---
phase: 03-features
plan: 01
type: execute
wave: 1
depends_on: []
files_modified: [src/models/user.ts, src/app/api/auth/signup/route.ts, src/app/api/auth/login/route.ts]
autonomous: true
requirements: [AUTH-01, AUTH-02]
must_haves:
  truths:
    - "User can create account with email/password"
    - "User session persists across browser refresh"
  artifacts:
    - path: "src/models/user.ts"
      provides: "User model and types"
      min_lines: 20
    - path: "src/app/api/auth/signup/route.ts"
      provides: "Signup endpoint"
      exports: ["POST"]
    - path: "src/app/api/auth/login/route.ts"
      provides: "Login endpoint"
      exports: ["POST"]
  key_links:
    - from: "src/app/api/auth/signup/route.ts"
      to: "src/models/user.ts"
      via: "imports User type"
      pattern: "import.*User.*from.*models/user"
    - from: "src/app/api/auth/login/route.ts"
      to: "src/models/user.ts"
      via: "imports User type"
      pattern: "import.*User.*from.*models/user"
---
<objective>
Create user authentication system with signup and login.
Purpose: Enable users to create accounts and authenticate.
Output: User model, signup/login endpoints, session management.
</objective>
<execution_context>
@~/.claude/get-shit-done/workflows/execute-plan.md
@~/.claude/get-shit-done/templates/summary.md
</execution_context>
<context>
@.planning/PROJECT.md
@.planning/ROADMAP.md
@.planning/STATE.md
</context>
<tasks>
<task type="auto">
<name>Create User model</name>
<files>src/models/user.ts</files>
<action>
Define User type with id, email, passwordHash (the bcrypt hash; the plaintext password is never stored), createdAt.
Use jose for JWT signing and verification in the auth routes (not jsonwebtoken - CommonJS interop issues).
Export the TypeScript interface and a Zod schema that validates signup/login input (email format, password strength).
</action>
<verify>tsc --noEmit passes without errors</verify>
<done>User type exported and usable</done>
</task>
<task type="auto">
<name>Create signup endpoint</name>
<files>src/app/api/auth/signup/route.ts</files>
<action>
POST endpoint that:
1. Validates email format and password strength with the Zod schema; normalize the email (lower-case) before use
2. Hashes password with bcrypt (cost factor 12)
3. Creates user in database (unique index on email)
4. Returns JWT token in a cookie with HttpOnly, Secure, SameSite=Lax and Path=/ set, status 201
Error handling:
- 400 if validation fails
- 409 if email already exists
- 500 for database errors (log the error server-side, do not echo it to the client)
</action>
<verify>curl -i -X POST localhost:3000/api/auth/signup -H 'Content-Type: application/json' -d '{"email":"test@example.com","password":"Test123!"}' returns 201 + Set-Cookie with HttpOnly</verify>
<done>Signup works with valid input, rejects invalid input</done>
</task>
<task type="auto">
<name>Create login endpoint</name>
<files>src/app/api/auth/login/route.ts</files>
<action>
POST endpoint that:
1. Looks up the user by normalized email in the users table
2. Compares the submitted password with the stored hash via bcrypt.compare
3. Returns JWT token in httpOnly cookie (same cookie flags as signup) on success
4. Returns 401 with one generic "invalid credentials" message for both unknown email and wrong password
Avoid timing attacks: bcrypt.compare itself is constant-time, but do not return early when the email is unknown. Run bcrypt.compare against a precomputed dummy hash in that case so the unknown-email and wrong-password paths take the same time; otherwise response latency reveals which emails are registered.
</action>
<verify>curl -i -X POST localhost:3000/api/auth/login -H 'Content-Type: application/json' -d '{"email":"test@example.com","password":"Test123!"}' returns 200 + Set-Cookie with valid creds; the same request with a wrong password or unknown email returns 401</verify>
<done>Valid credentials return cookie, invalid return 401</done>
</task>
</tasks>
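The signup and login tasks above, as one added worked example that is not the project's code: it shows the validation, hashing, cookie flags and the constant-time unknown-email path together. To run without npm dependencies it uses scrypt from node:crypto in place of bcrypt, an in-memory Map in place of the users table, a random opaque token in place of the jose JWT, and hand-written checks in place of the Zod schema; all four are stand-ins, not the plan's actual choices.

```typescript
// Added example of the signup/login flow. Stand-ins (assumptions, not the plan's choices):
// node:crypto scrypt for bcrypt, a Map for the users table, an opaque token for the JWT.
import { scryptSync, randomBytes, timingSafeEqual } from "node:crypto";

export interface User {
  id: string;
  email: string;
  passwordHash: string; // only the hash is ever stored
  createdAt: Date;
}

export interface Result {
  status: number;
  setCookie?: string;
  body: { error?: string; id?: string };
}

// --- password hashing (scrypt standing in for bcrypt cost 12) ---
const SCRYPT_N = 2 ** 14;

export function hashPassword(password: string): string {
  const salt = randomBytes(16);
  const key = scryptSync(password, salt, 32, { N: SCRYPT_N });
  return `scrypt$${SCRYPT_N}$${salt.toString("hex")}$${key.toString("hex")}`;
}

export function verifyPassword(password: string, stored: string): boolean {
  const [, n, saltHex, keyHex] = stored.split("$");
  const key = scryptSync(password, Buffer.from(saltHex, "hex"), 32, { N: Number(n) });
  return timingSafeEqual(key, Buffer.from(keyHex, "hex")); // constant-time on equal-length buffers
}

// Computed once at startup so the unknown-email path costs the same as a real compare.
const DUMMY_HASH = hashPassword("not-a-real-password");

// --- input validation (stands in for the Zod schema the plan calls for) ---
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

export function validateSignup(email: string, password: string): string | null {
  if (!EMAIL_RE.test(email)) return "invalid email";
  if (password.length < 8) return "password must be at least 8 characters";
  if (!/[A-Z]/.test(password) || !/[0-9]/.test(password)) return "password needs an upper-case letter and a digit";
  return null;
}

// --- session cookie with the flags the plan requires ---
export function sessionCookie(token: string): string {
  return `session=${token}; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=3600`;
}

// The real route signs a JWT with jose; a random opaque token stands in here.
function issueToken(): string {
  return randomBytes(32).toString("base64url");
}

export const users = new Map<string, User>(); // keyed by lower-cased email (stand-in for the DB)

export function signup(email: unknown, password: unknown): Result {
  if (typeof email !== "string" || typeof password !== "string") return { status: 400, body: { error: "invalid input" } };
  const err = validateSignup(email, password);
  if (err) return { status: 400, body: { error: err } };
  const key = email.toLowerCase(); // normalize before the uniqueness check
  if (users.has(key)) return { status: 409, body: { error: "email already registered" } };
  const user: User = { id: randomBytes(8).toString("hex"), email: key, passwordHash: hashPassword(password), createdAt: new Date() };
  users.set(key, user);
  return { status: 201, setCookie: sessionCookie(issueToken()), body: { id: user.id } };
}

export function login(email: unknown, password: unknown): Result {
  const invalid: Result = { status: 401, body: { error: "invalid credentials" } }; // same body for both failure modes
  if (typeof email !== "string" || typeof password !== "string") return invalid;
  const user = users.get(email.toLowerCase());
  // Always run the hash comparison: returning early on an unknown email would make
  // that response measurably faster and reveal which emails are registered.
  const ok = verifyPassword(password, user ? user.passwordHash : DUMMY_HASH);
  if (!user || !ok) return invalid;
  return { status: 200, setCookie: sessionCookie(issueToken()), body: { id: user.id } };
}
```

Note that the Secure flag makes browsers drop the cookie over plain http, so when testing in a browser on localhost (rather than with the curl checks above) serve over https or set Secure only when the request is not in development.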
<verification>
Before declaring plan complete:
- [ ] npm run build succeeds
- [ ] Signup returns 201/400/409 and login returns 200/401 as documented, each success with a Set-Cookie carrying HttpOnly
- [ ] TypeScript types are properly exported
- [ ] No console errors or warnings
</verification>
<success_criteria>
- All tasks completed
- All verification checks pass
- No errors or warnings introduced
- JWT authentication working end-to-end
</success_criteria>
<output>
After completion, create `.planning/phases/03-features/03-01-SUMMARY.md`
</output>