# Auth & Roles Implementation Plan (Sub-project A)

> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking.

**Goal:** Put the existing flashcard app behind email+password authentication with self-service registration, admin invites, password reset, profile management, and a sysadmin role for user management.

**Architecture:** Server-side sessions in SQLite (Drizzle ORM) backed by HttpOnly cookies, with double-submit CSRF tokens for mutations. Email delivery via nodemailer over SMTP (Mailpit in dev, Amazon SES in prod) with a stub-mailer fallback that logs to console when SMTP is unreachable. New backend modules under `src/services/auth/`, `src/middleware/`, and route files for `/api/auth/*` and `/api/admin/users/*`. New React pages for login/register/verify/forgot/reset/accept-invite/profile/admin-users, gated by an `AuthBoundary` + `RoleGuard`.

**Tech Stack:** bcryptjs, nodemailer, cookie-parser, express-rate-limit, Drizzle ORM, Zod, React + Zustand, Vitest + supertest, Playwright + Mailpit HTTP API.

**Spec:** `docs/superpowers/specs/2026-05-20-auth-and-roles-design.md`

**Pre-implementation:** The current dev DB at `data/flashcard.db` will be dropped and re-migrated. No production data exists yet.

---

## File Structure

```
flashcard/
├── docker-compose.yml                                NEW (mailpit)
├── .env.example                                      NEW
├── packages/
│   ├── shared/src/
│   │   ├── types.ts                                  MODIFIED (+ User, AuthSession, Role)
│   │   └── schemas.ts                                MODIFIED (+ auth zod schemas)
│   ├── backend/src/
│   │   ├── db/
│   │   │   ├── schema.ts                             MODIFIED (+ users, sessions_auth, auth_tokens)
│   │   │   └── seed.ts                               MODIFIED (creates demo user + lessons)
│   │   ├── services/
│   │   │   ├── auth/
│   │   │   │   ├── passwords.ts                      NEW
│   │   │   │   ├── passwords.test.ts                 NEW
│   │   │   │   ├── tokens.ts                         NEW
│   │   │   │   ├── tokens.test.ts                    NEW
│   │   │   │   ├── sessions.ts                       NEW
│   │   │   │   ├── sessions.test.ts                  NEW
│   │   │   │   ├── email.ts                          NEW
│   │   │   │   └── templates.ts                      NEW
│   │   │   └── users.ts                              NEW (admin user management)
│   │   ├── middleware/
│   │   │   ├── auth.ts                               NEW (requireAuth, requireRole, currentUserOrNull)
│   │   │   ├── csrf.ts                               NEW
│   │   │   └── rate-limit.ts                         NEW
│   │   ├── lib/
│   │   │   └── cookies.ts                            NEW
│   │   ├── routes/
│   │   │   ├── auth.ts                               NEW
│   │   │   ├── admin-users.ts                        NEW
│   │   │   ├── cards.ts                              MODIFIED (no functional change beyond mounting)
│   │   │   ├── lessons.ts                            (unchanged)
│   │   │   ├── sessions.ts                           (unchanged)
│   │   │   └── stats.ts                              (unchanged)
│   │   ├── tests/
│   │   │   ├── dbHelper.ts                           MODIFIED (helper to seed a user + return session cookie)
│   │   │   ├── auth.integration.test.ts              NEW
│   │   │   └── admin-users.integration.test.ts       NEW
│   │   ├── app.ts                                    MODIFIED (mount auth, csrf, rate limit, protect all)
│   │   └── index.ts                                  MODIFIED (env validation)
│   └── frontend/src/
│       ├── api/
│       │   ├── client.ts                             MODIFIED (CSRF header + 401 handling)
│       │   ├── auth.ts                               NEW
│       │   └── admin-users.ts                        NEW
│       ├── stores/
│       │   └── authStore.ts                          NEW
│       ├── components/
│       │   ├── AuthBoundary.tsx                      NEW
│       │   ├── RoleGuard.tsx                         NEW
│       │   ├── UserMenu.tsx                          NEW
│       │   └── Layout.tsx                            MODIFIED (UserMenu + sysadmin link)
│       ├── pages/
│       │   ├── auth/
│       │   │   ├── Login.tsx                         NEW
│       │   │   ├── Register.tsx                      NEW
│       │   │   ├── VerifyEmail.tsx                   NEW
│       │   │   ├── ForgotPassword.tsx                NEW
│       │   │   ├── ResetPassword.tsx                 NEW
│       │   │   └── AcceptInvite.tsx                  NEW
│       │   ├── Profile.tsx                           NEW
│       │   └── AdminUsers.tsx                        NEW
│       └── router.tsx                                MODIFIED (auth routes + boundaries)
├── e2e/
│   ├── smoke.spec.ts                                 MODIFIED (registers + logs in first)
│   └── auth.spec.ts                                  NEW (full mailpit-based auth flow)
└── README.md                                          MODIFIED (auth setup section)
```

---

## Task 1: Database schema for auth

**Files:**
- Modify: `packages/backend/src/db/schema.ts`
- Generate: `packages/backend/drizzle/0001_*.sql`
- Modify: `packages/backend/src/db/seed.ts`

- [ ] **Step 1: Drop existing dev DB**

```bash
cd /Users/berthausmans/Documents/Development/flashcard
rm -f data/flashcard.db data/flashcard.db-* packages/backend/data/*.db packages/backend/data/*.db-*
```

