# Phase 2: Authentication & Authorization

## Overview

Implement JWT authentication, create identity management (User CRUD), build the role and permission system, add authorization middleware, and implement audit logging.

## Tasks

### 2.1 Authentication (JWT)

- [2.1.1 - Install JWT Library](./2.1.1-install-githubcomgolang-jwtjwtv5.md)
- [2.1.2 - Create Auth Interfaces](./2.1.2-create-pkgauthauthgo-interfaces.md)
- [2.1.3 - Implement JWT Auth](./2.1.3-implement-internalauthjwt_authgo.md)
- [2.1.4 - Create Auth Middleware](./2.1.4-create-internalauthmiddlewarego.md)
- [2.1.5 - Add Login Endpoint](./2.1.5-add-login-endpoint-post-apiv1authlogin.md)
- [2.1.6 - Add Refresh Endpoint](./2.1.6-add-refresh-endpoint-post-apiv1authrefresh.md)

### 2.2 Identity Management

- [2.2.1 - Create Identity Interfaces](./2.2.1-create-pkgidentityidentitygo-interfaces.md)
- [2.2.2 - Implement User Repository](./2.2.2-implement-internalidentityuser_repogo-using-ent.md)
- [2.2.3 - Implement User Service](./2.2.3-implement-internalidentityuser_servicego.md)
- [2.2.4 - Add Endpoints](./2.2.4-add-endpoints.md)

### 2.3 Roles & Permissions

- [2.3.1 - Create Permission Types](./2.3.1-create-pkgpermpermgo.md)
- [2.3.2 - Create Permission Resolver Interface](./2.3.2-create-pkgpermresolvergo-interface.md)
- [2.3.3 - Implement In-Memory Resolver](./2.3.3-implement-internalpermin_memory_resolvergo.md)
- [2.3.4 - Create Authorization Interface](./2.3.4-create-pkgauthauthzgo-interface.md)
- [2.3.5 - Implement RBAC Authorizer](./2.3.5-implement-internalauthrbac_authorizergo.md)
- [2.3.6 - Create Authorization Middleware](./2.3.6-create-authorization-middleware.md)

### 2.4 Role Management

- [2.4.1 - Create Role Repository](./2.4.1-create-internalidentityrole_repogo.md)
- [2.4.2 - Add Endpoints](./2.4.2-add-endpoints.md)

### 2.5 Audit Logging

- [2.5.1 - Create Audit Interface](./2.5.1-create-pkgauditauditgo-interface.md)
- [2.5.2 - Implement Ent Auditor](./2.5.2-implement-internalauditent_auditorgo.md)
- [2.5.3 - Add Audit Middleware](./2.5.3-add-audit-middleware.md)
- [2.5.4 - Integrate with Auth Endpoints](./2.5.4-integrate-with-auth-endpoints.md)

### 2.6 Database Seeding

- [2.6.1 - Create Seed Script](./2.6.1-create-internalseedseedgo.md)

## Deliverables Checklist

- [ ] JWT authentication working (access + refresh tokens)
- [ ] User registration and management endpoints
- [ ] Role and permission system implemented
- [ ] Authorization middleware protecting endpoints
- [ ] Audit logging captures all auth actions
- [ ] Database seeding for initial admin user

## Acceptance Criteria

- `POST /api/v1/auth/login` returns JWT tokens
- `POST /api/v1/auth/refresh` issues a new access token
- Protected endpoints require a valid JWT
- Authorization middleware checks permissions
- All auth actions are logged to the audit table
- Admin user can be created via the seed script