marcel/mealprep
1
0
Fork 0
Code Issues 22 Pull Requests Actions Packages Projects Releases Wiki Activity
308 Commits 2 Branches 0 Tags
c40b0fe09515146de7a1cd55b62fc3602f0201c1
Commit Graph

8 Commits

Author SHA1 Message Date
Marcel Raddatz
5b8d336d21 fix(planner): map backend role 'planner' to 'planer' and enlarge nav buttons to 40px touch targets 
- hooks.server.ts: replace type-cast with actual mapping so isPlanner works
- planner page: set min-h/min-w 40px on prev/next/heute week buttons

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-04-09 09:51:32 +02:00
Marcel Raddatz
0aa65214fc fix(auth): resolve broken signup/login flow end-to-end 
Three root causes fixed:

1. CSRF blocked all backend POSTs — Spring Security's CSRF filter ran
   before permitAll() authorization, returning 401 for signup and login.
   Disabled CSRF since SvelteKit is the only client (never the browser
   directly) and handles its own CSRF via Origin header checks.

2. Login/signup didn't establish Spring Security authentication — they
   stored email in the HTTP session manually but never set the
   SecurityContext, so Principal in /v1/auth/me was always null and
   hooks.server.ts redirected every authenticated request to /login.
   Fixed with authenticateInSession() helper that sets and persists
   the SecurityContext under SPRING_SECURITY_CONTEXT_KEY. Login also
   now invalidates the old session before creating a new one to prevent
   session fixation.

3. redirect() missing throw in hooks.server.ts, signup action, and
   login action — SvelteKit never saw the redirect, so pages silently
   reloaded with no navigation. Also forward JSESSIONID from backend
   response to browser explicitly, since SvelteKit does not
   auto-forward Set-Cookie for cross-origin server-side fetches.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-04-02 17:31:29 +02:00
Marcel Raddatz
56fc7e6052 feat(auth): add /signup to public routes 
Allow unauthenticated access to the signup page.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-04-02 14:39:17 +02:00
Marcel Raddatz
aeaca76534 fix(auth): handle users without household — fallback to 'Kein Haushalt' 
Removes non-null assertions on householdId/householdName. Users who
haven't joined a household get a fallback name in the sidebar.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-04-02 13:58:37 +02:00
Marcel Raddatz
32550377aa fix(auth): read JSESSIONID cookie to match Spring Security default 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-04-02 13:57:34 +02:00
Marcel Raddatz
92c7d8f92e feat(auth): preserve redirect URL when redirecting to /login 
Appends ?redirect= with the original pathname so the login page
can redirect back after successful authentication.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-04-02 13:56:49 +02:00
Marcel Raddatz
2bdb1010f8 fix(auth): bypass auth guard for static assets and favicon 
Prevents redirect loop when backend is down — login page CSS/JS
would otherwise be redirected to /login.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-04-02 13:55:03 +02:00
Marcel Raddatz
7a17873046 feat(auth): add auth guard in hooks.server.ts with session validation 
Validates session cookie via GET /v1/auth/me, populates event.locals
with benutzer and haushalt, redirects to /login if unauthenticated.
Public routes (/login, /register, /invite) bypass auth.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-04-02 13:19:40 +02:00