# App Dev Plan

## Current focus

Auth (register/login/logout) with DB-backed sessions and HttpOnly cookies.

## Goals

- Custom email/password auth using the existing `users` + `sessions` tables.
- Server-side session validation only (no client-side RBAC trust).
- Minimal, secure cookies with expiration based on `SESSION_TTL_DAYS`.
- Keep UI simple and mobile-first.
- Add/adjust unit tests for auth flows.

## Proposed implementation

### Server routes (Next.js App Router)

Create API routes:

- `POST /api/auth/register`
  - Body: `{ email, password, displayName? }`
  - Validations: email format, password length >= 8
  - Hash password, create user, create session, set HttpOnly cookie
- `POST /api/auth/login`
  - Body: `{ email, password }`
  - Verify password, create session, set HttpOnly cookie
- `POST /api/auth/logout`
  - Clears cookie and deletes session from DB

### Server helpers

Add helpers for:

- Password hashing/verification (bcrypt)
- Session token generation and SHA-256 hashing for storage
- Session cookie settings (name + TTL from env)
- Shared DB pool (pg)

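As an added example (not the project's own `lib/auth.ts`), the TypeScript below models the session side of the route and helper items above: registration validation, random token generation, SHA-256 hashing so only the hash is stored, a cookie built from `SESSION_COOKIE_NAME` and `SESSION_TTL_DAYS`, server-side validation that expires stale rows, and logout that deletes the DB row. The env names come from the plan; their fallback values, the in-memory `Map` standing in for the `sessions` table, and all sample values are constructed for this example. bcrypt password hashing and the `pg` pool from the helper list are left out.

```typescript
// Added illustration of the session helpers described in the plan; not the
// project's own lib/auth.ts. bcrypt password hashing and the pg pool are
// omitted; a Map stands in for the `sessions` table.
import { createHash, randomBytes } from "node:crypto";

// Env names come from the plan; the fallbacks are constructed for this example.
export const SESSION_COOKIE_NAME = process.env.SESSION_COOKIE_NAME ?? "session";
export const SESSION_TTL_DAYS = Number(process.env.SESSION_TTL_DAYS ?? "7");
const DAY_MS = 24 * 60 * 60 * 1000;

export interface SessionRow {
  tokenHash: string; // SHA-256 of the raw token; the raw token is never stored
  userId: string;
  expiresAt: Date;
}

// Constructed in-memory stand-in for the `sessions` table, keyed by token hash.
export const sessions = new Map<string, SessionRow>();

// Register-route validation from the plan: email format, password length >= 8.
export function validateRegistration(body: { email?: unknown; password?: unknown }): string[] {
  const errors: string[] = [];
  if (typeof body.email !== "string" || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(body.email)) {
    errors.push("invalid email");
  }
  if (typeof body.password !== "string" || body.password.length < 8) {
    errors.push("password must be at least 8 characters");
  }
  return errors;
}

// 256 bits of randomness, base64url so it is cookie-safe without escaping.
export function generateSessionToken(): string {
  return randomBytes(32).toString("base64url");
}

// Only the hash reaches the database, so a leaked table does not yield usable tokens.
export function hashSessionToken(token: string): string {
  return createHash("sha256").update(token).digest("hex");
}

export function createSession(userId: string, now: Date = new Date()): { token: string; row: SessionRow } {
  const token = generateSessionToken();
  const row: SessionRow = {
    tokenHash: hashSessionToken(token),
    userId,
    expiresAt: new Date(now.getTime() + SESSION_TTL_DAYS * DAY_MS),
  };
  sessions.set(row.tokenHash, row);
  return { token, row };
}

// Set-Cookie value: HttpOnly keeps it away from scripts, SameSite=Lax limits
// cross-site sends, Secure restricts it to HTTPS (disable only for local dev).
export function sessionCookie(token: string, expiresAt: Date, secure = true): string {
  const attrs = [
    `${SESSION_COOKIE_NAME}=${token}`,
    "Path=/",
    "HttpOnly",
    "SameSite=Lax",
    `Expires=${expiresAt.toUTCString()}`,
  ];
  if (secure) attrs.push("Secure");
  return attrs.join("; ");
}

// Logout: tell the browser to drop the cookie immediately.
export function clearedSessionCookie(): string {
  return `${SESSION_COOKIE_NAME}=; Path=/; HttpOnly; SameSite=Lax; Max-Age=0`;
}

// Pull our cookie out of a raw Cookie header.
export function readSessionToken(cookieHeader: string | null | undefined): string | undefined {
  if (!cookieHeader) return undefined;
  for (const part of cookieHeader.split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() === SESSION_COOKIE_NAME) return part.slice(eq + 1).trim();
  }
  return undefined;
}

// Server-side check: the DB row, not anything the client claims, decides.
export function validateSession(cookieHeader: string | null | undefined, now: Date = new Date()): SessionRow | null {
  const token = readSessionToken(cookieHeader);
  if (!token) return null;
  const row = sessions.get(hashSessionToken(token));
  if (!row) return null;
  if (row.expiresAt.getTime() <= now.getTime()) {
    sessions.delete(row.tokenHash); // lazy cleanup of an expired row
    return null;
  }
  return row;
}

// Logout: delete the DB row so the token is dead even if the cookie lingers.
export function destroySession(token: string): boolean {
  return sessions.delete(hashSessionToken(token));
}
```

A route would call `createSession` after the password check, send `sessionCookie(...)` as `Set-Cookie`, and on logout call both `destroySession` and `clearedSessionCookie`; any protected handler runs `validateSession` against the incoming `Cookie` header and trusts nothing else from the client.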
### UI pages

Update:

- `app/login/page.tsx`: basic form, error handling, POST to `/api/auth/login`
- `app/register/page.tsx`: basic form, error handling, POST to `/api/auth/register`

### Tests

Add unit tests covering:

- Registration creates user + session
- Login rejects invalid credentials
- Logout removes session

## Files to be created/modified

- `apps/web/app/api/auth/register/route.ts`
- `apps/web/app/api/auth/login/route.ts`
- `apps/web/app/api/auth/logout/route.ts`
- `apps/web/lib/auth.ts`
- `apps/web/lib/db.ts`
- `apps/web/app/login/page.tsx`
- `apps/web/app/register/page.tsx`
- `apps/web/package.json` (deps + test runner)

## Env usage

Required:

- `DATABASE_URL`
- `DATABASE_SSL` (true/false)
- `SESSION_COOKIE_NAME`
- `SESSION_TTL_DAYS`

## Notes

- All session checks will be server-side only.
- No receipt bytes will ever be returned in list endpoints (future scope).

## Status

### Implemented

- API routes:
  - `POST /api/auth/register`
  - `POST /api/auth/login`
  - `POST /api/auth/logout`
- Helpers:
  - `apps/web/lib/auth.ts`
  - `apps/web/lib/db.ts`
- UI:
  - `apps/web/app/login/page.tsx`
  - `apps/web/app/register/page.tsx`
- Tests:
  - `apps/web/__tests__/auth.test.ts`
- Dependencies added in `apps/web/package.json`.

### Test output

Initial run: 0 tests discovered. Updated the test script to `node --test --import tsx/register __tests__/auth.test.ts`.

This failed with `ERR_PACKAGE_PATH_NOT_EXPORTED` from `tsx/register`. Switched to `tsx __tests__/auth.test.ts`.