Skip to content

feat(auth): add dormant BFF SessionService (Phase 5)#218

Merged
philmerrell merged 1 commit into
developfrom
feature/bff-phase-5-frontend-session-service
May 2, 2026
Merged

feat(auth): add dormant BFF SessionService (Phase 5)#218
philmerrell merged 1 commit into
developfrom
feature/bff-phase-5-frontend-session-service

Conversation

@philmerrell

Copy link
Copy Markdown
Contributor

Summary

Phase 5 of the BFF Token Handler migration. Adds the frontend half of the migration without activating it — the SPA still authenticates via the existing Cognito Bearer/PKCE flow. Phase 6 wires this in per environment.

  • New SessionService (peer to AuthService) at session.service.ts:
    • bootstrap()GET {appApiUrl}/auth/session, populates user / csrfToken signals on 200, redirects to /auth/login on 401, leaves state clean on transport error.
    • redirectToLogin(returnUrl?), csrfHeaders() / csrfHttpHeaders(), logout().
    • Signals: user, csrfToken, bootstrapped, isAuthenticated (computed).
  • New BffSessionUser / BffSessionResponse types matching the Phase 3 /auth/session payload — kept distinct from the Bearer-flow User model so Phase 6 can decide on normalization.
  • ConfigService.validateConfig relaxed to accept either an absolute URL or a same-origin path beginning with / (e.g. /api) for appApiUrl. Required so a Phase 6a config.json can ship the CloudFront /api/* form. Protocol-relative //host is explicitly rejected.

Dormant: SessionService is not registered in app.config.ts, no interceptor calls it, and nothing references it from existing components/services. The Bearer flow is untouched.

Phase 4 (PR #216) merged as cc4ee5cf and follow-up #217 (3d92ed33) cleared the same SSE-buffering bug in converse_routes.py.

Test plan

  • cd frontend/ai.client && npm run test:ci — 1003 passing (16 new SessionService specs, 2 new ConfigService validator specs)
  • npm run build — clean
  • npm run start — log in via the existing Cognito Bearer flow; verify chat, files, and admin views work as before. No /auth/session request should appear in the Network tab — SessionService has no consumers yet.
  • (Optional smoke) In DevTools console after the SPA loads, manually instantiate the service and call bootstrap() — should 401 against the local app-api and navigate to http://localhost:8000/auth/login?return_to=…. Proves the wiring works end-to-end without changing user-visible behavior.

🤖 Generated with Claude Code

Adds the frontend half of the BFF Token-Handler migration without
activating it. Phase 6 wires it into the auth flow per environment.

* `SessionService` (peer to `AuthService`) bootstraps from
  `GET {appApiUrl}/auth/session`, exposes `user` / `csrfToken` /
  `bootstrapped` / `isAuthenticated` signals, redirects the browser to
  `{appApiUrl}/auth/login` on 401, and provides `csrfHeaders()` /
  `csrfHttpHeaders()` helpers for the Phase 6 CSRF interceptor to
  consume.
* `BffSessionUser` / `BffSessionResponse` types match the Phase 3
  `/auth/session` payload (single `name` field — kept distinct from the
  Bearer-flow `User` model so Phase 6 can decide on normalization).
* `ConfigService.validateConfig` now accepts a same-origin path
  beginning with `/` (e.g. `/api`) for `appApiUrl`, so a Phase 6a
  `config.json` can ship the CloudFront `/api/*` form. Protocol-relative
  `//host` is explicitly rejected.

The service is not registered in `app.config.ts` and no interceptor
references it; the SPA still authenticates via the existing
Cognito/Bearer/PKCE flow. Verified via `npm test:ci` (1003 passing) and
`npm run build` (clean).
@philmerrell philmerrell merged commit 93e5d52 into develop May 2, 2026
13 checks passed
@philmerrell philmerrell deleted the feature/bff-phase-5-frontend-session-service branch May 2, 2026 21:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant