Auth / Author Flow Hardening and Client Separation (#1)

# Merge Request: Auth / Author Flow Hardening and Client Separation ## Summary This change set improves the authentication–author lifecycle by clearly separating **Auth** and **Blog API** clients, ensuring an **Author is created at registration time**, and preventing user-controlled mutation of immutable identity fields in the UI. The result is a cleaner contract between services, fewer edge cases around missing authors, and more predictable client behavior. --- ## Key Changes ### 1. Username Made Read-Only in Profile UI - Disabled the `username` field in `Profile.tsx` - Prevents accidental or malicious mutation of identity-bound fields - Aligns UI behavior with backend ownership rules --- ### 2. Dedicated Auth vs Blog API Clients - Introduced a separate Axios client for the Auth service (`auth`) - Blog service continues to use `api` - Both clients: - Automatically attach JWT tokens - Share centralized `401` handling and token invalidation logic **Why:** Auth and Blog are separate concerns and potentially separate services. Explicit clients reduce coupling and eliminate ambiguous routing. --- ### 3. Registration Flow Now Creates Author Automatically - `register()` now: 1. Registers the user via Auth service 2. Creates a corresponding Author via Blog API This guarantees: - Every authenticated user has an Author record - No race condition or implicit author creation later --- ### 4. Correct Endpoint Usage for “Current User” - `/auth/me` is now correctly called via the Auth client - `/authors/me` replaces ID-based lookup for the current author - Eliminates dependency on user ID leaking across service boundaries --- ### 5. Centralized Token & Auth Error Handling - Shared request interceptor to attach JWT tokens - Shared response interceptor to handle `401` consistently - Token invalidation is now uniform across services --- ### 6. Environment Configuration Updated - Added `VITE_AUTH_BASE_URL` to support separate Auth service routing - Explicit environment contract avoids accidental misconfiguration --- ## Impact - Cleaner service boundaries - Deterministic user → author lifecycle - Reduced client-side complexity and edge cases - More secure handling of identity fields --- ## Notes / Follow-ups - Optional auto-login after registration is scaffolded but commented - Logout or redirect handling on `401` can be wired later via an event bus or global handler --- **Risk Level:** Low **Behavioral Change:** Yes (author auto-created on registration) **Backward Compatibility:** Requires Auth + Blog services to be reachable separately Reviewed-on: #1 Co-authored-by: Vishesh 'ironeagle' Bangotra <aetoskia@gmail.com> Co-committed-by: Vishesh 'ironeagle' Bangotra <aetoskia@gmail.com>
2025-12-13 13:15:20 +00:00
parent a7987ab922
commit 8f398c35df
7 changed files with 59 additions and 27 deletions
--- a/src/blog/providers/Author.tsx
+++ b/src/blog/providers/Author.tsx
@@ -1,5 +1,5 @@
 import React, { createContext, useState, useEffect, useContext } from 'react';
-import { api } from '../utils/api';
+import { api, auth } from '../utils/api';
 import { AuthorModel } from '../types/models';
 import { AuthContextModel } from '../types/contexts';

@@ -18,7 +18,14 @@ export const AuthProvider: React.FC<{ children: React.ReactNode }> = ({ children
      setLoading(true);
      setError(null);

-      const res = await api.post('/auth/register', { username, password });
+      const res = await auth.post('/register', { username, password });
+
+      // auto-login
+      // await login(username, password);
+
+      // now create author
+      await api.post('/authors', { name: null, avatar: null });
+
      return res.data;
    } catch (err: any) {
      console.error('Registration failed:', err);
@@ -34,7 +41,7 @@ export const AuthProvider: React.FC<{ children: React.ReactNode }> = ({ children
      setLoading(true);
      setError(null);

-      const res = await api.post('/auth/login', { username, password });
+      const res = await auth.post('/login', { username, password });
      const { access_token, user } = res.data;

      if (access_token) {
@@ -99,9 +106,9 @@ export const AuthProvider: React.FC<{ children: React.ReactNode }> = ({ children
  const fetchCurrentUser = async () => {
    if (!token) return;
    try {
-      const me = await api.get<{ _id: string; username: string; email: string }>('/auth/me');
+      const me = await auth.get('/me');

-      const author = await api.get<AuthorModel>(`/authors/${me.data._id}`);
+      const author = await api.get<AuthorModel>(`/authors/me`);

      const fullUser = { ...me.data, ...author.data };