feat(auth): add dormant BFF SessionService (Phase 5)#218
Merged
Conversation
Adds the frontend half of the BFF Token-Handler migration without
activating it. Phase 6 wires it into the auth flow per environment.
* `SessionService` (peer to `AuthService`) bootstraps from
`GET {appApiUrl}/auth/session`, exposes `user` / `csrfToken` /
`bootstrapped` / `isAuthenticated` signals, redirects the browser to
`{appApiUrl}/auth/login` on 401, and provides `csrfHeaders()` /
`csrfHttpHeaders()` helpers for the Phase 6 CSRF interceptor to
consume.
* `BffSessionUser` / `BffSessionResponse` types match the Phase 3
`/auth/session` payload (single `name` field — kept distinct from the
Bearer-flow `User` model so Phase 6 can decide on normalization).
* `ConfigService.validateConfig` now accepts a same-origin path
beginning with `/` (e.g. `/api`) for `appApiUrl`, so a Phase 6a
`config.json` can ship the CloudFront `/api/*` form. Protocol-relative
`//host` is explicitly rejected.
The service is not registered in `app.config.ts` and no interceptor
references it; the SPA still authenticates via the existing
Cognito/Bearer/PKCE flow. Verified via `npm test:ci` (1003 passing) and
`npm run build` (clean).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Phase 5 of the BFF Token Handler migration. Adds the frontend half of the migration without activating it — the SPA still authenticates via the existing Cognito Bearer/PKCE flow. Phase 6 wires this in per environment.
SessionService(peer toAuthService) at session.service.ts:bootstrap()→GET {appApiUrl}/auth/session, populatesuser/csrfTokensignals on 200, redirects to/auth/loginon 401, leaves state clean on transport error.redirectToLogin(returnUrl?),csrfHeaders()/csrfHttpHeaders(),logout().user,csrfToken,bootstrapped,isAuthenticated(computed).BffSessionUser/BffSessionResponsetypes matching the Phase 3/auth/sessionpayload — kept distinct from the Bearer-flowUsermodel so Phase 6 can decide on normalization.ConfigService.validateConfigrelaxed to accept either an absolute URL or a same-origin path beginning with/(e.g./api) forappApiUrl. Required so a Phase 6aconfig.jsoncan ship the CloudFront/api/*form. Protocol-relative//hostis explicitly rejected.Dormant:
SessionServiceis not registered inapp.config.ts, no interceptor calls it, and nothing references it from existing components/services. The Bearer flow is untouched.Phase 4 (PR #216) merged as
cc4ee5cfand follow-up #217 (3d92ed33) cleared the same SSE-buffering bug inconverse_routes.py.Test plan
cd frontend/ai.client && npm run test:ci— 1003 passing (16 new SessionService specs, 2 new ConfigService validator specs)npm run build— cleannpm run start— log in via the existing Cognito Bearer flow; verify chat, files, and admin views work as before. No/auth/sessionrequest should appear in the Network tab — SessionService has no consumers yet.bootstrap()— should 401 against the local app-api and navigate tohttp://localhost:8000/auth/login?return_to=…. Proves the wiring works end-to-end without changing user-visible behavior.🤖 Generated with Claude Code