Story: Login and sessions
This page documents a story in Sprint 03. It captures the goal, current status, acceptance criteria, and the tasks that compose it.
Goal
Introduce the account and session domain types and wire them through the cobalt client/server runtime. This is the "finish login-related functionality" half of the sprint mission.
Status
| Field | Value |
|---|---|
| State | DONE |
| Parent sprint | Sprint 03 |
| Now | Story closed; accounts and sessions land end-to-end. The authentication bootstrap remains POSTPONED into a successor sprint. |
| Waiting on | None. |
| Next | None. |
| Last touched | 2025-12-20 |
Continued in: Authentication bootstrap follow-up (sprint 05) — the POSTPONED bootstrap workflow lands there, along with delete-account and the feature-flags split.
Acceptance
- account domain type with repository, JSON/XML codecs, and end-to-end tests.
- session domain type with lifecycle (open/close/expire) and server-side persistence.
- Client can authenticate against the server using an account and receive a session token.
Tasks
| Task | State | Start | End | Description |
|---|---|---|---|---|
| Add account support | DONE | 2025-12-20 | 2025-12-20 | Domain type, repository, and end-to-end import/export path for user accounts. |
| Add session support | DONE | 2025-12-20 | 2025-12-20 | Domain type and lifecycle for client sessions on top of the cobalt-based server. |
Decisions
- Sessions in Postgres
  - simple and durable; we revisit if session read volume becomes a bottleneck.
- Account-record pattern follows currencies
  - lets us reuse the generated repository code without account-specific exceptions.
Out of scope
- Multi-factor authentication.
- OAuth integration.
See also
- ores.iam — the IAM component that owns the account and session domain types.
- Client/server foundations (sprint 02) — predecessor story that put the socket layer in place.
- Client console and Qt integration (this sprint) — the sibling story that wires the UI to use what this story landed.