# Data Model: Authentication (SP-01)

**Feature**: Admin authentication with Bearer tokens
**Completed**: 2026-06-01

---

## Entity: Admin

### Description
The single system user (Admin). Pre-seeded via environment variables, not self-registered.

### Fields

| Field | Type | Constraints | Notes |
|-------|------|-------------|-------|
| id | BIGINT UNSIGNED | PK, AUTO_INCREMENT | Standard ID |
| name | VARCHAR(100) | NOT NULL | Admin's display name |
| email | VARCHAR(150) | UNIQUE, NOT NULL | Login identifier |
| password | VARCHAR(255) | NOT NULL | bcrypt hashed |
| created_at | TIMESTAMP | | Laravel timestamps |
| updated_at | TIMESTAMP | | Laravel timestamps |

### Relationships
- Admin has many Personal Access Tokens (Sanctum relationship via HasApiTokens trait)

### Validation Rules
- email: required, valid email format, unique in admins table
- password: required, string, minimum 8 characters (Laravel's `Password::defaults()` rule; the older `min:6` is not a framework default and should not be used). Only the bcrypt hash is ever stored.
- name: required, string, max 100 characters

---

## Entity: Personal Access Token (Sanctum-managed)

### Description
This table is **automatically managed by Laravel Sanctum**. No custom modifications or tasks are needed for this entity. Sanctum handles token creation, hashing, and deletion.

### Fields

| Field | Type | Constraints | Notes |
|-------|------|-------------|-------|
| id | BIGINT UNSIGNED | PK, AUTO_INCREMENT | |
| tokenable_type | VARCHAR(255) | NOT NULL | Morph key (App\Models\Admin) |
| tokenable_id | BIGINT UNSIGNED | NOT NULL | FK to admin |
| name | VARCHAR(255) | NOT NULL | Token name (e.g., "auth-token") |
| token | VARCHAR(64) | UNIQUE, NOT NULL | SHA-256 hash |
| abilities | TEXT | NULLABLE | JSON array of abilities |
| last_used_at | TIMESTAMP | NULLABLE | Last token usage |
| expires_at | TIMESTAMP | NULLABLE | Optional expiration |

### Note
Sanctum stores only `hash('sha256', $plaintext)` in the `token` column, satisfying FR-008; the plaintext token is returned to the client exactly once, as `NewAccessToken::$plainTextToken`, in the form `{id}|{plaintext}`. On each request Sanctum's `findToken()` splits on `|`, loads the row by id and compares `hash_equals($row->token, hash('sha256', $plaintext))`, so a database dump alone cannot be replayed as a Bearer token. Two operational caveats: `expires_at` is only set when an expiration is passed to `createToken()` or `sanctum.expiration` is configured (the default is no expiry), and expired rows are not removed automatically; schedule `php artisan sanctum:prune-expired` for that.

---

## Migration Sequence

1. `create_admins_table` — Creates admins table
2. Sanctum's `create_personal_access_tokens_table` — Creates tokens table (automatic with Sanctum install)

---

## State Transitions

### Admin Login Flow
```
1. Admin submits email + password
2. System looks up the admin by email and checks the password against the stored bcrypt hash (Hash::check)
3. On success: Sanctum creates a token (stores the SHA-256 hash), returns the plaintext Bearer token once
4. On failure: Return 401 with the same generic message for unknown email and wrong password
```

### Admin Logout Flow
```
1. Authenticated Admin calls DELETE /logout with Bearer token
2. System validates token (auth:sanctum)
3. The token that authenticated this request is deleted from personal_access_tokens (other tokens of the admin stay valid)
4. Returns 200
```
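The two flows above, as an added example (not the project's own controller or routes). Route names, the controller name and the 12-hour token lifetime are assumptions; the Sanctum calls (`createToken`, `plainTextToken`, `currentAccessToken`) are the library's real API.

```php
<?php
// Added example, not the project's own code. Assumed: AuthController name, /login and
// /logout routes, a 12-hour token lifetime and a 5-per-minute login throttle.

// --- app/Http/Controllers/AuthController.php ---
namespace App\Http\Controllers;

use App\Models\Admin;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;

class AuthController extends Controller
{
    // Login flow, steps 1-4.
    public function login(Request $request): JsonResponse
    {
        $credentials = $request->validate([
            'email'    => ['required', 'email'],
            'password' => ['required', 'string'],
        ]);

        $admin = Admin::where('email', $credentials['email'])->first();

        // Unknown email still costs one bcrypt operation, so response time does not
        // reveal whether the address exists. Hash::check is bcrypt's constant-time verify.
        $stored = $admin?->password ?? Hash::make('no-such-admin');

        if ($admin === null || ! Hash::check($credentials['password'], $stored)) {
            // One generic message for both failure cases (no account enumeration).
            return response()->json(['message' => 'Invalid credentials.'], 401);
        }

        // Sanctum stores sha256($plaintext) in personal_access_tokens.token and hands the
        // plaintext "id|token" back exactly once; it cannot be recovered from the database.
        $token = $admin->createToken('auth-token', ['*'], now()->addHours(12));

        return response()->json([
            'token'      => $token->plainTextToken,
            'token_type' => 'Bearer',
            'expires_at' => $token->accessToken->expires_at,
        ]);
    }

    // Logout flow: revoke only the token that authenticated this request.
    public function logout(Request $request): JsonResponse
    {
        $request->user()->currentAccessToken()->delete();

        return response()->json(['message' => 'Logged out.']); // 200
    }
}

// --- routes/api.php ---
use App\Http\Controllers\AuthController;
use Illuminate\Support\Facades\Route;

// Throttle the credential check; an unauthenticated endpoint that runs bcrypt is a
// brute-force and CPU-exhaustion target.
Route::post('/login', [AuthController::class, 'login'])->middleware('throttle:5,1');

// auth:sanctum resolves the Bearer token to its Admin; without it $request->user() is null.
Route::delete('/logout', [AuthController::class, 'logout'])->middleware('auth:sanctum');
```

Passing an expiration to `createToken()` populates `expires_at` per token; `sanctum.expiration` (minutes since `created_at`) is an alternative global bound, and Sanctum enforces both when present. If the application later gains a second tokenable model, set `auth.guards.sanctum.provider` to an `admins` provider so that only Admin tokens are accepted on these routes; with the default `provider => null` the `sanctum` guard accepts any tokenable model.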

---

## Data Constraints

- No soft deletes on admins (Constitution rule)
- No deletion of admin record (Constitution rule)
- Token hashed via SHA-256 (Sanctum default)
- Email unique constraint enforced at database level