ADR 0001 — Authentication model#
Status: Accepted (Phase 0, 2026-07-03)
Context#
The legacy Cube 1.x uses ASP.NET Forms cookie authentication backed by AspnetUsers / AspnetMembership (classic ASP.NET Membership schema). We need a token-based scheme that works for browser SPAs, desktop clients, and service-to-service calls, and that can coexist with the legacy system during the migration.
Decision#
- Issue JWT access tokens signed with HS256 for development and lower environments; RS256 upgrade path via
Jwt:SigningKeyswap when a KMS-backed key is available. - One central Auth API endpoint set under
/api/v1/auth/(login,me,permissions). - Passwords are verified through
IPasswordHasher:$2*prefix → BCrypt (new users, cost factor 11).- Any other stored hash → treated as a legacy format;
PasswordHasher.NeedsRehashreturnstrueand the caller records a “rehash on next login” intent. Legacy verification is gated onFeatureFlags:UseLegacyPasswordHashso we can force cutover.
- Claims carried in the token:
sub,unique_name,jti(standard),role(mapped fromAspMnxGroup),perm(module-level permissions).
Consequences#
- Refresh tokens are not in scope for Phase 0. Access token lifetime defaults to 60 min.
- Legacy password hash verification is a placeholder — the actual scheme (SHA1 base64, salted?) must be confirmed by inspecting an existing
AspnetMembershiprow in staging before Phase 1. - Role / permission population is stubbed to empty arrays in Phase 0; Phase 1 wires the real group → role / claim mapping.