Create agent md for .NET developer with ASP.NET on frontend
Given I am an unauthenticated visitor when I open the registration form then I can choose whether to register as a buyer or as a seller.
Given I am on the registration form when I provide required data and a valid password and accept terms then my account is created in status 'unverified'.
Given my account is created when the system sends a verification email then I see an information message that I must verify my email before full access.
Given I fill in the registration form with missing or invalid data when I submit it then I see clear validation errors and my data is not persisted.
Registration must capture minimum required personal and legal data for later KYC and invoicing.
Passwords must follow security policy (length, complexity, no common passwords).
Email address must be unique across all users.
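Added example for the registration story above (IAM-01); this is illustrative code written for this page, not code from the Mercato project. It wires ASP.NET Core Identity with the password policy, unique e-mail and "unverified until confirmed" rules, adds a deny-list validator for common passwords, and shows a registration handler that persists nothing when validation fails. AppUser, AppDbContext, the extra user fields, the deny list and the role names are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.DependencyInjection;

// Assumed user type: minimum personal/legal data captured for later KYC and invoicing.
public class AppUser : IdentityUser
{
    public string LegalName { get; set; } = string.Empty;
    public string AccountType { get; set; } = "Buyer";      // "Buyer" or "Seller"
    public DateTimeOffset? TermsAcceptedAt { get; set; }
    // 'unverified' status is IdentityUser.EmailConfirmed == false.
}

public class AppDbContext : IdentityDbContext<AppUser>      // assumed EF Core context
{
    public AppDbContext(DbContextOptions<AppDbContext> options) : base(options) { }
}

// Rejects passwords that appear on a deny list of commonly used passwords.
public sealed class CommonPasswordValidator : IPasswordValidator<AppUser>
{
    // Constructed sample list; production loads a large published list.
    private static readonly HashSet<string> Denied = new(StringComparer.OrdinalIgnoreCase)
    { "password", "password123", "qwerty123", "letmein", "welcome1", "iloveyou" };

    public Task<IdentityResult> ValidateAsync(UserManager<AppUser> manager, AppUser user, string? password)
        => Task.FromResult(password is not null && !Denied.Contains(password)
            ? IdentityResult.Success
            : IdentityResult.Failed(new IdentityError
              { Code = "CommonPassword", Description = "This password is too common; choose a different one." }));
}

public static class IdentitySetup
{
    public static IServiceCollection AddMercatoIdentity(this IServiceCollection services)
    {
        services.AddIdentity<AppUser, IdentityRole>(o =>
        {
            o.Password.RequiredLength = 12;            // length
            o.Password.RequireDigit = true;            // complexity
            o.Password.RequireLowercase = true;
            o.Password.RequireUppercase = true;
            o.Password.RequireNonAlphanumeric = true;
            o.Password.RequiredUniqueChars = 4;
            o.User.RequireUniqueEmail = true;          // e-mail unique across all users
            o.SignIn.RequireConfirmedEmail = true;     // 'unverified' accounts cannot sign in yet
        })
        .AddEntityFrameworkStores<AppDbContext>()
        .AddDefaultTokenProviders()                    // e-mail verification / reset tokens
        .AddPasswordValidator<CommonPasswordValidator>();
        return services;
    }
}

public record RegisterRequest(string Email, string Password, string LegalName, string AccountType, bool AcceptTerms);

public static class RegisterEndpoint
{
    // Validates the form; nothing is written unless every check passes.
    public static async Task<IResult> Handle(RegisterRequest req, UserManager<AppUser> users)
    {
        var errors = new Dictionary<string, string[]>();
        if (req.AccountType is not ("Buyer" or "Seller"))
            errors["accountType"] = new[] { "Choose to register as a buyer or as a seller." };
        if (string.IsNullOrWhiteSpace(req.LegalName))
            errors["legalName"] = new[] { "Legal name is required." };
        if (!req.AcceptTerms)
            errors["acceptTerms"] = new[] { "You must accept the terms." };
        if (errors.Count > 0)
            return Results.ValidationProblem(errors);  // 400 with per-field messages

        var user = new AppUser
        {
            UserName = req.Email, Email = req.Email, LegalName = req.LegalName,
            AccountType = req.AccountType, TermsAcceptedAt = DateTimeOffset.UtcNow
        };
        // CreateAsync runs the password policy, the deny-list validator and the
        // unique-e-mail check before inserting; on failure no row is written.
        var result = await users.CreateAsync(user, req.Password);
        if (!result.Succeeded)
            return Results.ValidationProblem(result.Errors
                .GroupBy(e => e.Code)
                .ToDictionary(g => g.Key, g => g.Select(e => e.Description).ToArray()));

        await users.AddToRoleAsync(user, req.AccountType);   // roles must be seeded beforehand
        return Results.Ok(new { status = "unverified", message = "Verify your e-mail to get full access." });
    }
}
```

The deny list is the part teams most often skip: Identity's built-in options enforce length and character classes but nothing stops "Password123!", so the extra validator is what satisfies the "no common passwords" rule. Sending the verification mail itself belongs to the IAM-04 flow.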
IAM-02
Authenticate buyers and sellers with email and password
As a registered user I want to log in with my email and password so that I can securely access buyer or seller features.
Given I am a registered user with a verified email when I enter correct email and password then I am successfully logged in and redirected to the appropriate dashboard for my role.
Given I am a registered user when I enter an incorrect email or password then I see a generic error message and I am not logged in.
Given I am a seller with an unverified email when I attempt to log in then I see a clear message that I must verify my email and I receive a link to resend the verification email.
Given I am logged in when I close the browser and reopen it within the configured session lifetime then my session is still valid and I remain authenticated unless I explicitly logged out before.
Use secure password hashing and never store plain text passwords.
Login must be rate limited and monitored to reduce brute-force risk.
Future 2FA must be pluggable into this login flow without breaking existing contracts.
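Added example for the login story above (IAM-02); this is illustrative code written for this page, not the project's own. It shows one generic failure message for every non-success outcome, per-account lockout, per-IP rate limiting on the login route, and how to tell an unverified user to verify (with a resend link) without turning that message into an account-existence oracle. It uses the plain IdentityUser; the route paths, limits and role names are assumptions.

```csharp
using System;
using System.Threading.RateLimiting;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.RateLimiting;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

public record LoginRequest(string Email, string Password, bool RememberMe);

public static class LoginSetup
{
    public static IServiceCollection AddMercatoLogin(this IServiceCollection services)
    {
        // Identity's PasswordHasher stores PBKDF2 hashes, never plain text; raise the work factor.
        services.Configure<PasswordHasherOptions>(o => o.IterationCount = 600_000);

        // Per-account lockout after repeated failures.
        services.Configure<IdentityOptions>(o =>
        {
            o.Lockout.AllowedForNewUsers = true;
            o.Lockout.MaxFailedAccessAttempts = 5;
            o.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(15);
        });

        // Per-client-IP limit on the login route: lockout alone does not slow down
        // spraying one password across many accounts.
        services.AddRateLimiter(o =>
        {
            o.RejectionStatusCode = StatusCodes.Status429TooManyRequests;
            o.AddPolicy("login", ctx => RateLimitPartition.GetFixedWindowLimiter(
                ctx.Connection.RemoteIpAddress?.ToString() ?? "unknown",
                _ => new FixedWindowRateLimiterOptions
                { PermitLimit = 10, Window = TimeSpan.FromMinutes(1), QueueLimit = 0 }));
        });
        return services;
    }

    public static void MapLogin(this WebApplication app)
    {
        app.UseRateLimiter();
        app.MapPost("/login", LoginEndpoint.Handle).RequireRateLimiting("login").AllowAnonymous();
    }
}

public static class LoginEndpoint
{
    private const string GenericError = "Invalid email or password.";   // one message for all failures

    public static async Task<IResult> Handle(LoginRequest req, UserManager<IdentityUser> users,
        SignInManager<IdentityUser> signIn, ILoggerFactory loggerFactory)
    {
        var log = loggerFactory.CreateLogger("Login");
        var user = await users.FindByEmailAsync(req.Email);
        if (user is null)
        {
            log.LogInformation("Login failed: unknown e-mail");      // never log the password
            return Results.BadRequest(new { error = GenericError });
        }

        // RememberMe -> persistent cookie, so the session survives a browser restart
        // until the configured lifetime. lockoutOnFailure counts this attempt.
        var result = await signIn.PasswordSignInAsync(user, req.Password, req.RememberMe, lockoutOnFailure: true);

        if (result.Succeeded)
        {
            var roles = await users.GetRolesAsync(user);
            var target = roles.Contains("Admin") ? "/admin"
                       : roles.Contains("Seller") ? "/seller/dashboard" : "/buyer/dashboard";
            log.LogInformation("Login succeeded for user {UserId}", user.Id);
            return Results.Ok(new { redirectTo = target });
        }

        if (result.IsNotAllowed)
        {
            // NotAllowed (RequireConfirmedEmail) is decided before the password is checked.
            // Reveal the unverified state only to a caller who holds the correct password;
            // otherwise the response would confirm that the account exists.
            if (await users.CheckPasswordAsync(user, req.Password))
                return Results.Json(new
                {
                    error = "Please verify your e-mail address before logging in.",
                    resendVerificationUrl = "/account/resend-verification"
                }, statusCode: StatusCodes.Status403Forbidden);
            return Results.BadRequest(new { error = GenericError });
        }

        if (result.IsLockedOut)
            log.LogWarning("Lockout active for user {UserId}", user.Id);   // monitored signal
        else
            log.LogInformation("Login failed: wrong password for user {UserId}", user.Id);
        return Results.BadRequest(new { error = GenericError });          // same text as wrong password
    }
}
```

SignInManager already carries the two-factor branch (`RequiresTwoFactor` on the result), so a later 2FA step slots in as another `if` on `result` without changing the request or response contract above.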
IAM-03
Support social login for buyers
As a buyer I want to log in or register using my Google or Facebook account so that I can quickly access Mercato without creating a new password.
Given I am an unauthenticated visitor when I open the login/registration page then I see options to continue with Google and Facebook.
Given I choose to continue with Google or Facebook and successfully authorize Mercato when my email is not yet used on the platform then a buyer account is created and I am logged in.
Given I choose to continue with Google or Facebook and successfully authorize Mercato when my email already exists as a buyer on the platform then I am logged in to that existing account.
Given a social login attempt fails due to provider error or denied consent when I return to Mercato then I see a clear error message and remain unauthenticated.
Social login is available only for buyers in the initial scope.
Implementation must follow providers' latest OAuth/OIDC guidelines.
Apple login should be supported later without redesigning the current SSO abstraction.
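Added example for the social login story above (IAM-03); illustrative code for this page, not the project's. It registers Google and Facebook as external providers, handles provider errors and denied consent with a clear message, creates a buyer account on first use, signs in to an existing buyer account on a match, and refuses to attach a provider to a non-buyer account by e-mail match. Configuration keys, routes and role names are assumptions.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public static class SocialLoginSetup
{
    public static IServiceCollection AddMercatoSocialLogin(this IServiceCollection services, IConfiguration cfg)
    {
        services.AddAuthentication()
            .AddGoogle(o =>
            {
                o.ClientId = cfg["Authentication:Google:ClientId"]!;          // from user-secrets / vault
                o.ClientSecret = cfg["Authentication:Google:ClientSecret"]!;
                o.Events.OnRemoteFailure = HandleRemoteFailure;
            })
            .AddFacebook(o =>
            {
                o.AppId = cfg["Authentication:Facebook:AppId"]!;
                o.AppSecret = cfg["Authentication:Facebook:AppSecret"]!;
                o.Events.OnRemoteFailure = HandleRemoteFailure;
            });
        return services;
    }

    // Provider error or denied consent: clear message, user stays unauthenticated.
    private static Task HandleRemoteFailure(RemoteFailureContext ctx)
    {
        ctx.Response.Redirect("/login?error=social-login-failed");
        ctx.HandleResponse();                      // suppress the default exception page
        return Task.CompletedTask;
    }

    public static void MapSocialLogin(this WebApplication app)
    {
        // Step 1: "Continue with Google/Facebook" button -> redirect to the provider.
        app.MapGet("/login/external/{provider}", (string provider, SignInManager<IdentityUser> signIn) =>
        {
            var props = signIn.ConfigureExternalAuthenticationProperties(provider, "/login/external/callback");
            return Results.Challenge(props, new[] { provider });
        }).AllowAnonymous();

        // Step 2: provider redirects back with the authorization result.
        app.MapGet("/login/external/callback", ExternalCallback).AllowAnonymous();
    }

    private static async Task<IResult> ExternalCallback(SignInManager<IdentityUser> signIn, UserManager<IdentityUser> users)
    {
        var info = await signIn.GetExternalLoginInfoAsync();
        if (info is null) return Results.Redirect("/login?error=social-login-failed");

        // Provider identity already linked to an account: plain sign-in.
        var signInResult = await signIn.ExternalLoginSignInAsync(
            info.LoginProvider, info.ProviderKey, isPersistent: false, bypassTwoFactor: true);
        if (signInResult.Succeeded) return Results.Redirect("/buyer/dashboard");

        var email = info.Principal.FindFirstValue(ClaimTypes.Email);
        if (string.IsNullOrEmpty(email)) return Results.Redirect("/login?error=no-email-from-provider");

        var user = await users.FindByEmailAsync(email);
        if (user is null)
        {
            // First visit: create a buyer account. The provider vouches for the address,
            // so the account starts as verified and has no local password.
            user = new IdentityUser { UserName = email, Email = email, EmailConfirmed = true };
            var created = await users.CreateAsync(user);
            if (!created.Succeeded) return Results.Redirect("/login?error=registration-failed");
            await users.AddToRoleAsync(user, "Buyer");
        }
        else if (!await users.IsInRoleAsync(user, "Buyer"))
        {
            // Initial scope: buyers only. Never attach a provider to a seller/admin account
            // just because the e-mail matches.
            return Results.Redirect("/login?error=social-login-buyers-only");
        }

        // Link the provider identity so the next visit takes the fast path above.
        var linked = await users.AddLoginAsync(user, info);
        if (!linked.Succeeded) return Results.Redirect("/login?error=link-failed");

        await signIn.SignInAsync(user, isPersistent: false);
        return Results.Redirect("/buyer/dashboard");
    }
}
```

The match-by-e-mail branch is only safe because Google and Facebook return addresses they have verified; a provider that hands back unverified e-mails must not be linked this way, or anyone who registers that address at the provider gains the existing buyer account. Adding Apple later is another `.Add...` provider registration against the same callback.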
IAM-04
Verify seller email and support optional KYC
As a seller I want my email to be verified and optionally complete KYC so that buyers and the platform can trust my identity.
Given I register as a seller when my account is created then the system generates a unique, time-limited email verification link and sends it to my email address.
Given I receive a verification email when I click the link within its validity period then my email status is updated to 'verified' and I can access the seller panel.
Given my verification link expired or was already used when I click it then I see an error and an option to request a new verification email.
Given KYC is required when I log in as a seller without completed KYC then I am guided through a KYC flow and my access to certain features is restricted until KYC is approved.
KYC provider integration details will be defined later.
Email verification required for sellers.
Store verification and KYC audit data.
IAM-05
Reset and change password securely
As a user I want to reset a forgotten password and change my password so that I can maintain secure access to my account.
Given I forgot my password when I request a reset then the system sends a time-limited password reset link without revealing whether the email exists.
Given I receive a valid reset link when I provide a new password then my password is updated and all active sessions are invalidated.
Given a reset link is expired or invalid when I try to open it then I see an error and a way to request a new link.
Given I am logged in when I provide my current and new password then my password is updated.
Reset tokens must be single-use.
Do not leak whether email exists.
Keep design flexible for password policy updates.
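Added example covering both the e-mail verification story (IAM-04) and the password reset/change story (IAM-05), which share Identity's data-protection token providers; illustrative code for this page, not the project's. It shows a unique, time-limited verification link with expired/used handling, a forgot-password response that does not reveal whether the address exists, a reset that is single-use and invalidates every active session, and an authenticated password change. IMercatoMailer, the base URL and the routes are assumptions.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;

// Assumed mail abstraction; the real app plugs in its transactional e-mail provider.
public interface IMercatoMailer { Task SendAsync(string to, string subject, string body); }

public static class TokenSetup
{
    public const string BaseUrl = "https://mercato.example";   // assumed public origin

    public static IServiceCollection AddMercatoTokens(this IServiceCollection services)
    {
        // Lifespan of the default e-mail confirmation and password reset tokens (one shared setting).
        services.Configure<DataProtectionTokenProviderOptions>(o => o.TokenLifespan = TimeSpan.FromHours(2));
        // Cookies are re-checked against the user's security stamp at this interval, so sessions
        // invalidated by a reset drop out within a minute on every instance.
        services.Configure<SecurityStampValidatorOptions>(o => o.ValidationInterval = TimeSpan.FromMinutes(1));
        return services;
    }
}

public static class VerificationFlow   // IAM-04
{
    public static async Task SendVerificationAsync(IdentityUser user, UserManager<IdentityUser> users, IMercatoMailer mail)
    {
        // Token is bound to user id, purpose and security stamp; unique per request and time-limited.
        var token = await users.GenerateEmailConfirmationTokenAsync(user);
        var link = $"{TokenSetup.BaseUrl}/account/confirm-email?userId={user.Id}&token={WebUtility.UrlEncode(token)}";
        await mail.SendAsync(user.Email!, "Verify your Mercato seller account", $"Confirm your e-mail: {link}");
    }

    // GET /account/confirm-email?userId=...&token=...
    public static async Task<IResult> ConfirmEmail(string userId, string token, UserManager<IdentityUser> users)
    {
        var retry = new { error = "This link has expired or was already used.", resendUrl = "/account/resend-verification" };
        var user = await users.FindByIdAsync(userId);
        if (user is null || user.EmailConfirmed) return Results.BadRequest(retry);   // already used

        var result = await users.ConfirmEmailAsync(user, token);    // expired/tampered -> InvalidToken
        if (!result.Succeeded) return Results.BadRequest(retry);

        // Identity does not rotate the stamp on confirmation; rotate it so the token is truly single-use.
        await users.UpdateSecurityStampAsync(user);
        return Results.Ok(new { status = "verified", next = "/seller/dashboard" });
    }
}

public static class PasswordFlow   // IAM-05
{
    private static bool IsTokenError(IdentityResult r) => r.Errors.Any(e => e.Code == "InvalidToken");

    // POST /account/forgot-password: identical response whether or not the address is registered.
    public static async Task<IResult> Forgot(string email, UserManager<IdentityUser> users, IMercatoMailer mail)
    {
        var user = await users.FindByEmailAsync(email);
        if (user is not null && user.EmailConfirmed)
        {
            var token = await users.GeneratePasswordResetTokenAsync(user);
            var link = $"{TokenSetup.BaseUrl}/account/reset-password?userId={user.Id}&token={WebUtility.UrlEncode(token)}";
            await mail.SendAsync(user.Email!, "Reset your Mercato password", $"Reset link (time-limited): {link}");
        }
        return Results.Ok(new { message = "If an account exists for this address, a reset link has been sent." });
    }

    // POST /account/reset-password
    public static async Task<IResult> Reset(string userId, string token, string newPassword, UserManager<IdentityUser> users)
    {
        var badLink = new { error = "This link is invalid or has expired.", requestNewUrl = "/account/forgot-password" };
        var user = await users.FindByIdAsync(userId);
        if (user is null) return Results.BadRequest(badLink);   // unknown id reads the same as a bad token

        // Success rotates the security stamp: the token cannot be replayed (single-use) and
        // every existing cookie session fails its next stamp validation.
        var result = await users.ResetPasswordAsync(user, token, newPassword);
        if (result.Succeeded) return Results.Ok(new { message = "Password updated. Please log in again." });
        return IsTokenError(result)
            ? Results.BadRequest(badLink)
            : Results.BadRequest(new { errors = result.Errors.Select(e => e.Description) });   // policy violations
    }

    // POST /account/change-password (signed-in user)
    public static async Task<IResult> Change(string currentPassword, string newPassword, HttpContext http,
        UserManager<IdentityUser> users, SignInManager<IdentityUser> signIn)
    {
        var user = await users.GetUserAsync(http.User);
        if (user is null) return Results.Unauthorized();
        var result = await users.ChangePasswordAsync(user, currentPassword, newPassword);   // also rotates the stamp
        if (!result.Succeeded) return Results.BadRequest(new { errors = result.Errors.Select(e => e.Description) });
        await signIn.RefreshSignInAsync(user);   // re-issue this session's cookie; other sessions drop
        return Results.Ok(new { message = "Password updated." });
    }
}
```

Because the password policy lives in `IdentityOptions.Password`, tightening it later changes nothing in these handlers. If verification and reset links need different lifetimes, register a second token provider with its own `TokenLifespan` instead of sharing `DataProtectionTokenProviderOptions`.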
IAM-06
Manage user sessions with secure tokens
As the system I want to manage user sessions with secure tokens so that authenticated access is controlled.
Given a user logs in when a session is created then the system issues a secure token.
Given a session token exists when requests are made then the system validates it.
Given session lifetime is exceeded when the user performs an action then re-authentication is required.
Given a user logs out when logout is processed then the session is invalidated.
Protect tokens from XSS and CSRF.
Session store must support horizontal scaling.
Future 2FA must fit the design.
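Added example for the session story above (IAM-06); illustrative code for this page, not the project's. The browser receives only a random session key in a hardened cookie (HttpOnly, Secure, SameSite, `__Host-` prefix); the authentication ticket itself lives in a distributed cache so any instance can validate it and logout revokes it everywhere at once. Anti-forgery tokens cover state-changing form posts. Cookie names, lifetimes and the Redis wiring are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Caching.Distributed;
using Microsoft.Extensions.DependencyInjection;

// Keeps the authentication ticket server-side; the cookie carries only a random key.
public sealed class DistributedTicketStore : ITicketStore
{
    private const string Prefix = "mercato:session:";
    private readonly IDistributedCache _cache;
    public DistributedTicketStore(IDistributedCache cache) => _cache = cache;

    public async Task<string> StoreAsync(AuthenticationTicket ticket)
    {
        // 256-bit random key: unguessable, and it exposes no claims to a script that steals it.
        var key = Convert.ToHexString(RandomNumberGenerator.GetBytes(32));
        await RenewAsync(key, ticket);
        return key;
    }

    public Task RenewAsync(string key, AuthenticationTicket ticket)
    {
        var options = new DistributedCacheEntryOptions();
        if (ticket.Properties.ExpiresUtc is { } exp) options.SetAbsoluteExpiration(exp);   // cache entry dies with the session
        return _cache.SetAsync(Prefix + key, TicketSerializer.Default.Serialize(ticket), options);
    }

    public async Task<AuthenticationTicket?> RetrieveAsync(string key)
    {
        var bytes = await _cache.GetAsync(Prefix + key);
        return bytes is null ? null : TicketSerializer.Default.Deserialize(bytes);   // null -> not authenticated
    }

    // Logout: deleting the entry invalidates the session on every instance immediately.
    public Task RemoveAsync(string key) => _cache.RemoveAsync(Prefix + key);
}

public static class SessionSetup
{
    public static IServiceCollection AddMercatoSessions(this IServiceCollection services)
    {
        services.AddStackExchangeRedisCache(o => o.Configuration = "redis:6379");   // assumed shared backend
        services.AddSingleton<ITicketStore, DistributedTicketStore>();

        // Attach the store to Identity's application cookie scheme.
        services.AddOptions<CookieAuthenticationOptions>(IdentityConstants.ApplicationScheme)
            .Configure<ITicketStore>((o, store) => o.SessionStore = store);

        services.ConfigureApplicationCookie(o =>
        {
            o.Cookie.Name = "__Host-mercato.auth";           // __Host- prefix: Secure, Path=/, no Domain
            o.Cookie.HttpOnly = true;                         // not readable from JavaScript (XSS)
            o.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            o.Cookie.SameSite = SameSiteMode.Lax;             // not sent on cross-site POSTs (CSRF)
            o.ExpireTimeSpan = TimeSpan.FromHours(8);         // configured session lifetime
            o.SlidingExpiration = true;                       // renews via RenewAsync while active
            o.LoginPath = "/login";                           // expired session -> re-authenticate
            o.AccessDeniedPath = "/access-denied";
        });

        // Anti-forgery tokens for state-changing form posts from the ASP.NET front end.
        services.AddAntiforgery(o =>
        {
            o.Cookie.Name = "__Host-mercato.xsrf";
            o.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            o.HeaderName = "X-XSRF-TOKEN";
        });
        return services;
    }

    public static void MapSession(this WebApplication app)
    {
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseAntiforgery();

        app.MapPost("/logout", async (SignInManager<IdentityUser> signIn) =>
        {
            await signIn.SignOutAsync();   // with SessionStore set this calls RemoveAsync
            return Results.Ok();
        });
    }
}
```

For horizontal scaling the data-protection key ring that encrypts the cookie must also be shared between instances (a persisted key store, not the per-machine default), otherwise a cookie issued by one node is unreadable on another. Identity's two-factor sign-in uses the same cookie scheme, so 2FA needs no change to this store.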
IAM-07
Role-based access control
As the platform owner I want buyer, seller and admin roles enforced so that each user can access only allowed features.
Buyers access only buyer features.
Sellers access only their seller panel.
Admins access admin panel only.
Unauthorized access attempts return a clear error.
Role model must be extensible.
Central authorization checks required.
Authorization failures logged.
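Added example for the role-based access control story above (IAM-07); illustrative code for this page, not the project's. It defines the three roles as policies, makes authentication the default for every endpoint (deny by default), adds a requirement so a seller reaches only their own panel, and centralises the outcome handling so every failure is logged and answered with a clear 403. Role names, route layout and the assumption that a seller's panel id equals the user id are assumptions.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authorization.Policy;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Routing;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

public static class Roles
{
    // Extending the model: add a constant, seed the IdentityRole, add a policy below.
    public const string Buyer = "Buyer", Seller = "Seller", Admin = "Admin";
}

// A seller may act only on the seller panel whose id appears in the route.
public sealed class OwnSellerPanelRequirement : IAuthorizationRequirement { }

public sealed class OwnSellerPanelHandler : AuthorizationHandler<OwnSellerPanelRequirement>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, OwnSellerPanelRequirement requirement)
    {
        // Assumption: the seller panel id is the seller's user id (NameIdentifier claim).
        if (context.Resource is HttpContext http &&
            http.GetRouteValue("sellerId")?.ToString() is { } sellerId &&
            context.User.IsInRole(Roles.Seller) &&
            sellerId == context.User.FindFirstValue(ClaimTypes.NameIdentifier))
        {
            context.Succeed(requirement);
        }
        return Task.CompletedTask;   // not succeeding == forbidden
    }
}

// Single choke point for every authorization outcome: log failures, answer clearly.
public sealed class LoggingAuthorizationResultHandler : IAuthorizationMiddlewareResultHandler
{
    private readonly AuthorizationMiddlewareResultHandler _default = new();
    private readonly ILogger<LoggingAuthorizationResultHandler> _log;
    public LoggingAuthorizationResultHandler(ILogger<LoggingAuthorizationResultHandler> log) => _log = log;

    public async Task HandleAsync(RequestDelegate next, HttpContext context,
        AuthorizationPolicy policy, PolicyAuthorizationResult authorizeResult)
    {
        if (authorizeResult.Forbidden)
        {
            _log.LogWarning("Authorization denied: user {User} tried {Method} {Path}",
                context.User.Identity?.Name ?? "anonymous", context.Request.Method, context.Request.Path);
            context.Response.StatusCode = StatusCodes.Status403Forbidden;
            await context.Response.WriteAsJsonAsync(new { error = "You do not have access to this area." });
            return;
        }
        if (authorizeResult.Challenged)
            _log.LogInformation("Unauthenticated request to {Path}", context.Request.Path);
        await _default.HandleAsync(next, context, policy, authorizeResult);   // login redirect / continue
    }
}

public static class AuthorizationSetup
{
    public static IServiceCollection AddMercatoAuthorization(this IServiceCollection services)
    {
        services.AddSingleton<IAuthorizationHandler, OwnSellerPanelHandler>();
        services.AddSingleton<IAuthorizationMiddlewareResultHandler, LoggingAuthorizationResultHandler>();
        services.AddAuthorizationBuilder()
            // Deny by default: endpoints without explicit metadata require a signed-in user.
            .SetFallbackPolicy(new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build())
            .AddPolicy("BuyerOnly", p => p.RequireRole(Roles.Buyer))
            .AddPolicy("AdminOnly", p => p.RequireRole(Roles.Admin))
            .AddPolicy("OwnSellerPanel", p => p.RequireRole(Roles.Seller)
                                                .AddRequirements(new OwnSellerPanelRequirement()));
        return services;
    }

    public static void MapAreas(this WebApplication app)
    {
        app.MapGet("/buyer/dashboard", () => Results.Ok("buyer area")).RequireAuthorization("BuyerOnly");
        app.MapGet("/seller/{sellerId}/panel", (string sellerId) => Results.Ok($"seller panel {sellerId}"))
           .RequireAuthorization("OwnSellerPanel");
        app.MapGet("/admin", () => Results.Ok("admin panel")).RequireAuthorization("AdminOnly");
        app.MapGet("/", () => Results.Ok("public landing")).AllowAnonymous();   // opt out explicitly
    }
}
```

With the fallback policy in place, every public route (login, registration, social-login callbacks) must carry `AllowAnonymous()` explicitly, which is the point: a forgotten attribute fails closed rather than open. For an MVC front end the forbidden branch can redirect to the access-denied page instead of writing JSON; the logging line stays the same.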
IAM-08
Account security baseline with 2FA readiness
As the platform owner I want an account security baseline with 2FA readiness and login history so that the platform can improve security later.