Social Media App Development -- 2

Client: AI | Published: 23.09.2025
Budget: 150 $

We’re building a PHP/MySQL web app and need a production-ready authentication system plus a reusable “gate” (guard) that enforces session, status, and access rules across protected pages. Deliver clean, documented code that fits an existing /inc structure.

Tech Stack & Environment
- Backend: PHP 8.2+ (PSR-12), Composer (autoload), PDO/mysqli with prepared statements
- DB: MySQL 8+ / InnoDB / utf8mb4_unicode_ci
- Server: Apache or Nginx on Linux
- Version control: Git
- Front end: plain PHP templates (no heavy framework required)

Objectives
- Implement secure login/logout, registration, email verification, and password reset.
- Create a centralized Gate that checks $_SESSION['USERID'] and user state (active/paid/verified) before loading protected pages.
- Finalize the acct and acct_profile schema (with logging/audit tables).
- Replace any ad-hoc test shortcuts with proper, auditable flows.
- Ship tests, documentation, and a clean handoff.

Scope & Deliverables

A) /inc Folder (new or updated)
- inc/config.php – env config loader (.env.example, no secrets in repo)
- inc/db.php – DB connection (PDO preferred), error handling
- inc/session.php – secure session start (HttpOnly, SameSite, regeneration)
- inc/csrf.php – CSRF token helpers (forms + headers)
- inc/auth.php – register/login/logout/reset/verify; Argon2id; rate-limit hooks
- inc/gate.php – guard: asserts logged-in + state machine (active/paid/verified), redirects otherwise
- inc/roles.php – role/permission helpers (admin, member)
- inc/track.php – request/login audit hooks
- inc/bootstrap.php – common bootstrap: require config, db, session, csrf, auth, roles, track

B) Page Integrations
- Protected pages include at the top: require __DIR__.'/inc/bootstrap.php'; Gate::require('member');
- Replace temporary confirmation/quick-login stubs with signed verification/reset flows.

C) Database (DDL + Migrations + Seeds)
- acct table: id (BINARY(16)/UUID), email (unique), pass_hash, pass_algo, status, created_at, last_login_at, email_verified_at, pass_changed_at.
- acct_profile table: profile fields incl. dob DATE; booleans like active/paid/verified per final design.
- Logs: login_log, password_history, recovery_log, optional change_log.
- Triggers for password history and insert audit entries.
- Up/down SQL migrations + seed (dummy user).
- Collation utf8mb4_unicode_ci, engine InnoDB.

D) Security & Reliability
- Argon2id hashing; timing-safe compares.
- CSRF on all state-changing routes; optional origin checks.
- Prepared statements only; strict input validation.
- Session hardening (regenerate on login/privilege change).
- Optional device/IP fingerprint in login_log.
- Basic brute-force throttling; optional reCAPTCHA.

E) Documentation & Tests
- README with setup, env vars, and deploy notes.
- Route list + Postman collection.
- PHPUnit (or integration tests) for auth and Gate rules.
- Small “runbook” for resets, verifications, session revocation.

Acceptance Criteria
- Visiting a protected page while not logged in → 302 to the login page.
- Logged-in but unverified users see a friendly block + “Resend verification” action.
- Verified, active, paid users can access protected pages.
- Password reset uses signed, expiring, one-time tokens.
- Email verification uses signed links (HMAC) or codes with expiry & single use.
- All SQL is parameterized; CSRF covered; no XSS on tested forms.
- Tests pass locally; a new dev can run the project from the README alone.

Nice-to-Haves (quote separately)
- 2FA (TOTP)
- Minimal admin for user states & logs
- Rate-limit middleware
- Simple RBAC matrix

What We’ll Provide
- Existing code snippets for /inc and sample protected pages.
- Any existing DDL for acct/acct_profile to refine.
- Staging DB + sanitized sample data.
- Email provider credentials or local mail catcher settings.

What You’ll Deliver
- Working code in a Git repo (feature branches + PRs).
- SQL migrations + seeds + rollback scripts.
- .env.example with all required keys.
- README + Postman collection + test suite.
- Short architecture overview.

Milestones (suggested)
1. Schema & Migrations
2. Core Auth (register/login/verify/reset + logs)
3. Gate Integration (state machine + UX)
4. QA & Handover (tests, docs, deployment notes)

Timeline & Budget
- Timeline: [e.g., 2–4 weeks, negotiable]
- Budget: [fixed price or hourly] with milestone breakdown.

Required Experience
- PHP 8+ and MySQL 8 (security-first).
- Argon2id, CSRF, and secure session implementation.
- Writing clean DDL/migrations and PHPUnit tests.

Application Instructions
Include:
- How you’d structure Gate::require() and the user state machine.
- 1–2 relevant auth projects (links or code).
- Proposed milestones, estimate, and start date.
- Questions/assumptions.
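One way to structure the Gate::require() guard and the verified/active/paid state machine asked for above, as an added example rather than code from the client or project. The account-loader callable, the `role` column on the joined row, and the /login.php and /blocked.php paths are assumptions; the 302-to-login and friendly-block outcomes follow the acceptance criteria.

```php
<?php
declare(strict_types=1);
// Added example, not the project's code: one way to structure Gate::require() and
// the user state machine. Assumes the joined acct/acct_profile row exposes the
// booleans `verified`, `active`, `paid` plus a `role` column, and that a loader
// callable set in bootstrap fetches that row by USERID with a prepared statement.
final class Gate
{
    private const STATES = ['verified', 'active', 'paid']; // order a user must fix them in
    private static $loadAccount;                           // callable(string): ?array
    public static function setAccountLoader(callable $loader): void
    {
        self::$loadAccount = $loader;
    }

    /**
     * Pure, unit-testable decision: 'login' (no session user -> 302 to login),
     * 'blocked:<state>' (logged in but missing a state or the role), or 'ok'.
     */
    public static function decide(array $session, ?array $acct, string $role): string
    {
        if (empty($session['USERID']) || $acct === null) {
            return 'login';
        }
        foreach (self::STATES as $state) {
            if (empty($acct[$state])) {
                return 'blocked:' . $state;
            }
        }
        if ($role === 'admin' && ($acct['role'] ?? 'member') !== 'admin') {
            return 'blocked:role';
        }
        return 'ok';
    }

    /** Call at the top of every protected page, after inc/bootstrap.php. */
    public static function require(string $role = 'member'): void
    {
        $userId   = $_SESSION['USERID'] ?? null;
        $acct     = $userId === null ? null : (self::$loadAccount)((string) $userId);
        $decision = self::decide($_SESSION, $acct, $role);
        if ($decision === 'login') {
            header('Location: /login.php', true, 302);
            exit;
        }
        if ($decision !== 'ok') {
            $_SESSION['gate_block'] = $decision; // blocked.php shows the message + "Resend verification"
            header('Location: /blocked.php', true, 303);
            exit;
        }
    }
}
```

Because decide() is a pure function, the acceptance criteria map directly onto PHPUnit cases: Gate::decide([], null, 'member') must return 'login', and a logged-in row with verified = 0 must return 'blocked:verified' before any other state is considered.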