MODULE MAP

Module: M-AUTH-01 - Login & Authentication (OrangeHRM)
Generated: 2026-06-04 16:42:52
Input: 00-context.md
Pipeline step: 01


SECTION 1: Persona & Goals

| Persona ID | Name | Role | Primary Goal | Pain Points | Auth States |
|---|---|---|---|---|---|
| PER-01 | Anonymous User | User not yet logged in | Reach the login page, log in, recover password | Wrong credentials, forgotten password, captcha, locked account | Anonymous |
| PER-02 | Employee User | ESS employee | Log in and use self-service functions | Session expired, password expired, redirect to the wrong role | Authenticated |
| PER-03 | Supervisor User | Direct manager | Log in and access own information and direct reports | Wrong permissions after login, session timeout | Authenticated |
| PER-04 | HR Admin | HR administrator | Log in, manage users, unlock accounts within own permissions | Locked accounts, user support requests to handle | Authenticated |
| PER-05 | Global Admin | System-wide administrator | Log in and access every administration function | Needs exceptions from lockout and password expiry | Authenticated |
| PER-06 | System | Authentication service | Validate credentials, session, lockout, captcha, OTP | Integration errors with SMTP, captcha, authenticator app | System |

Persona Relationships

| From | To | Relationship | Description |
|---|---|---|---|
| PER-04 | PER-02 | Manages account | HR Admin can manage and unlock Employee accounts within own permissions |
| PER-04 | PER-03 | Manages account | HR Admin can manage Supervisor accounts within own permissions |
| PER-05 | PER-04 | Higher privilege | Global Admin has broader rights than HR Admin across the whole system |
| PER-03 | PER-02 | Supervises | Supervisor can access subordinate employees' information after logging in |
| PER-06 | PER-01 | Authenticates | System validates credentials and orchestrates the login flow for the Anonymous User |

SECTION 2: Feature List

| Feature ID | Feature Name | Description | Persona | Priority | Phase | Complexity | Estimated US Count |
|---|---|---|---|---|---|---|---|
| F-AUTH-001 | View login page | User opens OrangeHRM and sees the login screen with username, password, login button and forgot password link | PER-01 | Must | 1 | Low | 1 |
| F-AUTH-002 | Enter login details | User enters username and password on the login form | PER-01 | Must | 1 | Low | 1 |
| F-AUTH-003 | Submit login | System validates username, password, account status and failed attempts | PER-01/PER-06 | Must | 1 | Medium | 4 |
| F-AUTH-004 | Demo login | Support the demo credential username admin and password admin123 in the training environment | PER-01 | Must | 1 | Low | 1 |
| F-AUTH-005 | Invalid login message | Show the Invalid credentials error when username or password is wrong | PER-01 | Must | 1 | Low | 1 |
| F-AUTH-006 | Forgot password navigation | User clicks the forgot password link on the login page to reach the recovery page | PER-01 | Should | 2 | Low | 1 |
| F-AUTH-007 | Reset password by email | User enters a registered email to receive a reset link and set a new password | PER-01/PER-06 | Should | 2 | Medium | 4 |
| F-AUTH-008 | Account lockout | System locks the account for 30 minutes after 5 consecutive failed logins | PER-01/PER-06 | Should | 2 | Medium | 3 |
| F-AUTH-009 | Captcha after failed login | System shows a captcha on the next login attempt after 5 failures | PER-01/PER-06 | Should | 2 | Medium | 3 |
| F-AUTH-010 | Redirect on password expiry | User is sent to change password when the password expires after 30 days | PER-02/PER-03/PER-04 | Should | 2 | Medium | 3 |
| F-AUTH-011 | Two-factor authentication | User must enter an OTP after a valid password | PER-01/PER-06 | Could | 3 | High | 6 |
| F-AUTH-012 | Logout | Authenticated user ends the current session | PER-02/PER-03/PER-04/PER-05 | Must | 1 | Low | 1 |
| F-AUTH-013 | Role-based landing | System redirects the user after login according to the assigned role | PER-02/PER-03/PER-04/PER-05/PER-06 | Must | 1 | Medium | 3 |
| F-AUTH-014 | Session timeout | System ends the session and redirects to login when the user is inactive beyond the configured timeout | PER-02/PER-03/PER-04/PER-05/PER-06 | Must | 1 | Medium | 3 |

Priority Definitions

Complexity Definitions


SECTION 3: Module Breakdown

Module: M-AUTH-01 - Login & Authentication

Module Overview

| Attribute | Value |
|---|---|
| Module ID | M-AUTH-01 |
| Module Name | Login & Authentication |
| Module Type | INTERNAL_TOOL |
| Primary Persona | PER-01 |
| Business Domain | HR Administration - Authentication |
| Total Features | 14 |
| Total Estimated US | 35 |

Sub-module: M-AUTH-01.1 - Login & Credential Validation

Overview

| Attribute | Value |
|---|---|
| Sub-module ID | M-AUTH-01.1 |
| Name | Login & Credential Validation |
| Objective | Let the Anonymous User reach the login page, enter credentials, submit them and receive the validation result. This sub-module also covers demo login and role-based landing after a successful login. |
| Primary Actor | PER-01 |
| Complexity | Medium |

Features in this Sub-module

| Feature ID | Feature Name | Priority |
|---|---|---|
| F-AUTH-001 | View login page | Must |
| F-AUTH-002 | Enter login details | Must |
| F-AUTH-003 | Submit login | Must |
| F-AUTH-004 | Demo login | Must |
| F-AUTH-005 | Invalid login message | Must |
| F-AUTH-013 | Role-based landing | Must |

Related Business Rules

| Rule ID | Rule Name | Description |
|---|---|---|
| BR-AUTH-001 | Username required | If username is empty, show Required |
| BR-AUTH-002 | Password required | If password is empty, show Required |
| BR-AUTH-003 | Demo credential | Username admin with password admin123 may log in in the training demo |
| BR-AUTH-004 | Username case-insensitive | Username is normalized per D-01 |
| BR-AUTH-005 | Wrong credential handling | Show Invalid credentials per D-02 |
| BR-AUTH-014 | Role redirect | Admin to Admin module, ESS to My Info, no role to Dashboard per D-10 |
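The rules BR-AUTH-001 to BR-AUTH-005 and BR-AUTH-014 above describe one decision sequence: required-field checks, username normalization, a credential compare that yields a single generic error, then the role-based landing. The following is an added example written for this module map; it is not OrangeHRM code. The in-memory user store, the PBKDF2 hashing scheme, the two non-demo accounts and their passwords, and every function name are assumptions for illustration; only the admin/admin123 demo credential and the landing names come from the page.

```python
"""Credential validation and role-based landing modelled on BR-AUTH-001 to
BR-AUTH-005 and BR-AUTH-014. Added example, not OrangeHRM code: the user
store, PBKDF2 hashing and function names are assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List

PBKDF2_ITERATIONS = 100_000  # assumed work factor for the example hashing scheme


@dataclass
class UserAccount:
    username: str                # stored already normalized (BR-AUTH-004)
    salt: bytes
    password_hash: bytes
    roles: List[str] = field(default_factory=list)


def normalize_username(raw: str) -> str:
    """BR-AUTH-004 / D-01: usernames are case-insensitive, so the lookup key is
    the casefolded, whitespace-trimmed form rather than the raw input."""
    return raw.strip().casefold()


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_account(username: str, password: str, roles: List[str]) -> UserAccount:
    salt = os.urandom(16)
    return UserAccount(normalize_username(username), salt, hash_password(password, salt), list(roles))


# Constructed user store. "Admin"/"admin123" mirrors the demo credential of
# BR-AUTH-003; the other two accounts and passwords are made up for the example.
USERS: Dict[str, UserAccount] = {
    acc.username: acc
    for acc in (
        make_account("Admin", "admin123", ["Admin"]),
        make_account("ess.user", "Ess-Pass-1", ["ESS"]),
        make_account("norole", "NoRole-Pass-1", []),
    )
}

# Dummy salt/hash used when the username does not exist, so an unknown user
# costs the same PBKDF2 work as a wrong password and response timing does not
# reveal which of the two happened.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("dummy", _DUMMY_SALT)


def landing_for(roles: List[str]) -> str:
    """BR-AUTH-014 / D-10: Admin -> Admin module, ESS -> My Info, no role -> Dashboard."""
    if "Admin" in roles:
        return "Admin module"
    if "ESS" in roles:
        return "My Info"
    return "Dashboard"


def validate_login(username: str, password: str) -> dict:
    """Apply the rules in order: required fields, normalization, constant-time
    password compare, then the landing decision."""
    field_errors = {}
    if not username.strip():
        field_errors["username"] = "Required"   # BR-AUTH-001
    if not password:
        field_errors["password"] = "Required"   # BR-AUTH-002
    if field_errors:
        return {"ok": False, "field_errors": field_errors}

    account = USERS.get(normalize_username(username))
    if account is None:
        expected, salt = _DUMMY_HASH, _DUMMY_SALT
    else:
        expected, salt = account.password_hash, account.salt
    password_ok = hmac.compare_digest(hash_password(password, salt), expected)

    if account is None or not password_ok:
        # BR-AUTH-005 / D-02: one generic message for unknown user and wrong password
        return {"ok": False, "message": "Invalid credentials"}
    return {"ok": True, "username": account.username, "landing": landing_for(account.roles)}
```

The dummy-hash branch is the detail worth copying: without it, an unknown username returns faster than a wrong password, and the "Invalid credentials" wording of BR-AUTH-005 would be undermined by a timing side channel.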

Planned User Stories

| US ID | User Story Name | Priority | Complexity |
|---|---|---|---|
| US-AUTH-001 | View login page | Must | S |
| US-AUTH-002 | Enter username and password | Must | S |
| US-AUTH-003 | Validate required fields | Must | S |
| US-AUTH-004 | Validate username case-insensitively | Must | M |
| US-AUTH-005 | Validate correct credentials | Must | M |
| US-AUTH-006 | Validate wrong credentials | Must | S |
| US-AUTH-007 | Log in with the demo credential | Must | S |
| US-AUTH-008 | Show invalid credentials message | Must | S |
| US-AUTH-009 | Redirect Admin after login | Must | M |
| US-AUTH-010 | Redirect ESS after login | Must | M |
| US-AUTH-011 | Redirect to Dashboard when no role | Must | S |

Planned API Endpoints

| Method | Endpoint | Description | Auth Required |
|---|---|---|---|
| GET | /web/index.php/auth/login | Show the login page | No |
| POST | /web/index.php/auth/validate | Validate username and password | No |
| GET | /web/index.php/auth/currentUser | Get the current user context and role after login | Yes |

Database Entities

| Entity | Key Fields | Relationships |
|---|---|---|
| UserAccount | id, username, email, password_hash, status, failed_login_count | N-1 with Employee; 1-N with LoginAttempt; 1-N with AuthSession |
| Employee | id, employee_number, employment_status, work_email | 1-N with UserAccount |
| UserRole | id, role_code, role_name, role_type | 1-N with UserRoleAssignment |
| UserRoleAssignment | id, user_account_id, user_role_id | N-1 with UserAccount; N-1 with UserRole |
| LoginAttempt | id, user_account_id, username_submitted, result, attempted_at | N-1 with UserAccount |

Planned UI Screens

| Screen | Description | Key Components |
|---|---|---|
| Login | Public login screen | OrangeHRM logo, username input, password input, login button, forgot password link |
| Invalid Credentials State | Login page with validation error | Error banner or field-level message Invalid credentials |
| Role Landing | Post-login redirect target | Admin module, My Info, Dashboard |

Sub-module: M-AUTH-01.2 - Password Recovery & Reset

Overview

| Attribute | Value |
|---|---|
| Sub-module ID | M-AUTH-01.2 |
| Name | Password Recovery & Reset |
| Objective | Let the Anonymous User request a password reset by email and set a new password using a valid token. |
| Primary Actor | PER-01 |
| Complexity | Medium |

Features in this Sub-module

| Feature ID | Feature Name | Priority |
|---|---|---|
| F-AUTH-006 | Forgot password navigation | Should |
| F-AUTH-007 | Reset password by email | Should |

Related Business Rules

| Rule ID | Rule Name | Description |
|---|---|---|
| BR-AUTH-006 | Minimum password length | New password must be at least 6 characters per D-06 |
| BR-AUTH-011 | Forgot password identifier | User enters a registered email; a non-existent email shows Account not found per D-07 |
| BR-AUTH-012 | Password reset token | A token that is valid, active and unused allows the password to be updated |
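BR-AUTH-012 and BR-AUTH-006 together define when POST /web/index.php/auth/resetPassword/:token may save a new password. The following added example (not OrangeHRM code) models that token lifecycle against the PasswordResetToken entity listed below in this sub-module: only the SHA-256 of the token is stored in token_hash, and redemption checks status, used_at and expires_at before the password rules. The one-hour token lifetime, the in-memory store, the constructed clock and all function names are assumptions; the page does not fix a lifetime.

```python
"""Password reset token lifecycle for BR-AUTH-012 (valid, active, unused)
and BR-AUTH-006 (new password at least 6 characters). Added example, not
OrangeHRM code: lifetime, store and function names are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

TOKEN_LIFETIME = timedelta(hours=1)   # assumed; the page does not state a lifetime
MIN_PASSWORD_LENGTH = 6               # BR-AUTH-006 / D-06
EXAMPLE_NOW = datetime(2026, 6, 4, 16, 0, tzinfo=timezone.utc)   # constructed clock


@dataclass
class PasswordResetToken:
    id: int
    user_account_id: int
    token_hash: str                   # only the hash is persisted, never the raw token
    status: str                       # "active" or "used"
    expires_at: datetime
    used_at: Optional[datetime] = None


def _hash_token(raw_token: str) -> str:
    return hashlib.sha256(raw_token.encode("utf-8")).hexdigest()


class ResetTokenStore:
    """Stand-in for the PasswordResetToken table."""

    def __init__(self) -> None:
        self.rows: List[PasswordResetToken] = []

    def issue(self, user_account_id: int, now: datetime) -> str:
        """Create a token for the reset email. The raw value is returned once
        for the link; the row keeps only its SHA-256, so a leaked table does
        not yield working reset links."""
        raw_token = secrets.token_urlsafe(32)
        self.rows.append(PasswordResetToken(
            id=len(self.rows) + 1,
            user_account_id=user_account_id,
            token_hash=_hash_token(raw_token),
            status="active",
            expires_at=now + TOKEN_LIFETIME,
        ))
        return raw_token

    def find(self, raw_token: str) -> Optional[PasswordResetToken]:
        wanted = _hash_token(raw_token)
        for row in self.rows:
            if hmac.compare_digest(row.token_hash, wanted):
                return row
        return None


def redeem_reset_token(store: ResetTokenStore, raw_token: str,
                       new_password: str, confirm_password: str, now: datetime) -> str:
    """Decision for POST /web/index.php/auth/resetPassword/:token. Returns
    "ok", "invalid_token", "password_mismatch" or "password_too_short"."""
    row = store.find(raw_token)
    # BR-AUTH-012: token must exist, still be active, never used and not expired.
    # All four failures collapse into one answer so the response does not say which.
    if row is None or row.status != "active" or row.used_at is not None or now >= row.expires_at:
        return "invalid_token"
    if new_password != confirm_password:
        return "password_mismatch"
    if len(new_password) < MIN_PASSWORD_LENGTH:       # BR-AUTH-006
        return "password_too_short"
    # Mark the token consumed at the moment the new password is accepted, so a
    # replay of the same link cannot change the password a second time.
    row.status = "used"
    row.used_at = now
    return "ok"
```

Usage: `store.issue(7, EXAMPLE_NOW)` returns the raw token to embed in the email link; `redeem_reset_token(store, token, pw, pw, EXAMPLE_NOW)` is the server-side decision. Note that the token checks run before the password checks, so a bad token never learns anything about password policy.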

Planned User Stories

| US ID | User Story Name | Priority | Complexity |
|---|---|---|---|
| US-AUTH-012 | Navigate to forgot password | Should | S |
| US-AUTH-013 | Submit email for password reset | Should | M |
| US-AUTH-014 | Show account not found | Should | S |
| US-AUTH-015 | Open reset password with a valid token | Should | M |
| US-AUTH-016 | Save new password and confirm password | Should | M |

Planned API Endpoints

| Method | Endpoint | Description | Auth Required |
|---|---|---|---|
| GET | /web/index.php/auth/requestPasswordResetCode | Show the forgot password page | No |
| POST | /web/index.php/auth/sendPasswordReset | Send the reset password email or show account not found | No |
| GET | /web/index.php/auth/resetPassword/:token | Show the reset password page | No |
| POST | /web/index.php/auth/resetPassword/:token | Save the new password | No |

Database Entities

| Entity | Key Fields | Relationships |
|---|---|---|
| UserAccount | id, email, password_hash, password_changed_at, password_expires_at | 1-N with PasswordResetToken |
| PasswordResetToken | id, user_account_id, token_hash, status, expires_at, used_at | N-1 with UserAccount |
| Employee | id, work_email, employment_status | 1-N with UserAccount |

Planned UI Screens

| Screen | Description | Key Components |
|---|---|---|
| Forgot Password | Recovery request screen | Email field, reset button, cancel link |
| Reset Password | New password screen | New password, confirm password, save button |
| Reset Sent State | Recovery feedback | Reset email sent message or account not found message |

Sub-module: M-AUTH-01.3 - Lockout, Captcha & Password Expiry

Overview

| Attribute | Value |
|---|---|
| Sub-module ID | M-AUTH-01.3 |
| Name | Lockout, Captcha & Password Expiry |
| Objective | Reduce brute-force risk and force users to change an expired password, per the security policy of the training build. |
| Primary Actor | PER-06 |
| Complexity | Medium |

Features in this Sub-module

| Feature ID | Feature Name | Priority |
|---|---|---|
| F-AUTH-008 | Account lockout | Should |
| F-AUTH-009 | Captcha after failed login | Should |
| F-AUTH-010 | Redirect on password expiry | Should |

Related Business Rules

| Rule ID | Rule Name | Description |
|---|---|---|
| BR-AUTH-007 | Password expiry | Password expires after 30 days; Global Admin is exempt per D-05 |
| BR-AUTH-008 | Account lockout | 5 consecutive wrong logins lock the account for 30 minutes; Global Admin is exempt per D-03 |
| BR-AUTH-009 | Captcha threshold | After 5 wrong logins, show a captcha on the next attempt per D-04 |
| BR-AUTH-010 | Disabled account | A Disabled account or a terminated Employee is denied login per D-12 |
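BR-AUTH-007 to BR-AUTH-010 interact: the failed-attempt counter feeds both the lockout (D-03) and the captcha threshold (D-04), Global Admin is exempt from lockout and expiry but not from the captcha, and the captcha-unavailable fallback in the External Dependencies table degrades to lockout only. The following added example (not OrangeHRM code) splits the decision into a pre-password check and a post-password update so the ordering is explicit. The account model, the role name "Global Admin" as the exempt role, the employment status values, the constructed clock and all function names are assumptions.

```python
"""Lockout, captcha and password-expiry decisions for BR-AUTH-007 to
BR-AUTH-010 (D-03, D-04, D-05, D-12). Added example, not OrangeHRM code:
account model, exempt role name and function names are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

FAILED_THRESHOLD = 5                        # D-03 lockout and D-04 captcha threshold
LOCKOUT_DURATION = timedelta(minutes=30)    # D-03
PASSWORD_MAX_AGE = timedelta(days=30)       # D-05
EXEMPT_ROLE = "Global Admin"                # exempt from lockout (D-03) and expiry (D-05)
EXAMPLE_NOW = datetime(2026, 6, 4, 16, 0, tzinfo=timezone.utc)   # constructed clock


@dataclass
class UserAccount:
    username: str
    status: str                    # "Enabled" or "Disabled"
    employment_status: str         # from the linked Employee row
    roles: Tuple[str, ...]
    password_changed_at: datetime
    failed_login_count: int = 0
    locked_until: Optional[datetime] = None
    attempts: List[Tuple[datetime, str]] = field(default_factory=list)   # LoginAttempt rows


def is_exempt(account: UserAccount) -> bool:
    return EXEMPT_ROLE in account.roles


def pre_check(account: UserAccount, now: datetime, captcha_available: bool = True) -> str:
    """Decision before the password is compared. Returns "deny_disabled",
    "deny_locked", "captcha_required" or "proceed"."""
    # BR-AUTH-010 / D-12: disabled account or terminated employee is refused outright
    if account.status == "Disabled" or account.employment_status == "terminated":
        return "deny_disabled"
    # BR-AUTH-008 / D-03: the lock holds until locked_until passes (US-AUTH-019)
    if account.locked_until is not None and now < account.locked_until:
        return "deny_locked"
    # BR-AUTH-009 / D-04: once the threshold was reached, every further attempt
    # needs a captcha. If the captcha service is down, fall back to lockout only.
    if account.failed_login_count >= FAILED_THRESHOLD and captcha_available:
        return "captcha_required"
    return "proceed"


def record_result(account: UserAccount, password_ok: bool, now: datetime) -> str:
    """Decision after the password compare. Returns "invalid_credentials",
    "change_password_required" or "login_ok"."""
    if not password_ok:
        account.failed_login_count += 1          # US-AUTH-017: consecutive failures
        account.attempts.append((now, "failed"))
        if account.failed_login_count >= FAILED_THRESHOLD and not is_exempt(account):
            account.locked_until = now + LOCKOUT_DURATION   # US-AUTH-018
        return "invalid_credentials"
    # A correct password ends the failure streak and clears any stale lock.
    account.failed_login_count = 0
    account.locked_until = None
    account.attempts.append((now, "success"))
    # BR-AUTH-007 / D-05: an expired password forces the change-password screen
    if not is_exempt(account) and now - account.password_changed_at >= PASSWORD_MAX_AGE:
        return "change_password_required"
    return "login_ok"


def make_account(username: str, roles: Tuple[str, ...], password_age: timedelta,
                 status: str = "Enabled", employment_status: str = "active") -> UserAccount:
    """Constructed accounts for the example; password_age is measured from EXAMPLE_NOW."""
    return UserAccount(username, status, employment_status, roles, EXAMPLE_NOW - password_age)
```

One consequence the code makes visible: for a non-exempt user the fifth failure both locks the account and arms the captcha, so after the 30 minutes pass the next attempt is allowed but must carry a captcha; for Global Admin the lock never engages, so the captcha is the only brake on repeated failures.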

Planned User Stories

| US ID | User Story Name | Priority | Complexity |
|---|---|---|---|
| US-AUTH-017 | Count consecutive failed logins | Should | M |
| US-AUTH-018 | Lock account after threshold | Should | M |
| US-AUTH-019 | Allow login again after the lockout duration | Should | M |
| US-AUTH-020 | Show captcha after threshold | Should | M |
| US-AUTH-021 | Validate captcha as required | Should | M |
| US-AUTH-022 | Handle captcha service unavailable | Should | M |
| US-AUTH-023 | Detect expired password | Should | M |
| US-AUTH-024 | Redirect to change password | Should | M |
| US-AUTH-025 | Handle the Global Admin exception for expiry | Should | S |

Planned API Endpoints

| Method | Endpoint | Description | Auth Required |
|---|---|---|---|
| POST | /web/index.php/auth/validate | Update failed count, lockout, captcha and expiry decision | No |
| POST | /web/index.php/auth/admin/unlockUser | HR Admin or Global Admin unlocks a user account | Yes |
| GET | [TBC - Tech Lead] | Show the change password page when the password has expired | Yes |

Database Entities

| Entity | Key Fields | Relationships |
|---|---|---|
| UserAccount | id, failed_login_count, locked_until, password_expires_at, status | 1-N with LoginAttempt |
| LoginAttempt | id, user_account_id, result, failure_reason, attempted_at | N-1 with UserAccount |
| Employee | id, employment_status | 1-N with UserAccount |
| UserRoleAssignment | user_account_id, user_role_id | N-1 with UserAccount; N-1 with UserRole |

Planned UI Screens

| Screen | Description | Key Components |
|---|---|---|
| Login with Captcha | Login screen after the failed threshold | Username, password, captcha field, login button |
| Account Locked | Locked account state | Lockout message, contact admin guidance |
| Change Password | Password expiry redirect screen | New password, confirm password, save button |

Sub-module: M-AUTH-01.4 - Two-Factor Authentication

Overview

| Attribute | Value |
|---|---|
| Sub-module ID | M-AUTH-01.4 |
| Name | Two-Factor Authentication |
| Objective | Require an OTP from every user after a valid password, before the login session is completed. |
| Primary Actor | PER-01 |
| Complexity | High |

Features in this Sub-module

| Feature ID | Feature Name | Priority |
|---|---|---|
| F-AUTH-011 | Two-factor authentication | Could |

Related Business Rules

| Rule ID | Rule Name | Description |
|---|---|---|
| BR-AUTH-013 | 2FA mandatory | After a valid password, every user must enter an OTP per D-08 |

Planned User Stories

| US ID | User Story Name | Priority | Complexity |
|---|---|---|---|
| US-AUTH-026 | Switch to OTP Required after a valid password | Could | M |
| US-AUTH-027 | Enter OTP code | Could | S |
| US-AUTH-028 | Validate a correct OTP | Could | L |
| US-AUTH-029 | Handle wrong or expired OTP | Could | M |
| US-AUTH-030 | Resend OTP or request a new code | Could | M |
| US-AUTH-031 | Record OTP verified in the session | Could | M |

Planned API Endpoints

| Method | Endpoint | Description | Auth Required |
|---|---|---|---|
| POST | [TBC - Tech Lead] | Validate the OTP code after a valid password | No |
| POST | [TBC - Tech Lead] | Resend or refresh the OTP challenge | No |

Database Entities

| Entity | Key Fields | Relationships |
|---|---|---|
| TwoFactorAuthDevice | id, user_account_id, secret_key, status, last_verified_at | N-1 with UserAccount |
| UserAccount | id, username, status | 1-N with TwoFactorAuthDevice |
| AuthSession | id, user_account_id, status | N-1 with UserAccount |

Planned UI Screens

| Screen | Description | Key Components |
|---|---|---|
| OTP Verification | Second-factor verification screen | OTP code field, verify button, resend code |
| OTP Error State | OTP validation failure | OTP error message, retry action |

Sub-module: M-AUTH-01.5 - Session & Logout

Overview

| Attribute | Value |
|---|---|
| Sub-module ID | M-AUTH-01.5 |
| Name | Session & Logout |
| Objective | Manage active sessions, time them out when the user is inactive, and log out the current session. |
| Primary Actor | PER-02 |
| Complexity | Medium |

Features in this Sub-module

| Feature ID | Feature Name | Priority |
|---|---|---|
| F-AUTH-012 | Logout | Must |
| F-AUTH-014 | Session timeout | Must |

Related Business Rules

| Rule ID | Rule Name | Description |
|---|---|---|
| BR-AUTH-015 | Session timeout | The session expires if the user is inactive beyond the configured time per D-09 |
| BR-AUTH-016 | Logout own session | An authenticated user can only log out their own session, unless HR Admin or Global Admin holds the admin session right per ABAC |

Planned User Stories

| US ID | User Story Name | Priority | Complexity |
|---|---|---|---|
| US-AUTH-032 | Log out active session | Must | S |
| US-AUTH-033 | Expire session after inactivity | Must | M |
| US-AUTH-034 | Redirect to login when the session has expired | Must | S |
| US-AUTH-035 | Update the session's last activity | Must | M |

Planned API Endpoints

| Method | Endpoint | Description | Auth Required |
|---|---|---|---|
| POST | /web/index.php/auth/logout | Log out the current user | Yes |
| GET | /web/index.php/auth/currentUser | Get the current session and user context | Yes |
| N/A | N/A | Session timeout is handled server-side from last_activity_at and expires_at | Yes |
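The endpoint table says the timeout is decided server-side from last_activity_at and expires_at, and BR-AUTH-016 restricts logout to the caller's own session unless the ABAC admin-session right applies. The following added example (not OrangeHRM code) is a minimal session store that implements both: every authenticated request calls `touch`, which either slides the idle window or marks the session expired so the caller can redirect to login. The 30-minute idle timeout stands in for the configurable value of D-09; the store, the admin-right flag, the constructed clock and the function names are assumptions.

```python
"""Server-side session timeout (BR-AUTH-015) and own-session logout
(BR-AUTH-016) over the AuthSession fields last_activity_at and expires_at.
Added example, not OrangeHRM code: timeout value, store and names are assumed."""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict

IDLE_TIMEOUT = timedelta(minutes=30)      # assumed value; D-09 makes it configurable
EXAMPLE_NOW = datetime(2026, 6, 4, 16, 0, tzinfo=timezone.utc)   # constructed clock


@dataclass
class AuthSession:
    session_id: str
    user_account_id: int
    status: str                 # "active", "expired" or "logged_out"
    last_activity_at: datetime
    expires_at: datetime


class SessionStore:
    """Stand-in for the AuthSession table, keyed by session_id."""

    def __init__(self) -> None:
        self.sessions: Dict[str, AuthSession] = {}

    def create(self, user_account_id: int, now: datetime) -> str:
        # 256-bit random id: the cookie value must not be guessable or sequential
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = AuthSession(session_id, user_account_id, "active",
                                                now, now + IDLE_TIMEOUT)
        return session_id

    def touch(self, session_id: str, now: datetime) -> str:
        """Called on every authenticated request (US-AUTH-035). Returns "active"
        when the request may proceed; any other value means the caller must
        redirect to the login page (US-AUTH-034)."""
        session = self.sessions.get(session_id)
        if session is None:
            return "unknown"
        if session.status != "active":
            return session.status
        # BR-AUTH-015: the server clock decides, never a client-supplied timestamp
        if now >= session.expires_at:
            session.status = "expired"                     # US-AUTH-033
            return "expired"
        session.last_activity_at = now
        session.expires_at = now + IDLE_TIMEOUT            # sliding idle window
        return "active"

    def logout(self, session_id: str, actor_user_id: int, now: datetime,
               actor_has_admin_session_right: bool = False) -> str:
        """BR-AUTH-016: a user may end only their own session; ending another
        user's session needs the ABAC admin-session right (HR Admin / Global Admin)."""
        session = self.sessions.get(session_id)
        if session is None:
            return "unknown"
        if session.user_account_id != actor_user_id and not actor_has_admin_session_right:
            return "forbidden"
        if session.status == "active":
            session.status = "logged_out"                  # US-AUTH-032
            session.last_activity_at = now
        return "ok"
```

The expired row is kept with status "expired" rather than deleted, so a later request with the stale cookie is answered with the reason for the redirect and the AuthSession history stays available for incident review.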

Database Entities

| Entity | Key Fields | Relationships |
|---|---|---|
| AuthSession | id, user_account_id, session_id, status, last_activity_at, expires_at | N-1 with UserAccount |
| UserAccount | id, last_login_at, status | 1-N with AuthSession |
| LoginAttempt | id, user_account_id, result | N-1 with UserAccount |

Planned UI Screens

| Screen | Description | Key Components |
|---|---|---|
| Session Expired | User is redirected on timeout | Message, login again CTA |
| Logout Action | Authenticated user logs out | User menu, logout action |
| Login After Logout | Login page after logout | Login form, logged out state if supported |

SECTION 4: Dependency Map

Internal Dependencies

| Module | Depends On | Dependency Type | Required for Phase | Notes |
|---|---|---|---|---|
| M-AUTH-01 | HR Administration | Hard | 1 | Needs user account, user status and the unlock account capability |
| M-AUTH-01 | Employee Management | Hard | 1 | UserAccount links to Employee and employment_status |
| M-AUTH-01 | User Role Management | Hard | 1 | Needs role assignment for role-based redirect and permissions |
| M-AUTH-01 | Dashboard | Hard | 1 | Landing page after a successful login |
| M-AUTH-01 | Email Notification | Hard | 2 | Needs the SMTP/email flow for password reset |
| M-AUTH-01 | Security Configuration | Hard | 2 | Needs the policy for lockout, captcha, password expiry and session timeout |

Dependency Types:

External Dependencies

| Module | External Service | Purpose | Required | Fallback |
|---|---|---|---|---|
| M-AUTH-01 | SMTP Server | Send the reset password email | Yes | HR Admin resets the password manually [TBC - PO] |
| M-AUTH-01 | Captcha Service | Block bots after repeated failed logins | No | Disable captcha and rely on the lockout policy only [TBC - Security Lead] |
| M-AUTH-01 | Authenticator App | Generate and verify OTP for 2FA | Yes | Temporarily disable F-AUTH-011 if 2FA is not enabled in Phase 3 [TBC - Security Lead] |
| M-AUTH-01 | SSO Identity Provider | Enterprise identity login | No | Out of scope OS-05 |

Dependency Diagram (Text Format)

M-AUTH-01 (Login & Authentication)
  |
  +---> HR Administration (user account, status, unlock)
  |
  +---> Employee Management (employee record, employment status)
  |
  +---> User Role Management (role assignment, role redirect)
  |
  +---> Dashboard (post-login landing)
  |
  +---> Email Notification (password reset email)
  |
  +---> Security Configuration (lockout, captcha, expiry, timeout)
          |
          +---> SMTP Server
          +---> Captcha Service
          +---> Authenticator App

SECTION 5: Phase Deployment Plan

Phase Overview

| Phase | Name | Features | Success Criteria | Timeline |
|---|---|---|---|---|
| 1 | MVP | F-AUTH-001, F-AUTH-002, F-AUTH-003, F-AUTH-004, F-AUTH-005, F-AUTH-012, F-AUTH-013, F-AUTH-014 | An active user can log in, log out, receive the standard credential error, be redirected by role, and session timeout works | Sprint 1-2 [TBC - PO] |
| 2 | Recovery and Security | F-AUTH-006, F-AUTH-007, F-AUTH-008, F-AUTH-009, F-AUTH-010 | Forgot password, lockout, captcha and password expiry work according to the Decision Registry | Sprint 3-4 [TBC - PO] |
| 3 | Advanced Auth | F-AUTH-011 | OTP is mandatory after a valid password, with a fallback when the service is unavailable | Sprint 5-6 [TBC - PO] |

Phase 1 (MVP) Detail

Included Features:

| Feature ID | Feature Name | Reason for MVP |
|---|---|---|
| F-AUTH-001 | View login page | Mandatory entry point for every Anonymous User |
| F-AUTH-002 | Enter login details | Core input for authentication |
| F-AUTH-003 | Submit login | Core validation and session creation |
| F-AUTH-004 | Demo login | Needed for the training environment and classroom testing |
| F-AUTH-005 | Invalid login message | Needed for basic error handling and security UX |
| F-AUTH-012 | Logout | Needed to end sessions safely |
| F-AUTH-013 | Role-based landing | Needed so the user lands in the right module after login |
| F-AUTH-014 | Session timeout | Needed to control active sessions and inactivity risk |

Excluded from MVP:

| Feature ID | Feature Name | Reason for Exclusion | Target Phase |
|---|---|---|---|
| F-AUTH-006 | Forgot password navigation | Recovery flow matters but does not block MVP login | 2 |
| F-AUTH-007 | Reset password by email | Depends on Email Notification and SMTP | 2 |
| F-AUTH-008 | Account lockout | Security enhancement that needs Security Configuration | 2 |
| F-AUTH-009 | Captcha after failed login | Depends on the Captcha Service if enabled | 2 |
| F-AUTH-010 | Redirect on password expiry | Needs the password policy and the change password flow | 2 |
| F-AUTH-011 | Two-factor authentication | Advanced auth with many integrations and settings still to confirm | 3 |

MVP Exit Criteria:


SECTION 6: Risks & Assumptions

Risks

| Risk ID | Description | Impact | Probability | Mitigation |
|---|---|---|---|---|
| R-001 | The context contains training defect seeds that differ from the OrangeHRM public demo policy | High | Medium | Confirm the policy with the Instructor and Security Lead before class |
| R-002 | Forgot password showing Account not found carries a user enumeration risk | High | High | Document it as a defect seed per D-07 and require trainees to log the bug |
| R-003 | Mandatory 2FA for every user may not be supported by the OrangeHRM demo | High | Medium | Confirm the system setting per OQ-07 before testing Phase 3 |
| R-004 | Captcha threshold and lockout threshold may not match the standard OrangeHRM documentation | Medium | High | Use Decision Registry D-03 and D-04 for the training build; log the mismatch if comparing against the public demo |
| R-005 | SMTP or the Captcha Service is unavailable in the test environment | Medium | Medium | Prepare a manual fallback or a mock service [TBC - Tech Lead] |

Assumptions

| Assumption ID | Description | Risk if Wrong | Validation Method |
|---|---|---|---|
| A-001 | The login identifier is the username and it is case-insensitive | Login casing test cases may fail | Verify on the public demo and confirm with PO per D-01 |
| A-002 | The demo credential admin / admin123 applies to the training environment | Trainees cannot log in to the demo | Verify before the session per D-11 |
| A-003 | Lockout after 5 failed attempts, for 30 minutes | Security tests mismatch the real policy | Confirm with Security Lead per D-03 |
| A-004 | Captcha appears after 5 failed attempts | UI tests mismatch the threshold | Confirm with Security Lead per D-04 |
| A-005 | Password expires after 30 days | The expiry flow may not appear on the demo | Confirm with Security Lead per D-05 |
| A-006 | 2FA is mandatory for every user in Phase 3 | The flow may not match the OrangeHRM instance | Confirm with System Admin per D-08 |
| A-007 | The session timeout duration is configurable | Timeout cannot be tested if the setting is missing | Confirm with PO/Tech Lead per D-09 |

SECTION 7: Open Questions

| Question ID | Question | Category | Owner | Due Date | Status |
|---|---|---|---|---|---|
| OQ-001 | Will trainees test on the public OrangeHRM demo or on a local installation? | Technical | Instructor | [TBC - Instructor] | Open |
| OQ-002 | Is the login username case-sensitive in the test environment? | Business | PO | [TBC - PO] | Open |
| OQ-003 | Should forgot password use the username or the email in the training build? | Business | PO | [TBC - PO] | Open |
| OQ-004 | Is the exact minimum password length for the training build 6, or does it follow the standard OrangeHRM policy? | Technical | Security Lead | [TBC - Security Lead] | Open |
| OQ-005 | Is the exact lockout threshold for the training build 5, or does it follow the standard OrangeHRM policy? | Technical | Security Lead | [TBC - Security Lead] | Open |
| OQ-006 | Should the captcha appear after 5 attempts or after a different configured threshold? | Technical | Security Lead | [TBC - Security Lead] | Open |
| OQ-007 | Is 2FA enabled in the OrangeHRM environment under test? | Technical | System Admin | [TBC - System Admin] | Open |
| OQ-008 | Which roles need to exist in the class test data? | Business | Instructor | [TBC - Instructor] | Open |
| OQ-009 | Should account recovery reveal whether an account exists? | Business | Security Lead | [TBC - Security Lead] | Open |
| OQ-010 | Should trainees log requirement defects, UI bugs, or both? | Business | Instructor | [TBC - Instructor] | Open |

SELF-CHECK (Global Rules)