Auth / Author Flow Hardening and Client Separation #1

Merged
aetos merged 4 commits from jwt into main 2025-12-13 13:15:21 +00:00
Owner

Merge Request: Auth / Author Flow Hardening and Client Separation

Summary

This change set improves the authentication–author lifecycle by clearly separating Auth and Blog API clients, ensuring an Author is created at registration time, and preventing user-controlled mutation of immutable identity fields in the UI.

The result is a cleaner contract between services, fewer edge cases around missing authors, and more predictable client behavior.


Key Changes

1. Username Made Read-Only in Profile UI

  • Disabled the username field in Profile.tsx
  • Prevents accidental or malicious mutation of identity-bound fields
  • Aligns UI behavior with backend ownership rules

2. Dedicated Auth vs Blog API Clients

  • Introduced a separate Axios client for the Auth service (auth)
  • Blog service continues to use api
  • Both clients:
    • Automatically attach JWT tokens
    • Share centralized 401 handling and token invalidation logic

Why:
Auth and Blog are separate concerns and potentially separate services. Explicit clients reduce coupling and eliminate ambiguous routing.


3. Registration Flow Now Creates Author Automatically

  • register() now:
    1. Registers the user via Auth service
    2. Creates a corresponding Author via Blog API

This guarantees:

  • Every authenticated user has an Author record
  • No race condition or implicit author creation later

4. Correct Endpoint Usage for “Current User”

  • /auth/me is now correctly called via the Auth client
  • /authors/me replaces ID-based lookup for the current author
  • Eliminates dependency on user ID leaking across service boundaries

5. Centralized Token & Auth Error Handling

  • Shared request interceptor to attach JWT tokens
  • Shared response interceptor to handle 401 consistently
  • Token invalidation is now uniform across services

6. Environment Configuration Updated

  • Added VITE_AUTH_BASE_URL to support separate Auth service routing
  • Explicit environment contract avoids accidental misconfiguration

Impact

  • Cleaner service boundaries
  • Deterministic user → author lifecycle
  • Reduced client-side complexity and edge cases
  • More secure handling of identity fields

Notes / Follow-ups

  • Optional auto-login after registration is scaffolded but commented
  • Logout or redirect handling on 401 can be wired later via an event bus or global handler

Risk Level: Low
Behavioral Change: Yes (author auto-created on registration)
Backward Compatibility: Requires Auth + Blog services to be reachable separately

aetos added 2 commits 2025-12-13 12:42:31 +00:00
## Summary
Refactored the authentication flow to correctly separate traffic between the
Auth service and Blog service. Added post-registration author creation and
switched all `/auth/*` calls to the dedicated `auth` Axios client.

## Changes
### AuthProvider
- Replaced `api.post('/auth/register')` with `auth.post('/register')`
- Replaced `api.post('/auth/login')` with `auth.post('/login')`
- Added automatic author creation after user registration (`POST /authors`)
- Switched user identity lookup from `api.get('/auth/me')` to `auth.get('/me')`
- Replaced `/authors/{id}` lookup with `/authors/me`
- Updated imports to use `{ api, auth }`

### Axios Client Layer
- Introduced a new `auth` Axios instance using `VITE_AUTH_BASE_URL`
- Added shared token attachment and 401 handling logic
- Applied interceptors to both `auth` and `api` clients
- Removed inline auth logic from `api.ts`

### Types
- Added `VITE_AUTH_BASE_URL` to `vite-env.d.ts`

## Impact
- Correctly routes authentication traffic to the Auth microservice
- Ensures an Author document is created automatically after registration
- Simplifies identity loading via `/authors/me`
- Improves token handling consistency across both services
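The shared interceptor layer described under "Centralized Token & Auth Error Handling" in the description and under "Axios Client Layer" in the commit message, as an added example that is not the project's code: it is written against a minimal structural type (an assumption) so it runs without the axios package, and the token store is in-memory. With real axios, each instance is built with `axios.create({ baseURL })` (the Auth one from `VITE_AUTH_BASE_URL`) and the same two functions are passed to `client.interceptors.request.use` and `client.interceptors.response.use`.

```typescript
// Added example, not the project's code. A minimal structural type stands in
// for an axios instance (assumption) so the block runs without the package.
type HeaderMap = Record<string, string>;
type RequestConfig = { url: string; headers: HeaderMap };
type HttpError = { response?: { status: number }; config?: RequestConfig };

interface InterceptorClient {
  interceptors: {
    request: { use(onFulfilled: (c: RequestConfig) => RequestConfig): void };
    response: {
      use(onFulfilled: (r: unknown) => unknown,
          onRejected: (e: HttpError) => Promise<never>): void;
    };
  };
}

// One token store shared by the auth and api clients, so that a 401 from
// either service invalidates the same credential (in-memory here; assumption).
let currentToken: string | null = null;
const tokenStore = {
  get: (): string | null => currentToken,
  set: (t: string): void => { currentToken = t; },
  clear: (): void => { currentToken = null; },
};

// Request interceptor: attach "Authorization: Bearer <jwt>" when a token exists.
function attachToken(config: RequestConfig): RequestConfig {
  const token = tokenStore.get();
  if (token !== null) config.headers["Authorization"] = `Bearer ${token}`;
  return config;
}

// Response interceptor factory: on 401, clear the token and notify a global
// handler (logout/redirect wiring is the caller's, as the follow-ups note);
// every error is still propagated to the calling code.
function handleUnauthorized(onUnauthorized: () => void) {
  return (error: HttpError): Promise<never> => {
    if (error.response?.status === 401) {
      tokenStore.clear();
      onUnauthorized();
    }
    return Promise.reject(error);
  };
}

// Apply the same pair of interceptors to every client (auth and api alike).
function applyAuthInterceptors(client: InterceptorClient, onUnauthorized: () => void): void {
  client.interceptors.request.use(attachToken);
  client.interceptors.response.use((r) => r, handleUnauthorized(onUnauthorized));
}
```

Because both clients share `tokenStore`, a 401 from the Blog service also drops the token the Auth client would have sent, which is the uniform invalidation the description claims.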
aetos changed title from jwt to Auth / Author Flow Hardening and Client Separation 2025-12-13 12:54:23 +00:00
aetos added 1 commit 2025-12-13 13:08:47 +00:00
aetos added 1 commit 2025-12-13 13:13:56 +00:00
aetos merged commit 8f398c35df into main 2025-12-13 13:15:21 +00:00
aetos deleted branch jwt 2025-12-13 13:15:21 +00:00
Reference: apps/blog#1