Login & Registration User Story - COS301-SE-2025/CRISP GitHub Wiki

User Story: User Authentication (Login and Registration)

Overview

As a CRISP platform user (admin, organization representative, or organization member),
I want to be able to securely access the platform through role-based authentication
So that I can access shared threat intelligence, manage my institution's data, and utilize platform features according to my assigned role and permissions.

User Roles

  • Admin: Platform administrators with system-wide permissions
  • Organization: Organization representatives who can manage their institution's users
  • User: Organization members who can access platform features as permitted by their organization

Narrative

The CRISP platform requires a secure, role-based authentication system ensuring only authorized individuals from participating institutions can access sensitive cyber threat intelligence. Users cannot self-register; instead, they must be registered by their organization representatives. Organizations manage their members' access, while admins oversee the platform. The system must protect credentials and manage sessions effectively across all user types.
Acceptance Criteria

1. User Registration (Organization-Managed)

AC1.1 - Organization User Creation (Functional)

  • As an organization representative, I can access a user management interface
  • I can register new users for my organization

AC1.2 - User Registration Form (Functional)

  • I can fill out a user registration form with the following fields:
    • First Name (required)
    • Last Name (required)
    • Email (required, must be unique)
    • Temporary Password (system-generated or organization-set)
    • Job Title/Role (optional, for context)
    • User Permissions (based on organization's available permissions)

AC1.3 - Registration Restrictions (Functional)

  • Individual users cannot self-register on the platform
  • User registration is only available through organization representatives
  • Users attempting to access registration directly are redirected to login or contact information

AC1.4 - Form Validation (Functional)

  • The system validates all form fields
  • Clear error messages are shown for invalid input:
    • Email format validation
    • Duplicate email detection
    • Missing required fields identification

AC1.5 - User Creation Process (Functional)

  • Upon successful submission, the new user account is created
  • The user is automatically associated with the registering organization
  • Default user role is assigned based on organization settings

AC1.6 - User Notification (Functional)

  • New users receive an email with:
    • Account creation notification
    • Temporary login credentials
    • Instructions to change password on first login
    • Platform access guidelines

AC1.7 - Password Security (Non-Functional - Security)

  • All passwords (temporary and user-set) are securely hashed before storage
  • Implementation using Django's default password hashing is recommended

AC1.8 - User Experience (UI)

  • The user registration interface is accessible only to organization representatives
  • The interface clearly shows which organization the user will be associated with

2. Login

AC2.1 - Navigation (Functional)

  • As a registered user, I can navigate to a login page

AC2.2 - Authentication Input (Functional)

  • I can enter my registered email and password

AC2.3 - Successful Authentication (Functional)

  • Upon successful authentication:
    • I am redirected to the main dashboard or my intended page
    • A secure session (e.g., JWT-based) is established

AC2.4 - Authentication Failure (Functional)

  • If authentication fails (incorrect email/password, inactive account):
    • I receive a clear error message
  • The message does not reveal specifically whether the email address or the password was incorrect (prevents user enumeration)
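One way to satisfy AC2.4 in code, as an added illustration rather than CRISP project code: every failure path (unknown email, wrong password, inactive account) returns the same message, and an unknown email still costs one hash verification so response time does not leak whether the account exists. The in-memory user table, the PBKDF2 parameters and the sample addresses are constructed for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2-SHA256 work factor (assumed value for the demo)
GENERIC_ERROR = "Invalid email or password."  # identical text for every failure


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is generated when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


# Constructed in-memory user table standing in for the platform's user model.
_SALT, _DIGEST = hash_password("CorrectHorse1!")
USERS = {
    "alice@example.org": {"salt": _SALT, "hash": _DIGEST, "is_active": True},
    "bob@example.org": {"salt": _SALT, "hash": _DIGEST, "is_active": False},
}

# Dummy record verified when the email is unknown, so a request for a
# non-existent account does the same amount of work as one for a real account.
_DUMMY_SALT, _DUMMY_HASH = hash_password("unused-dummy-password")


def authenticate(email, password):
    """Return (ok, message). Every failure yields GENERIC_ERROR, never a reason."""
    record = USERS.get(email.strip().lower())
    salt = record["salt"] if record else _DUMMY_SALT
    expected = record["hash"] if record else _DUMMY_HASH
    _, actual = hash_password(password, salt)
    matched = hmac.compare_digest(actual, expected)  # constant-time comparison
    if record is None or not matched or not record["is_active"]:
        return False, GENERIC_ERROR
    return True, "ok"
```

Django's `authenticate()` already does the dummy-hash trick for unknown usernames; the point here is that the view layer must also keep the error text uniform.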

AC2.5 - Password Recovery (Functional)

  • A "Forgot Password" link/functionality is present
  • Note: Detailed implementation can be a separate user story, but the link should be present for Demo 1

AC2.6 - Login Security (Non-Functional - Security)

  • The login process is protected against common vulnerabilities
  • Rate limiting to prevent brute-force attacks (advanced feature for future consideration)

AC2.7 - First-Time Login (Functional)

  • New users with temporary passwords are prompted to change their password on first login
  • Password change requirements are clearly displayed:
    • Minimum 8 characters
    • At least one uppercase letter
    • At least one lowercase letter
    • At least one number
    • At least one symbol
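The five AC2.7 requirements written as a password validator, added here as an illustration and not taken from the CRISP code base. It follows the `validate()` / `get_help_text()` shape of a Django password validator but raises a plain `ValueError` so it runs without Django installed (an assumption for this example); the rule messages are the ones a user would see.

```python
import string

# The AC2.7 rules, each as (message shown to the user, check on the password).
RULES = [
    ("at least 8 characters", lambda p: len(p) >= 8),
    ("at least one uppercase letter", lambda p: any(c.isupper() for c in p)),
    ("at least one lowercase letter", lambda p: any(c.islower() for c in p)),
    ("at least one number", lambda p: any(c.isdigit() for c in p)),
    ("at least one symbol", lambda p: any(c in string.punctuation for c in p)),
]


def missing_requirements(password):
    """Return the list of AC2.7 rules the password fails (empty when acceptable)."""
    return [message for message, check in RULES if not check(password)]


class ComplexityValidator:
    """Django-style validator: validate() raises on failure, get_help_text() lists the rules."""

    def validate(self, password, user=None):
        failed = missing_requirements(password)
        if failed:
            # In a real Django project this would be django.core.exceptions.ValidationError
            raise ValueError("Password must contain " + "; ".join(failed) + ".")

    def get_help_text(self):
        return "Your password must contain " + "; ".join(m for m, _ in RULES) + "."
```

In a Django project the class would raise `ValidationError` instead and be listed in `AUTH_PASSWORD_VALIDATORS`, alongside the built-in validators that reject common passwords and passwords similar to the user's own attributes.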

AC2.8 - User Experience (UI)

  • The login page is clear and straightforward
  • Role-based dashboard redirection after successful login

3. Logout

AC3.1 - Logout Access (Functional)

  • As a logged-in user, I can find and click a "Logout" button/link

AC3.2 - Session Termination (Functional)

  • Upon clicking "Logout":
    • My session is terminated
    • I am redirected to the login page or a public landing page

Assumptions & Pre-conditions

  • Organizations have designated representatives with user management permissions
  • Organization representatives are already registered and authenticated in the system
  • The list of participating organizations is managed by platform administrators
  • Basic email sending capabilities are available for user notification
  • Organizations have defined permission structures for their users

Open Questions for Team Discussion

Organization Setup

  • How are organization representatives initially registered? (Admin-managed process?)
  • What permissions do organizations have by default?
  • Can organizations customize user roles and permissions?

User Management

  • Can organizations deactivate/reactivate their users?
  • Should there be bulk user import functionality for large organizations?
  • What happens to users if their organization is removed from the platform?

Security & Permissions

  • Detailed password complexity rules for user-set passwords
  • Session timeout policies by user role
  • Default permission sets for new organization users
  • Multi-factor authentication requirements by role?

Admin Capabilities

  • How do admins manage organization representatives?
  • System-wide user management and oversight capabilities
  • Audit logging for user creation and management activities