- [ ] **Step 2: Append new tables to `schema.ts`**

Add to `packages/backend/src/db/schema.ts` (after the existing `attempts` table, before the type exports):

```ts
export const users = sqliteTable(
  'users',
  {
    id: integer('id').primaryKey({ autoIncrement: true }),
    email: text('email').notNull().unique(),
    displayName: text('display_name').notNull(),
    passwordHash: text('password_hash'),
    role: text('role', { enum: ['user', 'sysadmin'] }).notNull().default('user'),
    isActive: integer('is_active', { mode: 'boolean' }).notNull().default(true),
    emailVerifiedAt: integer('email_verified_at'),
    pendingEmail: text('pending_email'),
    createdAt: integer('created_at').notNull().default(sql`(unixepoch())`),
    updatedAt: integer('updated_at').notNull().default(sql`(unixepoch())`),
  },
  (t) => ({ emailIdx: index('users_email_idx').on(t.email) })
);

export const sessionsAuth = sqliteTable(
  'sessions_auth',
  {
    id: text('id').primaryKey(),
    userId: integer('user_id').notNull().references(() => users.id, { onDelete: 'cascade' }),
    createdAt: integer('created_at').notNull().default(sql`(unixepoch())`),
    expiresAt: integer('expires_at').notNull(),
    lastUsedAt: integer('last_used_at').notNull().default(sql`(unixepoch())`),
    userAgent: text('user_agent'),
    ip: text('ip'),
  },
  (t) => ({
    userIdx: index('sessions_auth_user_idx').on(t.userId),
    expIdx: index('sessions_auth_expires_idx').on(t.expiresAt),
  })
);

export const authTokens = sqliteTable(
  'auth_tokens',
  {
    id: integer('id').primaryKey({ autoIncrement: true }),
    userId: integer('user_id').notNull().references(() => users.id, { onDelete: 'cascade' }),
    tokenHash: text('token_hash').notNull(),
    purpose: text('purpose', { enum: ['verify_email', 'password_reset', 'invite', 'change_email'] }).notNull(),
    payload: text('payload'),
    expiresAt: integer('expires_at').notNull(),
    usedAt: integer('used_at'),
    createdAt: integer('created_at').notNull().default(sql`(unixepoch())`),
  },
  (t) => ({
    hashIdx: index('auth_tokens_hash_idx').on(t.tokenHash),
    userPurposeIdx: index('auth_tokens_user_purpose_idx').on(t.userId, t.purpose),
  })
);

export type UserRow = typeof users.$inferSelect;
export type SessionAuthRow = typeof sessionsAuth.$inferSelect;
export type AuthTokenRow = typeof authTokens.$inferSelect;
```

- [ ] **Step 3: Generate migration**

```bash
npm -w @flashcard/backend run db:generate
```

Expected: a new file `packages/backend/drizzle/0001_*.sql` is created.

- [ ] **Step 4: Run migrations on a fresh DB**

```bash
DB_PATH=./data/flashcard.db npm -w @flashcard/backend run db:migrate
```

Expected: `Migrations applied.` and `data/flashcard.db` exists.

- [ ] **Step 5: Update `seed.ts` to be safe with the new tables**

Replace the contents of `packages/backend/src/db/seed.ts` with:

```ts
import { createDb } from './client.js';
import { cards, lessons } from './schema.js';

const { db, sqlite } = createDb();
// Seed only demo lessons + cards. Users are created via /api/auth/register in app.
const [root] = db.insert(lessons).values({ name: 'Demo: Spaans', position: 0 }).returning().all();
const [sub] = db.insert(lessons).values({ name: 'Begroetingen', parentId: root!.id, position: 0 }).returning().all();
db.insert(cards).values([
  { lessonId: sub!.id, question: 'Hallo', answer: 'Hola', position: 0 },
  { lessonId: sub!.id, question: 'Goedemorgen', answer: 'Buenos días', position: 1 },
  { lessonId: sub!.id, question: 'Tot ziens', answer: 'Adiós', position: 2 },
]).run();
sqlite.close();
console.log('Seed inserted.');
```

(No change to logic; only confirming that seed continues to work after the new tables exist.)

- [ ] **Step 6: Typecheck and commit**

```bash
npm -w @flashcard/backend run typecheck
git add packages/backend/src/db/schema.ts packages/backend/drizzle packages/backend/src/db/seed.ts
git -c commit.gpgsign=false commit -m "feat(db): add users, sessions_auth, auth_tokens tables"
```

---

## Task 2: Shared auth types & Zod schemas

**Files:**
- Modify: `packages/shared/src/types.ts`
- Modify: `packages/shared/src/schemas.ts`

- [ ] **Step 1: Append types to `types.ts`**

Append these to `packages/shared/src/types.ts`:

```ts
export type Role = 'user' | 'sysadmin';

export interface User {
  id: number;
  email: string;
  displayName: string;
  role: Role;
  isActive: boolean;
  emailVerifiedAt: number | null;
  pendingEmail: string | null;
  createdAt: number;
  updatedAt: number;
}

export interface PublicUser {
  id: number;
  email: string;
  displayName: string;
  role: Role;
}
```

- [ ] **Step 2: Append Zod schemas to `schemas.ts`**

Append to `packages/shared/src/schemas.ts`:

```ts
export const emailSchema = z.string().email().max(320).transform((v) => v.trim().toLowerCase());

export const registerSchema = z.object({
  email: emailSchema,
  displayName: z.string().trim().min(1).max(120),
  password: z.string().min(8).max(200),
});

export const loginSchema = z.object({
  email: emailSchema,
  password: z.string().min(1).max(200),
});

export const forgotPasswordSchema = z.object({ email: emailSchema });

export const resetPasswordSchema = z.object({
  token: z.string().min(20).max(200),
  password: z.string().min(8).max(200),
});

export const verifyEmailSchema = z.object({
  token: z.string().min(20).max(200),
});

export const resendVerificationSchema = z.object({ email: emailSchema });

export const profileUpdateSchema = z.object({
  displayName: z.string().trim().min(1).max(120).optional(),
  email: emailSchema.optional(),
});

export const changePasswordSchema = z.object({
  currentPassword: z.string().min(1).max(200),
  newPassword: z.string().min(8).max(200),
});

export const acceptInviteSchema = z.object({
  token: z.string().min(20).max(200),
  displayName: z.string().trim().min(1).max(120),
  password: z.string().min(8).max(200),
});

export const inviteUserSchema = z.object({
  email: emailSchema,
  role: z.enum(['user', 'sysadmin']).default('user'),
});

export const adminUserUpdateSchema = z.object({
  displayName: z.string().trim().min(1).max(120).optional(),
  role: z.enum(['user', 'sysadmin']).optional(),
  isActive: z.boolean().optional(),
});

export type RegisterInput = z.infer<typeof registerSchema>;
export type LoginInput = z.infer<typeof loginSchema>;
export type ForgotPasswordInput = z.infer<typeof forgotPasswordSchema>;
export type ResetPasswordInput = z.infer<typeof resetPasswordSchema>;
export type VerifyEmailInput = z.infer<typeof verifyEmailSchema>;
export type ResendVerificationInput = z.infer<typeof resendVerificationSchema>;
export type ProfileUpdateInput = z.infer<typeof profileUpdateSchema>;
export type ChangePasswordInput = z.infer<typeof changePasswordSchema>;
export type AcceptInviteInput = z.infer<typeof acceptInviteSchema>;
export type InviteUserInput = z.infer<typeof inviteUserSchema>;
export type AdminUserUpdateInput = z.infer<typeof adminUserUpdateSchema>;
```

