Complete Replit Authentication Prompt

Important Notes

  • Non-HIPAA Compliant: This prompt is for general web applications, NOT healthcare or medical data

  • US Development: Designed for US-based development practices and standards

  • Suitable For: SaaS platforms, e-commerce sites, membership platforms, customer portals, general web apps

  • NOT Suitable For: Healthcare applications, medical records, patient data, or any HIPAA-regulated information

  • Customized: This is a custom login flow rather than Replit Auth, Replit's integrated (white-labeled) authentication

  • MFA: Multi-Factor Authentication is done by email, not SMS

  • CAPTCHA Intentionally Omitted: Replit does not currently (at the time of writing this) support CAPTCHA integration. This prompt uses rate limiting and exponential backoff as bot protection instead. If you need CAPTCHA, you'll need to integrate it separately after deployment (e.g., Google reCAPTCHA, hCaptcha).

Need HIPAA compliance? Contact me for a specialized authentication prompt.


What This Prompt Builds

This comprehensive Replit prompt creates a complete, production-ready authentication system with enterprise-grade security features. Simply copy, paste into Replit, and let it build your secure login system.

    • Email & password registration

    • Email verification (24-hour tokens)

    • Secure login with rate limiting

    • Account lockout (20 failed attempts)

    • Password reset flow

    • Session management (30-min timeout)

    • Profile management

    • Mandatory Multi-Factor Authentication

    • Customer account management

    • Unlock locked accounts

    • Force logout sessions

    • Complete audit logging

    • Background job monitoring

    • Activity dashboards

    • Password hashing (bcrypt/Argon2)

    • CSRF protection

    • SQL injection prevention

    • XSS attack protection

    • Rate limiting

    • Secure session cookies

    • TLS 1.2+ encryption

Perfect For These Applications

  • SaaS Platforms - Customer accounts, subscriptions, team management

  • E-commerce Sites - Customer accounts, order history, wishlists

  • Membership Platforms - Community sites, online courses, content access

  • Customer Portals - Support tickets, account management, billing

  • Web Applications - Any app needing secure user authentication

  • Internal Tools - Employee dashboards, admin panels, management systems

Important Note on Financial Applications:

Notice that I did NOT mention financial applications. For those, you'll have to tighten the Account Lockout threshold to 3-5 attempts to align with PCI-DSS and other regulatory compliance requirements. Financial apps also require additional security measures beyond this prompt.

How to Use This Prompt

Step 1: Copy the Prompt

Scroll down and copy the entire prompt below (see The Complete Prompt)

Step 2: Open Replit

Go to Replit.com and start a new project

Step 3: Paste & Configure

Paste the prompt into Replit's AI chat. Replit will ask you:

  • What email service to use (e.g., Resend, SendGrid, AWS SES)

  • Your app name

  • Any custom configurations

Step 4: Let Replit Build

Replit will automagically:

  • Choose the best backend framework

  • Set up the database

  • Create all authentication flows

  • Configure security features

  • Set up email templates

  • Add some sprinkles and pixie dust

Step 5: Test Everything

Use the testing checklist (separate post coming soon)

What Makes This Prompt Special

User-Friendly Error Messages

No technical jargon for customers. All error messages are clear, helpful, and actionable:

  • "The email or password you entered is incorrect. Please try again."

  • NOT: "Error 4042: Database constraint violation"

Security Best Practices

  • Admins can only unlock accounts, not reset passwords

  • Password re-entry required for sensitive admin actions

  • Complete audit trail of all admin activities

  • Mandatory MFA for all admin accounts

Automated Maintenance

Background jobs:

  • Deleting unverified accounts after 48 hours

  • Cleaning up expired tokens

  • Archiving old logs

  • Monitoring email delivery

Complete Admin Dashboard

  • View all customers and their activity

  • Unlock locked accounts

  • Monitor background jobs

  • Search and filter everything

  • Export audit logs

The Complete Prompt

Instructions: Copy everything in the code block below and paste it into Replit.


Create a secure user authentication system with login, registration, and password management for a customer-facing service where customers can sign up and admins can manage accounts.

Registration & Email Verification:
- Registration form with mandatory fields: first name, last name, email, and password
- Display password requirements before user starts typing
- Real-time password complexity indicator showing strength (weak/medium/strong/very strong)
- Enforce password requirements: minimum 12 characters, mix of uppercase, lowercase, numbers, and special characters
- Send email verification link that expires in 24 hours
- Require acceptance of Terms of Service and Privacy Policy
- Users cannot login until email is verified
- All customer signups automatically assigned "Customer" role
- Validate and sanitize all text inputs to prevent SQL injection and XSS attacks
- Background job to automatically delete unverified user accounts after 48 hours

Login System:
- Email and password login fields
- Password field hidden by default with show/hide toggle button (eye)
- "Remember me" option for convenience
- Implement rate limiting to prevent brute force attacks
- Redirect customers to profile/dashboard after login
- Redirect admins to admin dashboard after login

Bot Protection (CAPTCHA Alternative):
Note: Since Replit does not currently support CAPTCHA, this system uses rate limiting and exponential backoff for bot protection:
- Progressive delays after failed attempts (1 sec, 2 sec, 4 sec, 8 sec, etc.)
- IP-based rate limiting to detect automated attacks
- Account lockout after 20 failed attempts

Account Lockout Policy:
- Automatically lock account after 20 consecutive failed login attempts
- Lockout remains for 24 hours or until admin unlocks
- Send email notification when account is locked
- Lockout counter resets after successful login
- Display clear message: "Your account has been temporarily locked for security. Please try again in 24 hours or contact support."
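As an added example (not part of the prompt and not code Replit generates), the Python below combines the progressive-delay rule from the Bot Protection section with the lockout policy above in one per-account guard. Assumptions beyond the prompt's numbers: the backoff is capped at 300 seconds, an unlock (admin or the optional 24-hour auto-unlock) also resets the failure counter, and IP-based limiting is a separate layer not shown here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

MAX_FAILED_ATTEMPTS = 20                 # lockout threshold from the prompt
LOCKOUT_DURATION = timedelta(hours=24)   # lockout length from the prompt
MAX_BACKOFF_SECONDS = 300                # assumed cap; the prompt lists 1, 2, 4, 8 ... seconds

def backoff_seconds(failed_attempts: int) -> int:
    """Delay before the next attempt is accepted: 1, 2, 4, 8 ... seconds, capped."""
    return min(2 ** (failed_attempts - 1), MAX_BACKOFF_SECONDS)

@dataclass
class AccountState:
    failed_attempts: int = 0                    # consecutive failures; reset on success/unlock
    next_allowed_at: Optional[datetime] = None  # backoff gate
    locked_until: Optional[datetime] = None     # set once the threshold is reached

class LoginGuard:   # per-account throttling and lockout; IP-based limiting is a separate layer
    def __init__(self) -> None:
        self._accounts: Dict[str, AccountState] = {}   # stand-in for the login_attempts table

    def state(self, email: str) -> AccountState:
        return self._accounts.setdefault(email.lower(), AccountState())

    def check(self, email: str, now: datetime) -> Tuple[bool, str]:
        """Call before verifying the password. Returns (allowed, reason)."""
        st = self.state(email)
        if st.locked_until is not None:
            if now < st.locked_until:
                return False, "locked"      # UI shows the prompt's 'temporarily locked' text
            self.unlock(email)              # the prompt's optional 24-hour auto-unlock
        if st.next_allowed_at is not None and now < st.next_allowed_at:
            return False, "backoff"         # UI shows the generic 'incorrect' text, no hint
        return True, "ok"

    def record_failure(self, email: str, now: datetime) -> AccountState:
        st = self.state(email)
        st.failed_attempts += 1
        st.next_allowed_at = now + timedelta(seconds=backoff_seconds(st.failed_attempts))
        if st.failed_attempts >= MAX_FAILED_ATTEMPTS and st.locked_until is None:
            st.locked_until = now + LOCKOUT_DURATION   # also send the 'account locked' email here
        return st

    def record_success(self, email: str) -> None:
        """A successful login resets the counter and clears the backoff gate."""
        st = self.state(email)
        st.failed_attempts = 0
        st.next_allowed_at = None

    def unlock(self, email: str) -> None:
        """Admin unlock or auto-unlock; resetting the counter as well is an assumption."""
        st = self.state(email)
        st.failed_attempts, st.next_allowed_at, st.locked_until = 0, None, None
```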

Password Management:
- Password history: prevent reuse of last 5 passwords
- Password reset via "Forgot Password" link (reset link expires in 24 hours)
- After 8 password reset attempts, delay sending email by 5 minutes
- New password must meet complexity requirements with visual strength indicator
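The 24-hour verification links from the registration section and the reset links in this section can share one token store. The Python below is an added example, not the prompt's or Replit's code; it assumes tokens are persisted only as SHA-256 digests and are single-use, and it includes the same-message behaviour for "Forgot Password" requests that the Security Requirements call for (the response wording is constructed).

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

TOKEN_TTL = timedelta(hours=24)   # verification and reset links both expire after 24 hours

@dataclass
class TokenRecord:
    user_id: int
    purpose: str          # "verify_email" or "reset_password"
    expires_at: datetime
    used: bool = False    # links are single-use

def token_digest(raw_token: str) -> str:
    """Only this digest is persisted, so a leaked token table yields no working links."""
    return hashlib.sha256(raw_token.encode("utf-8")).hexdigest()

class TokenStore:
    def __init__(self) -> None:
        self._records: Dict[str, TokenRecord] = {}   # stand-in for the *_tokens tables

    def issue(self, user_id: int, purpose: str, now: datetime) -> str:
        raw = secrets.token_urlsafe(32)     # 256 bits from the OS CSPRNG, URL-safe
        self._records[token_digest(raw)] = TokenRecord(user_id, purpose, now + TOKEN_TTL)
        return raw                          # goes into the emailed link and nowhere else

    def redeem(self, raw: str, purpose: str, now: datetime) -> Tuple[Optional[int], str]:
        """Returns (user_id, "ok"), (None, "expired") or (None, "invalid")."""
        rec = self._records.get(token_digest(raw))
        if rec is None or rec.used or rec.purpose != purpose:
            return None, "invalid"          # a reset token cannot verify an email, and vice versa
        if now >= rec.expires_at:
            return None, "expired"          # UI: 'This verification link has expired...'
        rec.used = True
        return rec.user_id, "ok"

    def purge(self, now: datetime) -> int:
        """Background job: remove used or expired records; returns how many were removed."""
        stale = [d for d, r in self._records.items() if r.used or now >= r.expires_at]
        for d in stale:
            del self._records[d]
        return len(stale)

def request_password_reset(store: TokenStore, users: Dict[str, int], email: str, now: datetime) -> str:
    """Same response whether or not the address is registered (no account enumeration)."""
    user_id = users.get(email.lower())
    if user_id is not None:
        raw = store.issue(user_id, "reset_password", now)   # 'raw' goes into the reset email (mailer not shown)
    return "If that address is registered, we have sent a password reset link."
```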

Customer Profile Page:
- View and edit first name and last name
- View and select timezone (auto-detected from browser, with manual override option)
- View email address (display only)
- Change email address functionality:
  * Request email change
  * Send verification link to NEW email address
  * NEW email must be verified before change takes effect
  * Send notification to OLD email about pending change
  * OLD email can cancel the change (security feature)
  * Once new email verified, update account and send confirmation to both emails
- Change password functionality
- View recent login activity (date/time displayed in user's selected timezone, device type)
- Export personal data (profile information, login history, activity logs)
- Logout button
- Delete account option (with confirmation and data purge notice)
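An added example, not the prompt's or Replit's code, of the email-change sequence above: two hashed tokens, the account's address changed only when the NEW address verifies, and a cancel path for the OLD address. The 24-hour expiry of the pending change, the template names and the in-memory outbox (standing in for the mailer) are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

CHANGE_TTL = timedelta(hours=24)   # assumed; the prompt gives no expiry for the change link

@dataclass
class PendingChange:
    old_email: str
    new_email: str
    verify_digest: str      # token mailed to the NEW address, stored hashed
    cancel_digest: str      # token mailed to the OLD address, stored hashed
    expires_at: datetime

def _digest(raw: str) -> str:
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()

class EmailChangeService:
    def __init__(self, emails: Dict[int, str]) -> None:
        self.emails = emails                        # user_id -> verified email (users table stand-in)
        self.pending: Dict[int, PendingChange] = {}
        self.outbox: List[Tuple[str, str, Optional[str]]] = []   # (recipient, template, token)

    def request(self, user_id: int, new_email: str, now: datetime) -> None:
        old = self.emails[user_id]
        verify_tok, cancel_tok = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.pending[user_id] = PendingChange(old, new_email, _digest(verify_tok),
                                              _digest(cancel_tok), now + CHANGE_TTL)
        self.outbox.append((new_email, "email_change_verify", verify_tok))
        self.outbox.append((old, "email_change_notice_with_cancel", cancel_tok))

    def confirm(self, user_id: int, token: str, now: datetime) -> bool:
        """Clicked from the NEW address: only now does the account's email change."""
        p = self.pending.get(user_id)
        if p is None or now >= p.expires_at:
            return False
        if not hmac.compare_digest(_digest(token), p.verify_digest):
            return False
        self.emails[user_id] = p.new_email
        del self.pending[user_id]
        for addr in (p.old_email, p.new_email):      # confirmation to both addresses
            self.outbox.append((addr, "email_changed_confirmation", None))
        return True

    def cancel(self, user_id: int, token: str) -> bool:
        """Clicked from the OLD address: aborts the pending change (allowed even after expiry)."""
        p = self.pending.get(user_id)
        if p is None or not hmac.compare_digest(_digest(token), p.cancel_digest):
            return False
        del self.pending[user_id]
        return True
```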

User-Facing Messages - CRITICAL:
All customer-facing messages must:
- Use clear, plain language
- NEVER display error codes, system codes, or technical jargon
- Be helpful and actionable
- Be friendly and professional

Examples:
GOOD: "The email or password you entered is incorrect. Please try again."
GOOD: "This email address is already registered. Please try logging in."
GOOD: "Your password must include at least one uppercase letter."
GOOD: "This verification link has expired. Please request a new one."
GOOD: "Your account has been temporarily locked for security. Please try again in 24 hours."
GOOD: "Please enter the verification code we sent to your email."
BAD: "Error 4042: Database constraint violation"
BAD: "Authentication failed (ERR_AUTH_001)"

Admin Security (Enhanced):
- Admin accounts MUST have Multi-Factor Authentication (MFA) enabled (mandatory, non-optional)
- Admin MFA via email OTP code (6-digit code)
- Admin session timeout after 15 minutes of inactivity (shorter than customer sessions)
- Require password re-entry for sensitive actions:
  * Unlocking customer accounts
  * Deactivating/reactivating accounts
  * Viewing detailed customer activity logs
  * Triggering manual background jobs
- Log all admin actions with:
  * Admin user ID and name
  * Timestamp
  * IP address
  * Action performed
  * Customer affected (if applicable)
  * Justification note (for sensitive actions)
- Alert all Super Admins via email when any admin account logs in

Admin Dashboard:
- View all customers showing:
  * Full name
  * Email address
  * Account creation date
  * Account status (active/locked/deactivated)
  * Failed login attempt counter
  * Last login date
- Search and filter customers by name, email, date, or status
- View individual customer details:
  * Full profile information
  * Login history with timestamps and IP addresses
  * Active sessions
  * Failed login attempts
  * Password reset history (dates only, not actual passwords)
  * Account status
- Grid of failed login attempts by IP address
- Admin actions available:
  * Manually unlock locked accounts (requires password re-entry + justification note)
  * Force logout customer sessions
  * Deactivate/reactivate accounts (requires password re-entry + justification)
  * View complete activity audit trail
  * IMPORTANT - Admins CANNOT reset customer passwords or trigger password resets
- System overview dashboard:
  * Total users count
  * Active sessions count
  * Failed logins today
  * Locked accounts count
  * Recent activity log
  * Admin activity log (recent admin actions)
- Admin Management (Super Admin only):
  * View all admin accounts
  * Create new admin accounts (with automatic MFA setup)
  * Deactivate admin accounts
  * View admin login history and actions
  * Change admin roles (Admin or Super Admin)

Customer Support for Password Issues:
- If customer is locked out: Admin unlocks account → customer uses "Forgot Password" themselves
- If customer can't access their email:
  * Admin verifies customer identity through alternative means (phone verification, account details, security questions)
  * Admin unlocks account only after identity verification
  * Customer must use "Forgot Password" to regain access
- All unlock actions must include:
  * Justification note explaining reason
  * Admin password re-entry for verification
  * Automatic logging with full details
- Customer receives email notification: "Your account was unlocked by our support team. If you didn't request this, please contact us immediately and change your password."

Background Jobs Monitor (Admin View):
- Display all scheduled background jobs:
  * Job name/type
  * Last run date/time
  * Status (Success/Failure)
  * Records processed
  * Error messages (if failed)
  * Next scheduled run time
- Job history log with filtering
- Visual status indicators (green/red/yellow)
- Alert notifications when jobs fail
- Manual trigger option for each job (requires admin password re-entry)

Background Jobs:
- Clean up unverified accounts older than 48 hours
- Clean up expired password reset tokens
- Clean up expired email verification tokens
- Clean up expired MFA codes (admin MFA)
- Archive old logs based on retention policy
- Monitor email deliverability issues
- Optional: Auto-unlock accounts after 24 hours
- Clean up expired admin sessions

Security Requirements:
- Use bcrypt or Argon2 for password hashing
- Use TLS 1.2+ for all data transmission
- Generate cryptographically secure random tokens
- Implement secure session management with httpOnly and secure cookies
- Add CSRF protection on all forms
- Protect against account enumeration (same message for valid/invalid emails)
- Automatic session timeout: 30 minutes for customers, 15 minutes for admins
- Rate limiting on all authentication endpoints
- Separate rate limiting for admin login attempts (stricter than customer limits)
- Admin MFA codes expire after 10 minutes
- Log all failed admin login attempts with alerts after 5 failures
- Create necessary database indexes for efficient lookups:
  * Index on users.email (for login lookups)
  * Index on users.id (primary key)
  * Index on login_attempts.user_id (for attempt tracking)
  * Index on password_reset_tokens.token (for reset lookups)
  * Index on email_verification_tokens.token (for verification lookups)
  * Index on sessions.user_id (for session management)
  * Index on admin_logs.admin_id and admin_logs.timestamp (for audit queries)
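An added example (not the prompt's or Replit's code) of the session requirements above: role-based idle timeouts of 30 minutes for customers and 15 for admins, HttpOnly and Secure session cookies, the admin force-logout action and the expired-session cleanup job. SameSite=Lax and the in-memory store are assumptions.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

# Idle limits from the prompt: 30 minutes for customers, 15 for admins.
IDLE_TIMEOUT = {"customer": timedelta(minutes=30), "admin": timedelta(minutes=15),
                "super_admin": timedelta(minutes=15)}

@dataclass
class Session:
    user_id: int
    role: str
    last_seen: datetime

def session_cookie(session_id: str) -> str:
    """Set-Cookie value: HttpOnly hides it from scripts, Secure restricts it to TLS.
    SameSite=Lax is an added assumption, not something the prompt specifies."""
    return f"session={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"

class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}   # stand-in for the sessions table

    def create(self, user_id: int, role: str, now: datetime) -> str:
        sid = secrets.token_urlsafe(32)           # unguessable id from the OS CSPRNG
        self._sessions[sid] = Session(user_id, role, now)
        return sid

    def touch(self, sid: str, now: datetime) -> Optional[Session]:
        """Per-request check: drop an idle session, otherwise slide its idle window."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s.last_seen > IDLE_TIMEOUT[s.role]:
            del self._sessions[sid]
            return None
        s.last_seen = now
        return s

    def force_logout(self, user_id: int) -> int:
        """Admin action 'force logout customer sessions'; returns the number revoked."""
        return self._drop([sid for sid, s in self._sessions.items() if s.user_id == user_id])

    def purge_idle(self, now: datetime, role: Optional[str] = None) -> int:
        """Background job, e.g. 'clean up expired admin sessions' with role="admin"."""
        return self._drop([sid for sid, s in self._sessions.items()
                           if (role is None or s.role == role)
                           and now - s.last_seen > IDLE_TIMEOUT[s.role]])

    def _drop(self, sids) -> int:
        for sid in sids:
            del self._sessions[sid]
        return len(sids)
```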

Privacy & Data Handling:
- All timestamps stored in UTC in the database
- Timezone auto-detected from user's browser on first visit
- User can manually override timezone in profile settings
- All timestamps displayed in UI converted to user's selected timezone
- IP addresses logged for security purposes and retained for 90 days
- Include IP logging disclosure in Privacy Policy
- Complete account deletion includes purging all user data after retention period

Admin Account Creation:
- Admin accounts created through secure backend process (not public registration)
- Role types: Super Admin and Admin
- All new admin accounts automatically require MFA setup on first login
- Super Admins can create/manage other admin accounts
- Initial Super Admin account created during system setup

Additional Features:
- User-friendly error messages (no technical jargon for customers)
- Detailed error logging for admin troubleshooting
- Visual feedback for form validations
- Loading states for all operations
- Responsive, professional UI design
- Toast notifications for important events
- Audit trail viewer in admin dashboard (searchable and filterable)
- Admin activity dashboard showing recent admin actions

Email Integration:
Prompt me for email service credentials (SMTP settings or API keys) during setup.

Email Templates Needed:
- Email verification (customers)
- Welcome email after verification (customers)
- Password reset (customers)
- Account locked notification (customers)
- Account unlocked by admin notification (customers) - includes security warning
- Password changed confirmation (customers)
- Email change request verification (to NEW email)
- Email change notification (to OLD email with cancel option)
- Email changed confirmation (to both OLD and NEW emails)
- Account deletion confirmation (customers)
- Admin MFA code delivery
- Admin login alert (to all Super Admins)
- Account unlocked by admin alert (to customer with security notice)
- Background job failure alerts (to admins)
- Suspicious admin activity alert (to Super Admins)
- Multiple failed admin login attempts alert (to Super Admins)

Audit Logging:
All admin actions must be logged with:
- Admin user ID and full name
- Timestamp (date and time)
- IP address
- Action type (unlock account, force logout, deactivate account, etc.)
- Customer affected (User ID, name, email)
- Justification/reason provided
- Result (success/failure)
- Session ID

Initial Setup:
- Instructions for creating the first Super Admin account securely
- First Super Admin must set up MFA during initial setup
- Configuration for admin email addresses
- Configuration for Super Admin alert emails
- Configure account lockout settings (20 attempts, 24-hour lockout)
- Configure password complexity requirements
- Configure session timeout settings (customers: 30 min, admins: 15 min)
- Configure admin MFA settings (code expiration, delivery method)

Build a complete, production-ready authentication system with clear security implementations and setup instructions. Keep the implementation simple and straightforward while maintaining good security practices. Take future scaling into consideration.

CRITICAL SECURITY PRINCIPLES:
1. Customers always control their own password resets - admins can only unlock accounts
2. Admins must use MFA for all logins (mandatory, non-optional)
3. Sensitive admin actions require password re-entry
4. All admin actions are logged with full audit trail
5. Customer-facing messages are clear and friendly with no technical jargon
6. Admin dashboard can show technical details for troubleshooting

After You Build

Testing Checklist

Don't skip testing! Verify these critical features:

  • Registration creates account and sends verification email

  • Verification link works and expires after 24 hours

  • Login works with correct credentials

  • Account locks after 20 failed attempts

  • Password reset sends email with working link

  • Admin MFA is required and works

  • Admin can unlock customer accounts

  • All admin actions are logged

  • Background jobs run successfully

  • Error messages are user-friendly (no codes!)

Need detailed testing instructions? Check out my Complete Authentication Guide for step-by-step testing procedures…coming soon.

Ready to Build?

You have everything you need. Copy the prompt, open Replit, and build something amazing.

Security doesn't have to be hard. It just has to be done right.
