Veritheia Documentation

An environment for inquiry - complete documentation

View the Project on GitHub ZipThought/veritheia

Authentication System

1. Overview

The authentication system provides user identity verification and data isolation while maintaining the principle that users remain the authors of their intellectual work. The system enforces user boundaries to protect personal formation while ensuring users maintain full control over their insights.

Formation Note: Authentication serves to verify user identity and maintain data isolation, not to gate-keep system resources. Users always remain the authors of their intellectual work, regardless of authentication status. The system enforces user boundaries to protect personal formation while ensuring users maintain full control over their insights. The authentication system is designed to preserve user agency by ensuring that all formation data belongs exclusively to the authenticated user, preventing any cross-user contamination of intellectual work.

2. Core Principles

2.1 User Sovereignty

Why This Matters for Formation: User sovereignty ensures that all formation data—journeys, insights, and intellectual development—belongs exclusively to the user. This principle prevents any system component from compromising the user’s intellectual work or making decisions about their formation on their behalf.

2.2 Data Isolation

Why This Matters for Formation: Data isolation ensures that each user’s formation journey remains private and uncontaminated. This isolation preserves the integrity of the user’s intellectual development and prevents any interference from other users’ data or system-wide patterns.

2.3 Minimal Identity Requirements

Why This Matters for Formation: Minimal identity requirements reduce barriers to formation while maintaining the essential principle of user data isolation. This approach ensures that users can begin their formation journey without unnecessary authentication complexity, while still preserving the integrity of their intellectual work.

3. Authentication Patterns

3.1 Core Authentication Interface

public interface IAuthenticationProvider
{
    Task<UserIdentity> AuthenticateAsync(AuthenticationRequest request);
    Task<UserIdentity?> GetCurrentUserAsync();
    Task LogoutAsync();
    bool IsAuthenticated();
}

public class UserIdentity
{
    public Guid Id { get; set; }
    public string Identifier { get; set; } // Email, username, or external ID
    public string? DisplayName { get; set; }
    public Dictionary<string, string> Claims { get; set; }
}

public class AuthenticationRequest
{
    public string Identifier { get; set; } // Email, username, or external ID
    public Dictionary<string, object>? AdditionalData { get; set; }
}

3.2 Authentication Provider Implementations

Pattern A: Simple Identifier Authentication

Use Case: Local deployment, personal use, development Characteristics:

Pattern B: External Identity Provider

Use Case: Enterprise deployment, multi-tenant environments Characteristics:

Pattern C: Hybrid Authentication

Use Case: Mixed deployment scenarios Characteristics:

4. Session Management

4.1 Session Interface

public interface ISessionManager
{
    Task<SessionInfo> CreateSessionAsync(UserIdentity user);
    Task<SessionInfo?> GetSessionAsync(string sessionId);
    Task InvalidateSessionAsync(string sessionId);
    Task ExtendSessionAsync(string sessionId);
}

public class SessionInfo
{
    public string SessionId { get; set; }
    public Guid UserId { get; set; }
    public DateTime CreatedAt { get; set; }
    public DateTime ExpiresAt { get; set; }
    public Dictionary<string, string> Metadata { get; set; }
}

4.2 Session Patterns

Pattern B: Token-Based Sessions

Pattern C: Database Sessions

4.3 Session Storage Patterns

Use Case: Web applications, browser-based access Characteristics:

Pattern B: Token-Based Sessions

Use Case: API access, mobile applications Characteristics:

Pattern C: Database Sessions

Use Case: High-security environments, audit requirements Characteristics:

5. User Management

5.1 User Interface

public interface IUserManager
{
    Task<UserIdentity> CreateOrGetUserAsync(string identifier, string? displayName);
    Task<UserIdentity?> GetUserAsync(Guid userId);
    Task<UserIdentity?> GetUserByIdentifierAsync(string identifier);
    Task UpdateUserAsync(Guid userId, UserUpdateRequest request);
}

public class UserUpdateRequest
{
    public string? DisplayName { get; set; }
    public Dictionary<string, object>? Metadata { get; set; }
}