- [ ] **Step 3: Typecheck and commit**

```bash
npm -w @flashcard/shared run typecheck
git add packages/shared/src/types.ts packages/shared/src/schemas.ts
git -c commit.gpgsign=false commit -m "feat(shared): add auth types and zod schemas"
```

---

## Task 3: Password service (TDD)

**Files:**
- Create: `packages/backend/src/services/auth/passwords.ts`
- Create: `packages/backend/src/services/auth/passwords.test.ts`

- [ ] **Step 1: Install bcryptjs**

```bash
cd /Users/berthausmans/Documents/Development/flashcard
npm i -w @flashcard/backend bcryptjs
npm i -D -w @flashcard/backend @types/bcryptjs
```

- [ ] **Step 2: Write the failing tests**

Create `packages/backend/src/services/auth/passwords.test.ts`:

```ts
import { describe, it, expect } from 'vitest';
import { hashPassword, verifyPassword } from './passwords.js';

describe('passwords', () => {
  it('hashes a password and verifies it', async () => {
    const hash = await hashPassword('correcthorse');
    expect(hash).toMatch(/^\$2[aby]\$/);
    expect(await verifyPassword('correcthorse', hash)).toBe(true);
  });

  it('rejects a wrong password', async () => {
    const hash = await hashPassword('correcthorse');
    expect(await verifyPassword('wrong', hash)).toBe(false);
  });

  it('returns false on malformed hash', async () => {
    expect(await verifyPassword('x', 'not-a-bcrypt-hash')).toBe(false);
  });
});
```

- [ ] **Step 3: Run — fail**

```bash
npm -w @flashcard/backend test
```

Expected: failure (module not found).

- [ ] **Step 4: Implement `passwords.ts`**

```ts
import bcrypt from 'bcryptjs';

const COST = 12;

export async function hashPassword(plain: string): Promise<string> {
  return bcrypt.hash(plain, COST);
}

export async function verifyPassword(plain: string, hash: string): Promise<boolean> {
  try {
    return await bcrypt.compare(plain, hash);
  } catch {
    return false;
  }
}
```

- [ ] **Step 5: Run — pass**

```bash
npm -w @flashcard/backend test
```

Expected: 3 password tests pass.

- [ ] **Step 6: Commit**

```bash
git add packages/backend/package.json package-lock.json packages/backend/src/services/auth/
git -c commit.gpgsign=false commit -m "feat(auth): password hashing service"
```

---

## Task 4: Token service (TDD)

**Files:**
- Create: `packages/backend/src/services/auth/tokens.ts`
- Create: `packages/backend/src/services/auth/tokens.test.ts`

- [ ] **Step 1: Write failing tests**

```ts
import { describe, it, expect, beforeEach } from 'vitest';
import { makeTestDb } from '../../tests/dbHelper.js';
import { createUserDirect } from '../../tests/dbHelper.js';
import { generateToken, createAuthToken, consumeAuthToken, findValidAuthToken } from './tokens.js';

let env: ReturnType<typeof makeTestDb>;
beforeEach(() => { env = makeTestDb(); });

describe('tokens', () => {
  it('generates a URL-safe random token of the expected length', () => {
    const t = generateToken();
    expect(t).toMatch(/^[A-Za-z0-9_-]+$/);
    expect(t.length).toBeGreaterThanOrEqual(32);
  });

  it('stores a hashed token and finds it by plaintext', async () => {
    const user = await createUserDirect(env.db, { email: 'a@example.com' });
    const { plaintext } = await createAuthToken(env.db, user.id, 'verify_email', 3600);
    const found = await findValidAuthToken(env.db, plaintext, 'verify_email');
    expect(found?.userId).toBe(user.id);
  });

  it('rejects an expired token', async () => {
    const user = await createUserDirect(env.db, { email: 'b@example.com' });
    const { plaintext } = await createAuthToken(env.db, user.id, 'verify_email', -1);
    expect(await findValidAuthToken(env.db, plaintext, 'verify_email')).toBeNull();
  });

  it('rejects a wrong purpose', async () => {
    const user = await createUserDirect(env.db, { email: 'c@example.com' });
    const { plaintext } = await createAuthToken(env.db, user.id, 'verify_email', 3600);
    expect(await findValidAuthToken(env.db, plaintext, 'password_reset')).toBeNull();
  });

  it('consumes a token once', async () => {
    const user = await createUserDirect(env.db, { email: 'd@example.com' });
    const { plaintext } = await createAuthToken(env.db, user.id, 'verify_email', 3600);
    const first = await consumeAuthToken(env.db, plaintext, 'verify_email');
    expect(first?.userId).toBe(user.id);
    const second = await consumeAuthToken(env.db, plaintext, 'verify_email');
    expect(second).toBeNull();
  });

  it('stores and returns the payload', async () => {
    const user = await createUserDirect(env.db, { email: 'e@example.com' });
    const { plaintext } = await createAuthToken(env.db, user.id, 'change_email', 3600, 'new@example.com');
    const found = await findValidAuthToken(env.db, plaintext, 'change_email');
    expect(found?.payload).toBe('new@example.com');
  });
});
```

- [ ] **Step 2: Add helper to dbHelper.ts**

Modify `packages/backend/src/tests/dbHelper.ts` to also export `createUserDirect`:

```ts
import { migrate } from 'drizzle-orm/better-sqlite3/migrator';
import { resolve } from 'node:path';
import { createDb, type Db } from '../db/client.js';
import { users } from '../db/schema.js';
import type { UserRow } from '../db/schema.js';

export function makeTestDb(): { db: Db; close: () => void } {
  const { db, sqlite } = createDb(':memory:');
  migrate(db, { migrationsFolder: resolve(import.meta.dirname, '../../drizzle') });
  return { db, close: () => sqlite.close() };
}

export async function createUserDirect(
  db: Db,
  init: { email: string; displayName?: string; role?: 'user' | 'sysadmin'; passwordHash?: string | null; emailVerifiedAt?: number | null; isActive?: boolean }
): Promise<UserRow> {
  const [row] = db.insert(users).values({
    email: init.email,
    displayName: init.displayName ?? 'Test User',
    role: init.role ?? 'user',
    passwordHash: init.passwordHash ?? null,
    emailVerifiedAt: init.emailVerifiedAt ?? null,
    isActive: init.isActive ?? true,
  }).returning().all();
  return row!;
}
```

- [ ] **Step 3: Run — fail**

```bash
npm -w @flashcard/backend test
```

Expected: tokens module not found.

