /bootstrap,收集第一個 Admin 帳號(username / 顯示名稱 / email / 密碼),完成後自動登入並 SHALL 標記不可重入。

The system MUST present a one-time /bootstrap flow on first launch that captures the inaugural Admin account (username, display name, email, password), creates the account, marks bootstrap_completed = true, auto-logs the user in, and writes an audit record. The flow MUST NOT be reachable after completion.

Scenario: 首次安裝 cold start 自動進 bootstrap

Scenario: 成功建立第一個 Admin 並自動登入

Scenario: Bootstrap 完成後再訪問 `/bootstrap` 被拒

Scenario: Bootstrap 過程中設定弱密碼被拒

Edge Cases


Requirement: 密碼強度策略可調且有產品下限

Summary: Admin 可在 Settings 調整密碼策略(最少字數 / 必須包含類型),但系統 MUST 強制下限為 8 字 + 含數字,SHALL NOT 低於此線。

The system MUST enforce a password strength policy with two layers: a hard product floor (minimum 8 characters AND at least one digit) that cannot be lowered, and a configurable customer policy that can only be more strict than the floor. Default policy on fresh install SHALL be 12 characters + uppercase + lowercase + digit + symbol.

Scenario: Admin 可將策略調嚴

Scenario: Admin 無法把策略調到低於產品下限

Scenario: 改密時策略即時生效

Edge Cases


Requirement: 連續失敗鎖定 + Admin 緊急解鎖

Summary: 同帳號連續 5 次登入失敗 MUST 鎖定 15 分鐘(全 IP 鎖);15 分鐘後 SHALL 自動解鎖;Admin 可在 User Management 手動緊急解鎖。

The system MUST track consecutive failed login attempts per account (not per IP). After 5 consecutive failures within a sliding window, the account MUST be locked for 15 minutes. During lockout, even correct passwords MUST be rejected. Locks MUST auto-release after the timeout; Admins MUST have an emergency unlock action. All lock/unlock events MUST be audited.

Scenario: 連續 5 次失敗觸發鎖定

Scenario: 鎖定期間正確密碼也被拒

Scenario: 15 分鐘後自動解鎖

Scenario: Admin 緊急手動解鎖

Scenario: 鎖定為帳號層級非 IP 層級

Edge Cases


Requirement: 密碼到期 + 強制改密

Summary: 密碼 MUST 預設 90 天到期;到期前 7 天於登入後 SHALL 顯示提示;到期則 MUST 強制進改密流程;Admin 可手動標記任何 user 為「下次登入強制改密」。

The system MUST enforce a configurable password expiration period (default 90 days). Within 7 days of expiration, users SHALL see a non-blocking warning. Upon expiration, login MUST be intercepted by a forced password-change flow before the user can access any other page. Admins MUST be able to manually flag any user account for force_change_on_next_login = true.

Scenario: 密碼到期前 7 天顯示警告

Scenario: 密碼到期當天強制改密

Scenario: Admin 手動標記強制改密

Scenario: 完成強制改密後可正常使用

Edge Cases


Requirement: 密碼以 hash 存儲且全程 HTTPS

Summary: 密碼僅以 Argon2id(或同等強度 KDF)hash 儲存;所有身分相關 endpoint MUST 強制 HTTPS;失敗訊息 MUST NOT 洩漏 username 是否存在。

The system MUST store passwords only as Argon2id (or equivalent memory-hard KDF) hashes. Plaintext passwords MUST NOT be logged, persisted, or returned via API. All authentication-related endpoints (bootstrap, login, change-password) MUST require HTTPS; HTTP requests SHALL be rejected or auto-upgraded. Authentication failure messages MUST NOT reveal whether a username exists.

Scenario: 密碼不以明文儲存

Scenario: HTTP 請求被拒或升級

Scenario: 失敗訊息不洩漏 username 是否存在

Edge Cases


Requirement: a11y / i18n / 效能基線

Summary: Bootstrap、登入、改密、解鎖頁面 MUST 通過鍵盤導航 + ARIA + 螢幕閱讀器;UI 文字全走 i18n(zh-TW / en);P95 < 500ms(登入)/ < 1s(bootstrap)/ < 50ms(強度檢查)。

All authentication-related UI flows (bootstrap / login / change-password / locked / security-policy) MUST meet WCAG AA accessibility: keyboard navigable, ARIA labels on all interactive elements, screen-reader-friendly error announcements, focus management on modals. All user-facing text MUST be i18n-tokenized (zh-TW + en at minimum). Performance budgets MUST hold: login response P95 < 500ms, bootstrap page initial load < 1s, password strength check < 50ms per keystroke.

Scenario: 鍵盤可走完整 bootstrap 流程

Scenario: 語系切換立即生效

Scenario: 登入回應達效能基線

Edge Cases