|
| 1 | +# PR_26166_142-auth-status-backend-contract |
| 2 | + |
| 3 | +## Branch Validation |
| 4 | + |
| 5 | +- Current branch: `main` |
| 6 | +- Expected branch: `main` |
| 7 | +- Result: PASS |
| 8 | + |
| 9 | +## Summary |
| 10 | + |
| 11 | +Fixed the auth status/check flow so Sign In, Create Account, and Password Reset use the shared backend contract: |
| 12 | + |
| 13 | +- `GET /api/auth/status` |
| 14 | +- `POST /api/auth/sign-in` |
| 15 | +- `POST /api/auth/create-account` |
| 16 | +- `POST /api/auth/password-reset` |
| 17 | + |
| 18 | +The browser no longer calls environment-specific auth routes. The Local API router decides the configured auth adapter and returns production-safe availability text to the UI when auth is missing or unavailable. |
| 19 | + |
| 20 | +Delta ZIP: `tmp/PR_26166_142-auth-status-backend-contract_delta.zip` |
| 21 | + |
| 22 | +## Requirement Checklist |
| 23 | + |
| 24 | +| Requirement | Result | Evidence | |
| 25 | +| --- | --- | --- | |
| 26 | +| Use `main` only | PASS | `git branch --show-current` returned `main`. | |
| 27 | +| Read `docs_build/dev/PROJECT_INSTRUCTIONS.md` | PASS | Read before edits. | |
| 28 | +| Browser pages must not call environment-specific/missing API routes | PASS | `assets/theme-v2/js/login-session.js` and `assets/theme-v2/js/account-auth-actions.js` call `/api/auth/...`. | |
| 29 | +| Password Reset/Create Account must not show `Unknown API route` | PASS | Both pages now use `/api/auth/status`; Playwright validates the generic unavailable state. | |
| 30 | +| All environments call the same backend API contract | PASS | Browser calls only `/api/auth/status`, `/api/auth/sign-in`, `/api/auth/create-account`, `/api/auth/password-reset`. | |
| 31 | +| Backend/API decides auth/db adapter | PASS | `src/dev-runtime/server/local-api-router.mjs` resolves provider status in `authStatus()` and action adapters in `authAdapterForAction()`. | |
| 32 | +| Add/correct backend route handling for auth status/config availability | PASS | Added generic `/api/auth/*` route handling. | |
| 33 | +| Missing/unreachable backend shows production-safe message | PASS | UI and backend use `The site is currently unavailable. Please try again later.` | |
| 34 | +| Remove user-facing DEV wording | PASS | Account pages/auth scripts no longer contain user-facing DEV/Supabase/env wording. | |
| 35 | +| Do not activate product-table migration | PASS | No product-table migration changes. | |
| 36 | +| Do not add secrets or `.env` files | PASS | No secrets or `.env` files changed. | |
| 37 | +| No silent fallback | PASS | Missing/unavailable auth reports unavailable; no fallback auth path is triggered. | |
| 38 | +| No browser-owned auth/product data | PASS | Browser invokes backend API only; no browser-owned auth/product persistence added. | |
| 39 | + |
| 40 | +## Search Evidence |
| 41 | + |
| 42 | +- `rg -n "/api/auth/dev/supabase" account assets/theme-v2/js src/dev-runtime/server` returned no active page/script/server matches. |
| 43 | +- `rg -n "DEV|Supabase|GAMEFOUNDRY_|Unknown API route" account assets/theme-v2/js/login-session.js assets/theme-v2/js/account-auth-actions.js` returned no auth UI/script matches; the only output was unrelated `DEVICE_POLL_INTERVAL_MS` in `account/user-controls-page.js`. |
| 44 | +- `rg -n "authStatus\\(|authSignIn\\(|authCreateAccount\\(|authPasswordReset\\(" src/dev-runtime/server/local-api-router.mjs` shows generic backend auth handlers. |
| 45 | +- The generic `Unknown API route` server fallback remains for unrelated unknown API paths, but Create Account and Password Reset no longer call missing routes. |