- [ ] **Step 4: Implement `tokens.ts`**

```ts
import { randomBytes, createHash } from 'node:crypto';
import { and, eq, isNull, sql } from 'drizzle-orm';
import type { Db } from '../../db/client.js';
import { authTokens } from '../../db/schema.js';

const TOKEN_BYTES = 32;
export type Purpose = 'verify_email' | 'password_reset' | 'invite' | 'change_email';

export function generateToken(): string {
  return randomBytes(TOKEN_BYTES).toString('base64url');
}

function hashToken(plaintext: string): string {
  return createHash('sha256').update(plaintext).digest('hex');
}

export interface CreatedToken {
  plaintext: string;
  hash: string;
  expiresAt: number;
}

export async function createAuthToken(
  db: Db,
  userId: number,
  purpose: Purpose,
  ttlSeconds: number,
  payload?: string | null
): Promise<CreatedToken> {
  const plaintext = generateToken();
  const hash = hashToken(plaintext);
  const expiresAt = Math.floor(Date.now() / 1000) + ttlSeconds;
  db.insert(authTokens).values({
    userId,
    tokenHash: hash,
    purpose,
    payload: payload ?? null,
    expiresAt,
  }).run();
  return { plaintext, hash, expiresAt };
}

export async function findValidAuthToken(
  db: Db,
  plaintext: string,
  purpose: Purpose
): Promise<{ id: number; userId: number; payload: string | null } | null> {
  const now = Math.floor(Date.now() / 1000);
  const hash = hashToken(plaintext);
  const row = db.select().from(authTokens).where(
    and(
      eq(authTokens.tokenHash, hash),
      eq(authTokens.purpose, purpose),
      isNull(authTokens.usedAt),
      sql`${authTokens.expiresAt} > ${now}`
    )
  ).get();
  if (!row) return null;
  return { id: row.id, userId: row.userId, payload: row.payload ?? null };
}

export async function consumeAuthToken(
  db: Db,
  plaintext: string,
  purpose: Purpose
): Promise<{ userId: number; payload: string | null } | null> {
  const now = Math.floor(Date.now() / 1000);
  const row = await findValidAuthToken(db, plaintext, purpose);
  if (!row) return null;
  const r = db.update(authTokens).set({ usedAt: now })
    .where(and(eq(authTokens.id, row.id), isNull(authTokens.usedAt)))
    .run();
  if (r.changes === 0) return null;
  return { userId: row.userId, payload: row.payload };
}

export async function invalidateTokensForUser(db: Db, userId: number, purpose: Purpose): Promise<void> {
  const now = Math.floor(Date.now() / 1000);
  db.update(authTokens).set({ usedAt: now })
    .where(and(eq(authTokens.userId, userId), eq(authTokens.purpose, purpose), isNull(authTokens.usedAt)))
    .run();
}
```

- [ ] **Step 5: Run — pass**

```bash
npm -w @flashcard/backend test
```

Expected: 6 token tests pass.

- [ ] **Step 6: Commit**

```bash
git add packages/backend/src/services/auth/tokens.ts packages/backend/src/services/auth/tokens.test.ts packages/backend/src/tests/dbHelper.ts
git -c commit.gpgsign=false commit -m "feat(auth): token service with single-use, hashed storage"
```

---

## Task 5: Auth session service (TDD)

**Files:**
- Create: `packages/backend/src/services/auth/sessions.ts`
- Create: `packages/backend/src/services/auth/sessions.test.ts`

Note: this file is for **auth sessions**, not the existing practice sessions. Filename `sessions.ts` inside `services/auth/` keeps them disambiguated.

- [ ] **Step 1: Write failing tests**

```ts
import { describe, it, expect, beforeEach } from 'vitest';
import { makeTestDb, createUserDirect } from '../../tests/dbHelper.js';
import { createAuthSession, validateAuthSession, invalidateAuthSession, invalidateAllForUser } from './sessions.js';

let env: ReturnType<typeof makeTestDb>;
beforeEach(() => { env = makeTestDb(); });

describe('auth sessions', () => {
  it('creates a session and validates it', async () => {
    const u = await createUserDirect(env.db, { email: 'a@example.com' });
    const s = await createAuthSession(env.db, u.id, { userAgent: 'jest', ip: '127.0.0.1' });
    const v = await validateAuthSession(env.db, s.id);
    expect(v?.userId).toBe(u.id);
  });

  it('rejects an unknown session id', async () => {
    expect(await validateAuthSession(env.db, 'nope')).toBeNull();
  });

  it('rejects an expired session', async () => {
    const u = await createUserDirect(env.db, { email: 'b@example.com' });
    const s = await createAuthSession(env.db, u.id, { ttlSeconds: -1 });
    expect(await validateAuthSession(env.db, s.id)).toBeNull();
  });

  it('invalidates one session', async () => {
    const u = await createUserDirect(env.db, { email: 'c@example.com' });
    const s = await createAuthSession(env.db, u.id);
    await invalidateAuthSession(env.db, s.id);
    expect(await validateAuthSession(env.db, s.id)).toBeNull();
  });

  it('invalidates all sessions for a user', async () => {
    const u = await createUserDirect(env.db, { email: 'd@example.com' });
    const a = await createAuthSession(env.db, u.id);
    const b = await createAuthSession(env.db, u.id);
    await invalidateAllForUser(env.db, u.id);
    expect(await validateAuthSession(env.db, a.id)).toBeNull();
    expect(await validateAuthSession(env.db, b.id)).toBeNull();
  });

  it('supports excluding one session when invalidating (for change-password keep-current)', async () => {
    const u = await createUserDirect(env.db, { email: 'e@example.com' });
    const a = await createAuthSession(env.db, u.id);
    const b = await createAuthSession(env.db, u.id);
    await invalidateAllForUser(env.db, u.id, { except: b.id });
    expect(await validateAuthSession(env.db, a.id)).toBeNull();
    expect(await validateAuthSession(env.db, b.id)?.then?.((v) => v?.userId)).resolves !== undefined; // structural; assertion below
    const v = await validateAuthSession(env.db, b.id);
    expect(v?.userId).toBe(u.id);
  });
});
```

