38 lines
1.1 KiB
Markdown
38 lines
1.1 KiB
Markdown
---
|
|
taskmaster_id: "4.5"
|
|
status: "done"
|
|
priority: "high"
|
|
depends_on: ["2"]
|
|
parent_id: "4"
|
|
source: "taskmaster"
|
|
generated_at: "2026-05-24T07:26:29.052Z"
|
|
---
|
|
|
|
# 4.5 - Decide session, passkey, and admin step-up architecture
|
|
|
|
- [x] 4.5 - Decide session, passkey, and admin step-up architecture #taskmaster #priority/high #status/done ⏫ 🆔 tm-4-5 ⛔ tm-2
|
|
|
|
## Metadata
|
|
|
|
| Field | Value |
|
|
| --- | --- |
|
|
| Taskmaster ID | 4.5 |
|
|
| Status | done |
|
|
| Priority | high |
|
|
| Dependencies | 2 |
|
|
| Parent | 4 - Define backend security and refactor strategy from latest audit |
|
|
|
|
## Description
|
|
|
|
Choose browser session model and high-risk admin authentication requirements.
|
|
|
|
## Details
|
|
|
|
Completed. Produced `09 - Audits/Session and Authentication Architecture Decision.md`.
|
|
|
|
Decide localStorage versus httpOnly cookies, access/refresh token lifetimes, CSRF strategy, refresh rotation, WebAuthn requirements, OAuth requirements, device/session revocation, and whether payouts/role changes require step-up authentication or two-person approval.
|
|
|
|
## Verification
|
|
|
|
Decision record lists chosen model, rejected alternatives, migration cost, and required implementation tasks.
|