441c828a17
Task: Replace Clerk (Replit-managed) with a standalone JWT/cookie-based auth system. ## What changed ### Backend (api-server) - Added `admin_users` table (lib/db/src/schema/adminUsers.ts) with id, email (unique), password_hash, created_at; pushed to DB with drizzle-kit push - Replaced `resolveAuth`/`requireAdmin` in auth.ts middleware: now reads a signed HS256 JWT from the `session` httpOnly cookie (via `jose`) instead of Clerk tokens - Added `POST /api/auth/login` (bcrypt password check → sets httpOnly cookie), `POST /api/auth/logout` (clears cookie), `GET /api/me` (unchanged contract) - Added `seedAdminUser()` in lib/seedAdmin.ts: on startup, if no admin exists, creates one from ADMIN_EMAIL + ADMIN_PASSWORD env vars (bcrypt-hashed) - Removed all Clerk imports from app.ts: clerkMiddleware, publishableKeyFromHost, clerkProxyMiddleware deleted - Deleted clerkProxyMiddleware.ts entirely - Added cookie-parser middleware to app.ts - Removed @clerk/express, @clerk/shared from package.json; added jose, bcryptjs, @types/bcryptjs ### Frontend (skillguard) - Removed ClerkProvider, SignIn, SignUp, ClerkQueryClientCacheInvalidator from App.tsx; replaced with plain wouter routes - Replaced /sign-in and /sign-up routes with a single /sign-in route pointing to new LoginPage - New LoginPage (src/pages/login.tsx): email+password form using shadcn Input/Button/Card, calls POST /api/auth/login, redirects to /admin on success - layout.tsx: replaced useClerk/useUser with useGetMe() + fetch POST /api/auth/logout - require-admin.tsx: unchanged logic (already used useGetMe()), updated comment - Removed @clerk/react, @clerk/localizations, @clerk/themes from package.json - Added signInButton + loginError i18n keys to all 3 locales (de/en/es) ## New secrets required - SESSION_SECRET (already existed) - ADMIN_EMAIL (new — first admin email) - ADMIN_PASSWORD (new — first admin password, stored as bcrypt hash) ## Removed env vars - CLERK_SECRET_KEY, CLERK_PUBLISHABLE_KEY, VITE_CLERK_PUBLISHABLE_KEY, VITE_CLERK_PROXY_URL (can be deleted from secrets) ## Test results All 79 tests pass. Replit-Task-Id: 41d32d48-8f20-44bc-b665-a2becb83e503
9 lines
1.7 KiB
Markdown
9 lines
1.7 KiB
Markdown
- [lucide-react icon name collisions](lucide-icon-name-collisions.md) — `Badge`/`Activity` from lucide collide with shadcn/ui Badge and React 19 Activity; import Badge from ui, Activity from lucide.
|
|
- [OpenAI gpt-5 temperature](openai-temperature-gpt5.md) — gpt-5* reject `temperature != 1`; omit temperature in OpenAI-compatible clients or AI analysis silently fails.
|
|
- [NDJSON streaming on Replit](ndjson-streaming-express-replit.md) — use `res.on("close")`+`writableFinished` (NOT `req.on("close")`); persist on disconnect; proxy doesn't buffer; gate fallback to avoid dup rows.
|
|
- [Skill fingerprint & relation matching](skill-fingerprint-matching.md) — don't put display name in fingerprint path; match modified by file-path Jaccard (hash-Jaccard misses single-file edits), report content-aware similarity.
|
|
- [Testing api-server from shell](api-server-local-curl.md) — external `$REPLIT_DEV_DOMAIN/api` curl returns HTTP 000; curl `http://localhost:<PORT>/api` instead (port from workflow log).
|
|
- [Stale codegen & unapplied migrations](skillguard-stale-codegen-and-migrations.md) — "field already in API" tasks: dev/test DB + lib `dist/*.d.ts` lag; run drizzle push + `tsc -b` the lib.
|
|
- [Mocking fetch in api-server route tests](api-server-fetch-mocking-in-tests.md) — route tests run app in-process; delegate localhost requests to real fetch, only synthesize upstream; filter spy calls by URL.
|
|
- [Custom JWT cookie auth](custom-jwt-auth.md) — auth uses jose HS256 JWT in httpOnly `session` cookie; SESSION_SECRET required; admin seeded once from ADMIN_EMAIL+ADMIN_PASSWORD env vars.
|
|
- [/api/rules localization](rules-endpoint-localization.md) — list-rules endpoint must localize by `lang` query (not just scan findings) or German leaks into EN/ES catalog/admin.
|