- [ ] **Step 2: Run — fail**

```bash
npm -w @flashcard/backend test
```

- [ ] **Step 3: Implement `sessions.ts`**

```ts
import { randomBytes } from 'node:crypto';
import { and, eq, ne, sql } from 'drizzle-orm';
import type { Db } from '../../db/client.js';
import { sessionsAuth } from '../../db/schema.js';

const DEFAULT_TTL = 30 * 24 * 60 * 60;          // 30 days
const REFRESH_THRESHOLD = 24 * 60 * 60;         // refresh expires_at when within 1 day of expiry

function nowSec() { return Math.floor(Date.now() / 1000); }
function genId(): string { return randomBytes(32).toString('hex'); }

export interface CreatedSession {
  id: string;
  expiresAt: number;
}

export async function createAuthSession(
  db: Db,
  userId: number,
  opts: { ttlSeconds?: number; userAgent?: string; ip?: string } = {}
): Promise<CreatedSession> {
  const id = genId();
  const ttl = opts.ttlSeconds ?? DEFAULT_TTL;
  const expiresAt = nowSec() + ttl;
  db.insert(sessionsAuth).values({
    id, userId, expiresAt, lastUsedAt: nowSec(),
    userAgent: opts.userAgent ?? null, ip: opts.ip ?? null,
  }).run();
  return { id, expiresAt };
}

export async function validateAuthSession(
  db: Db,
  id: string
): Promise<{ userId: number; expiresAt: number } | null> {
  const row = db.select().from(sessionsAuth).where(eq(sessionsAuth.id, id)).get();
  if (!row) return null;
  const now = nowSec();
  if (row.expiresAt <= now) return null;
  // rolling refresh
  if (row.expiresAt - now < REFRESH_THRESHOLD) {
    db.update(sessionsAuth)
      .set({ expiresAt: now + DEFAULT_TTL, lastUsedAt: now })
      .where(eq(sessionsAuth.id, id))
      .run();
  } else {
    db.update(sessionsAuth).set({ lastUsedAt: now }).where(eq(sessionsAuth.id, id)).run();
  }
  return { userId: row.userId, expiresAt: row.expiresAt };
}

export async function invalidateAuthSession(db: Db, id: string): Promise<void> {
  db.delete(sessionsAuth).where(eq(sessionsAuth.id, id)).run();
}

export async function invalidateAllForUser(
  db: Db,
  userId: number,
  opts: { except?: string } = {}
): Promise<void> {
  if (opts.except) {
    db.delete(sessionsAuth).where(and(eq(sessionsAuth.userId, userId), ne(sessionsAuth.id, opts.except))).run();
  } else {
    db.delete(sessionsAuth).where(eq(sessionsAuth.userId, userId)).run();
  }
}

export async function purgeExpiredSessions(db: Db): Promise<void> {
  const now = nowSec();
  db.delete(sessionsAuth).where(sql`${sessionsAuth.expiresAt} <= ${now}`).run();
}
```

- [ ] **Step 4: Run — pass**

```bash
npm -w @flashcard/backend test
```

Expected: 6 session tests pass.

- [ ] **Step 5: Commit**

```bash
git add packages/backend/src/services/auth/sessions.ts packages/backend/src/services/auth/sessions.test.ts
git -c commit.gpgsign=false commit -m "feat(auth): server-side auth sessions with rolling expiry"
```

---

## Task 6: Email service + templates

**Files:**
- Create: `packages/backend/src/services/auth/templates.ts`
- Create: `packages/backend/src/services/auth/email.ts`

- [ ] **Step 1: Install nodemailer**

```bash
npm i -w @flashcard/backend nodemailer
npm i -D -w @flashcard/backend @types/nodemailer
```

- [ ] **Step 2: Create `templates.ts`**

```ts
function layout(title: string, body: string): { html: string; text: string } {
  const html = `<!doctype html>
<html><body style="font-family: -apple-system, Segoe UI, sans-serif; background:#FAF5FF; padding:24px;">
  <div style="max-width:520px; margin:0 auto; background:white; border-radius:24px; padding:32px; box-shadow:0 8px 32px rgba(124,58,237,0.12);">
    <h1 style="margin:0 0 16px; font-size:22px; color:#6D28D9;">${title}</h1>
    ${body}
    <hr style="border:none; border-top:1px solid #EFE7FC; margin:24px 0;" />
    <p style="font-size:12px; color:#94A3B8;">Flashcard — leer slimmer met spaced repetition</p>
  </div>
</body></html>`;
  return { html, text: stripHtml(body) };
}

function stripHtml(s: string): string {
  return s.replace(/<[^>]+>/g, ' ').replace(/\s+/g, ' ').trim();
}

export function verifyEmailTemplate(appUrl: string, token: string, displayName: string) {
  const link = `${appUrl}/verify-email?token=${encodeURIComponent(token)}`;
  return {
    subject: 'Bevestig je e-mailadres',
    ...layout('Welkom bij Flashcard 👋', `
      <p>Hi ${escapeHtml(displayName)},</p>
      <p>Klik op de knop hieronder om je e-mailadres te bevestigen. De link is 24 uur geldig.</p>
      <p style="margin:24px 0;"><a href="${link}" style="background:#7C3AED; color:white; padding:12px 20px; border-radius:14px; text-decoration:none; font-weight:600;">Bevestig e-mail</a></p>
      <p style="font-size:13px; color:#64748B;">Werkt de knop niet? Kopieer deze link in je browser:<br/><span style="word-break:break-all;">${link}</span></p>
    `),
  };
}

export function passwordResetTemplate(appUrl: string, token: string, displayName: string) {
  const link = `${appUrl}/reset-password?token=${encodeURIComponent(token)}`;
  return {
    subject: 'Reset je wachtwoord',
    ...layout('Wachtwoord resetten', `
      <p>Hi ${escapeHtml(displayName)},</p>
      <p>Iemand vroeg een wachtwoord-reset aan voor je account. Was jij dat niet? Negeer dan deze e-mail.</p>
      <p>De link is 1 uur geldig.</p>
      <p style="margin:24px 0;"><a href="${link}" style="background:#7C3AED; color:white; padding:12px 20px; border-radius:14px; text-decoration:none; font-weight:600;">Reset wachtwoord</a></p>
      <p style="font-size:13px; color:#64748B; word-break:break-all;">${link}</p>
    `),
  };
}

export function inviteTemplate(appUrl: string, token: string, inviterName: string) {
  const link = `${appUrl}/accept-invite?token=${encodeURIComponent(token)}`;
  return {
    subject: 'Je bent uitgenodigd voor Flashcard',
    ...layout('Je bent uitgenodigd ✨', `
      <p>${escapeHtml(inviterName)} heeft je uitgenodigd voor Flashcard.</p>
      <p>Maak je account aan via onderstaande knop. De link is 24 uur geldig.</p>
      <p style="margin:24px 0;"><a href="${link}" style="background:#7C3AED; color:white; padding:12px 20px; border-radius:14px; text-decoration:none; font-weight:600;">Account aanmaken</a></p>
      <p style="font-size:13px; color:#64748B; word-break:break-all;">${link}</p>
    `),
  };
}

export function changeEmailTemplate(appUrl: string, token: string, displayName: string, newEmail: string) {
  const link = `${appUrl}/verify-email?token=${encodeURIComponent(token)}`;
  return {
    subject: 'Bevestig je nieuwe e-mailadres',
    ...layout('Nieuw e-mailadres bevestigen', `
      <p>Hi ${escapeHtml(displayName)},</p>
      <p>Bevestig <strong>${escapeHtml(newEmail)}</strong> als je nieuwe e-mailadres.</p>
      <p style="margin:24px 0;"><a href="${link}" style="background:#7C3AED; color:white; padding:12px 20px; border-radius:14px; text-decoration:none; font-weight:600;">Bevestig adres</a></p>
      <p style="font-size:13px; color:#64748B; word-break:break-all;">${link}</p>
    `),
  };
}

function escapeHtml(s: string): string {
  return s.replace(/[&<>"']/g, (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]!));
}
```