5.2 User Creation Patterns

Pattern A: Automatic User Creation

Pattern B: Administered User Creation

Pattern C: Invitation-Based Creation

6. Security Considerations

6.1 Data Protection

6.2 Session Security

6.3 Privacy Compliance

7. Extension Points

7.1 Authentication Provider Extension

public interface IAuthenticationProviderFactory
{
    IAuthenticationProvider CreateProvider(AuthenticationProviderType type, AuthenticationProviderConfig config);
}

public enum AuthenticationProviderType
{
    SimpleIdentifier,
    OAuth,
    SAML,
    Custom
}

7.2 Session Manager Extension

public interface ISessionManagerFactory
{
    ISessionManager CreateManager(SessionManagerType type, SessionManagerConfig config);
}

public enum SessionManagerType
{
    Cookie,
    Token,
    Database,
    Hybrid
}

7.3 User Manager Extension

public interface IUserManagerFactory
{
    IUserManager CreateManager(UserManagerType type, UserManagerConfig config);
}

public enum UserManagerType
{
    Automatic,
    Administered,
    InvitationBased,
    Hybrid
}

8. Configuration Schema

8.1 Authentication Configuration

{
  "authentication": {
    "provider": {
      "type": "SimpleIdentifier|OAuth|SAML|Custom",
      "config": {
        "identifierField": "email|username|custom",
        "requireDisplayName": false,
        "autoCreateUsers": true
      }
    },
    "session": {
      "type": "Cookie|Token|Database|Hybrid",
      "config": {
        "expirationDays": 30,
        "secureCookies": true,
        "httpOnly": true
      }
    },
    "userManagement": {
      "type": "Automatic|Administered|InvitationBased|Hybrid",
      "config": {
        "defaultPersonas": ["Researcher", "Student", "Entrepreneur"],
        "requireApproval": false
      }
    }
  }
}

9. Integration Requirements

9.1 Required Interfaces

9.2 Optional Extensions

9.3 Data Requirements

10. Testing Patterns

10.1 Authentication Testing

10.2 Security Testing

10.3 Integration Testing

5. System Integration Patterns

The authentication system integrates across the composable architectural pattern through well-defined interfaces and context propagation mechanisms.

Why This Matters for Formation: The authentication system’s integration patterns ensure that user identity and data isolation are maintained consistently across all system components. This consistency preserves user agency and intellectual sovereignty regardless of how users interact with the system—whether through the web interface, external APIs, or AI agents.

5.1 Authentication Flow

Authentication occurs within the Web component, which handles user interaction and session management. The Web component imports the ApiService component and calls its programming interface directly. User context flows from the Web component to the ApiService component through method parameters and shared interfaces.

Why This Matters for Formation: The authentication flow ensures that user identity is established at the interface level and propagated to the business logic layer. This flow maintains user agency by ensuring that all formation operations are performed in the context of the authenticated user, preserving the principle that users remain the authors of their intellectual work.

5.2 User Context Propagation

The Web component maintains user authentication state through session management patterns. When calling ApiService component methods, the Web component passes user context through the method interface. The ApiService component receives user context as parameters and enforces user boundaries at the data access level.

Why This Matters for Formation: User context propagation ensures that all formation data operations respect user boundaries and data isolation. This propagation maintains the integrity of the user’s intellectual work by ensuring that every database operation is performed within the correct user context, preventing any cross-user data contamination.

5.3 Extension Integration

The ApiGateway component will integrate with the authentication system by importing the same ApiService component. The ApiGateway component will handle HTTP authentication protocols while delegating business logic operations to the ApiService component. User context will flow from HTTP authentication to the ApiService component through the same interface patterns.

Why This Matters for Formation: Extension integration ensures that external systems can access formation data while maintaining the same user boundaries and data isolation. This integration preserves user agency by ensuring that external access respects the same authentication and authorization patterns, preventing any compromise of user intellectual sovereignty.

5.4 Security Boundaries

The authentication system maintains security boundaries through architectural separation. The Web component handles user authentication and session management. The ApiService component enforces user data isolation through database-level constraints. The ApiGateway component will handle external authentication protocols while maintaining the same security boundaries.

Why This Matters for Formation: Security boundaries ensure that user formation data remains protected and isolated across all system components. These boundaries preserve user agency by preventing unauthorized access to intellectual work while maintaining the flexibility needed for different deployment scenarios and integration patterns.