| 46 | + |
| 47 | +## Changed Files |
| 48 | + |
| 49 | +- `account/sign-in.html` |
| 50 | +- `account/create-account.html` |
| 51 | +- `account/password-reset.html` |
| 52 | +- `assets/theme-v2/js/login-session.js` |
| 53 | +- `assets/theme-v2/js/account-auth-actions.js` |
| 54 | +- `src/dev-runtime/server/local-api-router.mjs` |
| 55 | +- `tests/dev-runtime/SupabaseProviderContractStub.test.mjs` |
| 56 | +- `tests/playwright/tools/LoginSessionMode.spec.mjs` |
| 57 | +- `tests/playwright/tools/StaticOnlyLoginApiRequired.spec.mjs` |
| 58 | +- `tests/playwright/tools/ApiStaticRouteRecovery.spec.mjs` |
| 59 | +- `docs_build/dev/reports/playwright_v8_coverage_report.txt` |
| 60 | +- `docs_build/dev/reports/coverage_changed_js_guardrail.txt` |
| 61 | +- Workspace validation reports refreshed by `npm run test:workspace-v2`. |
| 62 | + |
| 63 | +## Impacted Lanes |
| 64 | + |
| 65 | +- runtime: auth/session browser and Local API route behavior. |
| 66 | +- integration: Sign In, Create Account, Password Reset unavailable/configured states. |
| 67 | +- contract: Supabase provider adapter contract stub route checks. |
| 68 | + |
| 69 | +## Skipped Lanes |
| 70 | + |
| 71 | +- samples: SKIP. The PR only changes account auth status/API contract wiring and does not touch samples or sample runtime behavior. |
| 72 | +- full samples smoke: SKIP per request. |
| 73 | + |
| 74 | +## Validation Performed |
| 75 | + |
| 76 | +- PASS: `node --check assets/theme-v2/js/login-session.js` |
| 77 | +- PASS: `node --check assets/theme-v2/js/account-auth-actions.js` |
| 78 | +- PASS: `node --check src/dev-runtime/server/local-api-router.mjs` |
| 79 | +- PASS: `node --check tests/dev-runtime/SupabaseProviderContractStub.test.mjs` |
| 80 | +- PASS: `node --test tests/dev-runtime/SupabaseProviderContractStub.test.mjs` |
| 81 | +- PASS: `npx playwright test tests/playwright/tools/LoginSessionMode.spec.mjs tests/playwright/tools/StaticOnlyLoginApiRequired.spec.mjs tests/playwright/tools/ApiStaticRouteRecovery.spec.mjs` |
| 82 | +- PASS: `npm run test:workspace-v2` |
| 83 | +- PASS: final targeted Playwright rerun for focused V8 coverage. |
| 84 | +- PASS: `git diff --check` with line-ending warnings only. |
| 85 | + |
| 86 | +## Playwright Result |
| 87 | + |
| 88 | +- PASS: 13 targeted auth/session Playwright tests passed. |
| 89 | +- PASS: `npm run test:workspace-v2` passed 5 workspace-contract tests. |
| 90 | + |
| 91 | +## V8 Coverage |
| 92 | + |
| 93 | +- PASS/WARN: `docs_build/dev/reports/playwright_v8_coverage_report.txt` generated. |
| 94 | +- `assets/theme-v2/js/account-auth-actions.js`: 92% advisory coverage. |
| 95 | +- `assets/theme-v2/js/login-session.js`: 93% advisory coverage. |
| 96 | +- `src/dev-runtime/server/local-api-router.mjs`: WARN because browser V8 does not collect server-side Node modules; covered by Node contract test and Playwright route checks. |
| 97 | + |
| 98 | +## Manual Validation Notes |
| 99 | + |
| 100 | +1. Open `account/sign-in.html`. |
| 101 | +2. With auth unavailable, click `Sign In`; status should show `The site is currently unavailable. Please try again later.` |
| 102 | +3. Open `account/create-account.html`; status should resolve through `/api/auth/status` and must not show `Unknown API route`. |
| 103 | +4. Open `account/password-reset.html`; status should resolve through `/api/auth/status` and must not show `Unknown API route`. |
| 104 | +5. With Supabase auth env configured, Sign In/Create Account/Password Reset use the external auth adapter while product data remains Local DB. |
0 commit comments