- [ ] **Step 3: Create `email.ts`**

```ts
import nodemailer, { type Transporter } from 'nodemailer';

export interface Mailer {
  send(to: string, msg: { subject: string; html: string; text: string }): Promise<void>;
}

class SmtpMailer implements Mailer {
  constructor(private transporter: Transporter, private from: string) {}
  async send(to: string, msg: { subject: string; html: string; text: string }): Promise<void> {
    await this.transporter.sendMail({ from: this.from, to, ...msg });
  }
}

class StubMailer implements Mailer {
  async send(to: string, msg: { subject: string; html: string; text: string }): Promise<void> {
    console.log('\n=== EMAIL (stub) ===');
    console.log(`TO: ${to}`);
    console.log(`SUBJECT: ${msg.subject}`);
    console.log('---');
    console.log(msg.text);
    console.log('====================\n');
  }
}

let cached: Mailer | null = null;

export function getMailer(): Mailer {
  if (cached) return cached;
  const host = process.env.SMTP_HOST;
  const from = process.env.SMTP_FROM ?? 'Flashcard <noreply@example.com>';
  if (!host) {
    cached = new StubMailer();
    return cached;
  }
  const transporter = nodemailer.createTransport({
    host,
    port: Number(process.env.SMTP_PORT ?? 587),
    secure: process.env.SMTP_SECURE === 'true',
    auth: process.env.SMTP_USER ? { user: process.env.SMTP_USER, pass: process.env.SMTP_PASS ?? '' } : undefined,
  });
  cached = new SmtpMailer(transporter, from);
  return cached;
}

export function setMailerForTests(m: Mailer | null): void {
  cached = m;
}
```

- [ ] **Step 4: Typecheck and commit**

```bash
npm -w @flashcard/backend run typecheck
git add packages/backend/package.json package-lock.json packages/backend/src/services/auth/templates.ts packages/backend/src/services/auth/email.ts
git -c commit.gpgsign=false commit -m "feat(auth): email service with stub fallback + html templates"
```

---

## Task 7: Cookies & CSRF middleware

**Files:**
- Create: `packages/backend/src/lib/cookies.ts`
- Create: `packages/backend/src/middleware/csrf.ts`

- [ ] **Step 1: Install cookie-parser**

```bash
npm i -w @flashcard/backend cookie-parser
npm i -D -w @flashcard/backend @types/cookie-parser
```

- [ ] **Step 2: Create `lib/cookies.ts`**

```ts
import type { CookieOptions } from 'express';

export const SID_COOKIE = 'flashcard_sid';
export const CSRF_COOKIE = 'flashcard_csrf';
export const CSRF_HEADER = 'x-csrf-token';

export function sidCookieOptions(expiresAtSec: number): CookieOptions {
  return {
    httpOnly: true,
    sameSite: 'lax',
    secure: process.env.COOKIE_SECURE === 'true',
    path: '/',
    expires: new Date(expiresAtSec * 1000),
  };
}

export function csrfCookieOptions(expiresAtSec: number): CookieOptions {
  return {
    httpOnly: false,
    sameSite: 'lax',
    secure: process.env.COOKIE_SECURE === 'true',
    path: '/',
    expires: new Date(expiresAtSec * 1000),
  };
}

export function clearCookieOptions(): CookieOptions {
  return {
    httpOnly: true,
    sameSite: 'lax',
    secure: process.env.COOKIE_SECURE === 'true',
    path: '/',
  };
}
```

- [ ] **Step 3: Create `middleware/csrf.ts`**

```ts
import { randomBytes } from 'node:crypto';
import type { Request, Response, NextFunction } from 'express';
import { CSRF_COOKIE, CSRF_HEADER, csrfCookieOptions } from '../lib/cookies.js';
import { ApiError } from '../lib/errors.js';

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

export function ensureCsrfToken(req: Request, res: Response, next: NextFunction): void {
  if (!req.cookies?.[CSRF_COOKIE]) {
    const token = randomBytes(24).toString('base64url');
    const expires = Math.floor(Date.now() / 1000) + 30 * 24 * 60 * 60;
    res.cookie(CSRF_COOKIE, token, csrfCookieOptions(expires));
  }
  next();
}

export function verifyCsrf(req: Request, _res: Response, next: NextFunction): void {
  if (SAFE_METHODS.has(req.method)) return next();
  const cookieToken = req.cookies?.[CSRF_COOKIE];
  const headerToken = req.headers[CSRF_HEADER];
  if (!cookieToken || !headerToken || cookieToken !== headerToken) {
    return next(new ApiError(403, 'CSRF_MISMATCH', 'CSRF token mismatch'));
  }
  next();
}
```

- [ ] **Step 4: Typecheck and commit**

```bash
npm -w @flashcard/backend run typecheck
git add packages/backend/package.json package-lock.json packages/backend/src/lib/cookies.ts packages/backend/src/middleware/
git -c commit.gpgsign=false commit -m "feat(auth): cookies helpers and CSRF middleware"
```

---

## Task 8: Rate limit middleware

**Files:**
- Create: `packages/backend/src/middleware/rate-limit.ts`

- [ ] **Step 1: Install express-rate-limit**

```bash
npm i -w @flashcard/backend express-rate-limit
```

- [ ] **Step 2: Create `rate-limit.ts`**

```ts
import rateLimit from 'express-rate-limit';

const fifteenMin = 15 * 60 * 1000;

function makeLimiter(max: number, codeMessage = 'Too many attempts, please try again later') {
  return rateLimit({
    windowMs: fifteenMin,
    limit: max,
    standardHeaders: 'draft-7',
    legacyHeaders: false,
    skip: () => process.env.NODE_ENV === 'test',
    handler: (_req, res) => {
      res.status(429).json({ error: { code: 'RATE_LIMITED', message: codeMessage } });
    },
  });
}

export const loginLimiter = makeLimiter(10);
export const registerLimiter = makeLimiter(5);
export const forgotPasswordLimiter = makeLimiter(5);
export const tokenLimiter = makeLimiter(20);
```

