Auth / Author Flow Hardening and Client Separation (#1)
All checks were successful
continuous-integration/drone/tag Build is passing
All checks were successful
continuous-integration/drone/tag Build is passing
# Merge Request: Auth / Author Flow Hardening and Client Separation ## Summary This change set improves the authentication–author lifecycle by clearly separating **Auth** and **Blog API** clients, ensuring an **Author is created at registration time**, and preventing user-controlled mutation of immutable identity fields in the UI. The result is a cleaner contract between services, fewer edge cases around missing authors, and more predictable client behavior. --- ## Key Changes ### 1. Username Made Read-Only in Profile UI - Disabled the `username` field in `Profile.tsx` - Prevents accidental or malicious mutation of identity-bound fields - Aligns UI behavior with backend ownership rules --- ### 2. Dedicated Auth vs Blog API Clients - Introduced a separate Axios client for the Auth service (`auth`) - Blog service continues to use `api` - Both clients: - Automatically attach JWT tokens - Share centralized `401` handling and token invalidation logic **Why:** Auth and Blog are separate concerns and potentially separate services. Explicit clients reduce coupling and eliminate ambiguous routing. --- ### 3. Registration Flow Now Creates Author Automatically - `register()` now: 1. Registers the user via Auth service 2. Creates a corresponding Author via Blog API This guarantees: - Every authenticated user has an Author record - No race condition or implicit author creation later --- ### 4. Correct Endpoint Usage for “Current User” - `/auth/me` is now correctly called via the Auth client - `/authors/me` replaces ID-based lookup for the current author - Eliminates dependency on user ID leaking across service boundaries --- ### 5. Centralized Token & Auth Error Handling - Shared request interceptor to attach JWT tokens - Shared response interceptor to handle `401` consistently - Token invalidation is now uniform across services --- ### 6. Environment Configuration Updated - Added `VITE_AUTH_BASE_URL` to support separate Auth service routing - Explicit environment contract avoids accidental misconfiguration --- ## Impact - Cleaner service boundaries - Deterministic user → author lifecycle - Reduced client-side complexity and edge cases - More secure handling of identity fields --- ## Notes / Follow-ups - Optional auto-login after registration is scaffolded but commented - Logout or redirect handling on `401` can be wired later via an event bus or global handler --- **Risk Level:** Low **Behavioral Change:** Yes (author auto-created on registration) **Backward Compatibility:** Requires Auth + Blog services to be reachable separately Reviewed-on: #1 Co-authored-by: Vishesh 'ironeagle' Bangotra <aetoskia@gmail.com> Co-committed-by: Vishesh 'ironeagle' Bangotra <aetoskia@gmail.com>
This commit is contained in:
@@ -66,6 +66,8 @@ steps:
|
||||
environment:
|
||||
API_BASE_URL:
|
||||
from_secret: API_BASE_URL
|
||||
AUTH_BASE_URL:
|
||||
from_secret: AUTH_BASE_URL
|
||||
volumes:
|
||||
- name: dockersock
|
||||
path: /var/run/docker.sock
|
||||
@@ -76,6 +78,7 @@ steps:
|
||||
- |
|
||||
docker build --network=host \
|
||||
--build-arg VITE_API_BASE_URL="$API_BASE_URL" \
|
||||
--build-arg VITE_AUTH_BASE_URL="$AUTH_BASE_URL" \
|
||||
-t apps/blog:$IMAGE_TAG \
|
||||
-t apps/blog:latest \
|
||||
/drone/src
|
||||
|
||||
Reference in New Issue
Block a user