Authentication — Spec

Overview

Multi-user login with admin-approval flow. New accounts are inactive until an admin approves them.

Password Storage

  • Passwords hashed with bcrypt; no plaintext stored

Sessions

  • Persistent sessions: a UserSession token is stored in the DB and set as a browser cookie (mp_session) on login
  • Cookie: httponly; samesite=lax; 30-day TTL
  • Subsequent page loads restore the session without requiring re-login
  • Sign Out deletes the DB session row and clears the browser cookie

User Roles

  • Regular user: can view all data, upload portfolio
  • Admin: can approve new users, add/remove tickers, trigger pipeline runs

Registration Flow

  1. User registers — account created with is_active=False
  2. Admin sets is_active=True to approve
  3. Login returns 403 with "Account pending approval" for inactive users

Constraints

  • Session tokens: secrets.token_urlsafe(32)
  • Expired sessions deleted on first access
  • One UserSession row per active session; cascade-deleted when user is deleted
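
A sketch of the session lifecycle from the Sessions and Constraints sections, plus the 403 from Registration Flow, added here as an example; it is not the project's code. The SQLite schema, the function names and the `now` parameter are assumptions, and the bcrypt password check is assumed to have passed before `login` is called.

```python
import secrets
import sqlite3
import time
from http.cookies import SimpleCookie

SESSION_TTL = 30 * 24 * 3600  # 30-day TTL from the spec, in seconds

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # SQLite needs this for ON DELETE CASCADE
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, is_active INTEGER NOT NULL DEFAULT 0);
        CREATE TABLE user_sessions (token TEXT PRIMARY KEY, expires_at REAL NOT NULL,
            user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE);
    """)
    return db

def login(db, user_id, now=None):
    """Call after the password check passes. Returns (status, token)."""
    now = time.time() if now is None else now
    row = db.execute("SELECT is_active FROM users WHERE id = ?", (user_id,)).fetchone()
    if row is None:
        raise LookupError("unknown user")  # assumption: caller already resolved the user
    if not row[0]:
        return 403, None  # "Account pending approval"; no session row is created
    token = secrets.token_urlsafe(32)
    db.execute("INSERT INTO user_sessions VALUES (?, ?, ?)", (token, now + SESSION_TTL, user_id))
    return 200, token

def session_cookie(token):
    """Set-Cookie value carrying the attributes the spec lists for mp_session."""
    c = SimpleCookie()
    c["mp_session"] = token
    c["mp_session"].update({"httponly": True, "samesite": "Lax", "max-age": SESSION_TTL})
    return c["mp_session"].OutputString()

def sign_out(db, token):
    # Deletes the DB row; the caller also clears the browser cookie.
    db.execute("DELETE FROM user_sessions WHERE token = ?", (token,))

def restore(db, token, now=None):
    """Return user_id for a live token; an expired row is deleted on this first access."""
    now = time.time() if now is None else now
    row = db.execute("SELECT user_id, expires_at FROM user_sessions WHERE token = ?", (token,)).fetchone()
    if row and row[1] <= now:
        sign_out(db, token)
        return None
    return row[0] if row else None

def session_count(db):
    return db.execute("SELECT COUNT(*) FROM user_sessions").fetchone()[0]
```

The spec lists no Secure attribute for the cookie; on an HTTPS deployment it would be added with `"secure": True` in the same `update` call.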