- [ ] **Step 3: Commit**

```bash
git add packages/backend/package.json package-lock.json packages/backend/src/middleware/rate-limit.ts
git -c commit.gpgsign=false commit -m "feat(auth): named rate limiters (skip in tests)"
```

---

## Task 9: Auth middleware

**Files:**
- Create: `packages/backend/src/middleware/auth.ts`

- [ ] **Step 1: Create `auth.ts`**

```ts
import type { Request, Response, NextFunction } from 'express';
import { eq } from 'drizzle-orm';
import type { Db } from '../db/client.js';
import { users } from '../db/schema.js';
import { validateAuthSession } from '../services/auth/sessions.js';
import { ApiError } from '../lib/errors.js';
import { SID_COOKIE } from '../lib/cookies.js';
import type { Role, User } from '@flashcard/shared';

declare module 'express-serve-static-core' {
  interface Request {
    user?: User;
    sessionId?: string;
  }
}

function rowToUser(r: typeof users.$inferSelect): User {
  return {
    id: r.id,
    email: r.email,
    displayName: r.displayName,
    role: r.role,
    isActive: r.isActive,
    emailVerifiedAt: r.emailVerifiedAt ?? null,
    pendingEmail: r.pendingEmail ?? null,
    createdAt: r.createdAt,
    updatedAt: r.updatedAt,
  };
}

export function currentUserOrNull(db: Db) {
  return async (req: Request, _res: Response, next: NextFunction) => {
    const sid = req.cookies?.[SID_COOKIE];
    if (!sid) return next();
    const session = await validateAuthSession(db, sid);
    if (!session) return next();
    const row = db.select().from(users).where(eq(users.id, session.userId)).get();
    if (!row || !row.isActive) return next();
    req.user = rowToUser(row);
    req.sessionId = sid;
    next();
  };
}

export function requireAuth(req: Request, _res: Response, next: NextFunction): void {
  if (!req.user) return next(new ApiError(401, 'UNAUTHENTICATED', 'Authentication required'));
  next();
}

export function requireRole(role: Role) {
  return (req: Request, _res: Response, next: NextFunction): void => {
    if (!req.user) return next(new ApiError(401, 'UNAUTHENTICATED', 'Authentication required'));
    if (req.user.role !== role) return next(new ApiError(403, 'FORBIDDEN', 'Insufficient role'));
    next();
  };
}
```

- [ ] **Step 2: Typecheck**

```bash
npm -w @flashcard/backend run typecheck
```

Expected: passes.

- [ ] **Step 3: Commit**

```bash
git add packages/backend/src/middleware/auth.ts
git -c commit.gpgsign=false commit -m "feat(auth): currentUser, requireAuth, requireRole middleware"
```

---

## Task 10: Auth routes — register, login, logout, me

**Files:**
- Create: `packages/backend/src/routes/auth.ts`
- Create: `packages/backend/src/tests/auth.integration.test.ts`
- Modify: `packages/backend/src/tests/dbHelper.ts` (add `makeTestApp`)

- [ ] **Step 1: Extend `tests/dbHelper.ts` with `makeTestApp` helper**

Append to `packages/backend/src/tests/dbHelper.ts`:

```ts
import type { Express } from 'express';
export interface TestApp {
  app: Express;
  db: Db;
  close: () => void;
}
```

(Actual `makeTestApp` is added once `createApp(db)` is wired in Task 14. For now, expose `makeTestDb` and `createUserDirect` only.)

- [ ] **Step 2: Write integration tests covering register → verify → login → me → logout**

Create `packages/backend/src/tests/auth.integration.test.ts`:

```ts
import { describe, it, expect, beforeEach } from 'vitest';
import request from 'supertest';
import { createApp } from '../app.js';
import { makeTestDb, createUserDirect } from './dbHelper.js';
import { setMailerForTests, type Mailer } from '../services/auth/email.js';

class CaptureMailer implements Mailer {
  sent: { to: string; subject: string; text: string; html: string }[] = [];
  async send(to: string, m: { subject: string; html: string; text: string }) {
    this.sent.push({ to, ...m });
  }
}

let env: ReturnType<typeof makeTestDb>;
let mailer: CaptureMailer;
let app: ReturnType<typeof createApp>;

beforeEach(() => {
  env = makeTestDb();
  mailer = new CaptureMailer();
  setMailerForTests(mailer);
  app = createApp(env.db);
});

function tokenFromMail(text: string): string {
  const m = text.match(/token=([^\s&"]+)/);
  if (!m) throw new Error('no token in mail');
  return decodeURIComponent(m[1]!);
}

describe('auth: register → verify → login → me → logout', () => {
  it('registers, blocks unverified login, verifies, logs in, returns me, logs out', async () => {
    // 1. Register
    const reg = await request(app).post('/api/auth/register').send({
      email: 'alice@example.com', displayName: 'Alice', password: 'secretpass',
    });
    expect(reg.status).toBe(201);
    expect(mailer.sent).toHaveLength(1);
    const verifyToken = tokenFromMail(mailer.sent[0]!.text);

    // 2. Login unverified -> 403
    const bad = await request(app).post('/api/auth/login').send({ email: 'alice@example.com', password: 'secretpass' });
    expect(bad.status).toBe(403);
    expect(bad.body.error.code).toBe('EMAIL_NOT_VERIFIED');

    // 3. Verify
    const ver = await request(app).post('/api/auth/verify-email').send({ token: verifyToken });
    expect(ver.status).toBe(200);

    // 4. Login -> 200 + cookies
    const ok = await request(app).post('/api/auth/login').send({ email: 'alice@example.com', password: 'secretpass' });
    expect(ok.status).toBe(200);
    const cookies = ok.headers['set-cookie'] as unknown as string[];
    expect(cookies.find((c) => c.startsWith('flashcard_sid='))).toBeDefined();
    expect(cookies.find((c) => c.startsWith('flashcard_csrf='))).toBeDefined();

    // 5. /me works
    const me = await request(app).get('/api/auth/me').set('Cookie', cookies);
    expect(me.status).toBe(200);
    expect(me.body.email).toBe('alice@example.com');

    // 6. Logout
    const logout = await request(app).post('/api/auth/logout').set('Cookie', cookies)
      .set('x-csrf-token', extractCookieValue(cookies, 'flashcard_csrf'));
    expect(logout.status).toBe(204);

    // 7. /me unauth after logout
    const me2 = await request(app).get('/api/auth/me').set('Cookie', cookies);
    expect(me2.status).toBe(401);
  });

  it('marks first registered user as sysadmin', async () => {
    const r = await request(app).post('/api/auth/register').send({
      email: 'first@example.com', displayName: 'First', password: 'secretpass',
    });
    expect(r.status).toBe(201);
    const token = tokenFromMail(mailer.sent[0]!.text);
    await request(app).post('/api/auth/verify-email').send({ token });

    const login = await request(app).post('/api/auth/login').send({ email: 'first@example.com', password: 'secretpass' });
    const cookies = login.headers['set-cookie'] as unknown as string[];
    const me = await request(app).get('/api/auth/me').set('Cookie', cookies);
    expect(me.body.role).toBe('sysadmin');
  });

  it('rejects duplicate email', async () => {
    await request(app).post('/api/auth/register').send({ email: 'a@example.com', displayName: 'A', password: 'secretpass' });
    const dup = await request(app).post('/api/auth/register').send({ email: 'A@example.com', displayName: 'A2', password: 'secretpass' });
    expect(dup.status).toBe(409);
    expect(dup.body.error.code).toBe('EMAIL_TAKEN');
  });
});

function extractCookieValue(cookies: string[], name: string): string {
  for (const c of cookies) {
    if (c.startsWith(`${name}=`)) {
      const v = c.split(';')[0]!.slice(name.length + 1);
      return decodeURIComponent(v);
    }
  }
  throw new Error(`cookie ${name} not found`);
}
```

- [ ] **Step 3: Run — tests fail (routes not implemented)**

```bash
npm -w @flashcard/backend test
```

Expected: tests fail.

- [ ] **Step 4: Implement `routes/auth.ts` (first slice — register/verify/login/logout/me)**

```ts
import { Router } from 'express';
import { eq, sql } from 'drizzle-orm';
import {
  registerSchema, loginSchema, verifyEmailSchema, resendVerificationSchema,
  forgotPasswordSchema, resetPasswordSchema, profileUpdateSchema, changePasswordSchema,
  acceptInviteSchema, type PublicUser,
} from '@flashcard/shared';
import type { Db } from '../db/client.js';
import { users } from '../db/schema.js';
import { hashPassword, verifyPassword } from '../services/auth/passwords.js';
import { createAuthToken, consumeAuthToken, invalidateTokensForUser } from '../services/auth/tokens.js';
import { createAuthSession, invalidateAuthSession, invalidateAllForUser } from '../services/auth/sessions.js';
import { getMailer } from '../services/auth/email.js';
import {
  verifyEmailTemplate, passwordResetTemplate, inviteTemplate, changeEmailTemplate,
} from '../services/auth/templates.js';
import { SID_COOKIE, CSRF_COOKIE, sidCookieOptions, csrfCookieOptions, clearCookieOptions } from '../lib/cookies.js';
import { ApiError } from '../lib/errors.js';
import { requireAuth } from '../middleware/auth.js';
import { loginLimiter, registerLimiter, forgotPasswordLimiter, tokenLimiter } from '../middleware/rate-limit.js';
import { randomBytes } from 'node:crypto';

const VERIFY_TTL = 24 * 60 * 60;
const INVITE_TTL = 24 * 60 * 60;
const RESET_TTL = 60 * 60;
const CHANGE_EMAIL_TTL = 24 * 60 * 60;

function nowSec() { return Math.floor(Date.now() / 1000); }
function appUrl() { return process.env.APP_URL ?? 'http://localhost:5173'; }

function toPublicUser(r: typeof users.$inferSelect): PublicUser {
  return { id: r.id, email: r.email, displayName: r.displayName, role: r.role };
}

export function authRouter(db: Db): Router {
  const r = Router();

  r.get('/me', (req, res) => {
    if (!req.user) {
      res.status(401).json({ error: { code: 'UNAUTHENTICATED', message: 'Not signed in' } });
      return;
    }
    res.json(req.user);
  });

  r.post('/register', registerLimiter, async (req, res, next) => {
    try {
      const input = registerSchema.parse(req.body);
      const existing = db.select().from(users).where(eq(users.email, input.email)).get();
      if (existing) throw new ApiError(409, 'EMAIL_TAKEN', 'Email already in use');

      const totalUsers = db.select({ c: sql<number>`count(*)`.as('c') }).from(users).get()?.c ?? 0;
      const role: 'user' | 'sysadmin' = Number(totalUsers) === 0 ? 'sysadmin' : 'user';
      const passwordHash = await hashPassword(input.password);
      const [user] = db.insert(users).values({
        email: input.email,
        displayName: input.displayName,
        passwordHash,
        role,
      }).returning().all();

      const { plaintext } = await createAuthToken(db, user!.id, 'verify_email', VERIFY_TTL);
      const tpl = verifyEmailTemplate(appUrl(), plaintext, user!.displayName);
      await getMailer().send(user!.email, tpl);

      res.status(201).json({ id: user!.id, email: user!.email, displayName: user!.displayName, role: user!.role });
    } catch (e) { next(e); }
  });

  r.post('/verify-email', tokenLimiter, async (req, res, next) => {
    try {
      const { token } = verifyEmailSchema.parse(req.body);
      // Try verify_email first; if not found, try change_email
      let consumed = await consumeAuthToken(db, token, 'verify_email');
      let purpose: 'verify_email' | 'change_email' = 'verify_email';
      if (!consumed) {
        consumed = await consumeAuthToken(db, token, 'change_email');
        purpose = 'change_email';
      }
      if (!consumed) throw new ApiError(400, 'INVALID_TOKEN', 'Invalid or expired token');

      if (purpose === 'verify_email') {
        db.update(users).set({ emailVerifiedAt: nowSec(), updatedAt: nowSec() })
          .where(eq(users.id, consumed.userId)).run();
      } else {
        const newEmail = consumed.payload;
        if (!newEmail) throw new ApiError(400, 'INVALID_TOKEN', 'Invalid token payload');
        const taken = db.select().from(users).where(eq(users.email, newEmail)).get();
        if (taken && taken.id !== consumed.userId) {
          throw new ApiError(409, 'EMAIL_TAKEN', 'Email already in use');
        }
        db.update(users).set({ email: newEmail, pendingEmail: null, updatedAt: nowSec() })
          .where(eq(users.id, consumed.userId)).run();
      }
      res.status(200).json({ ok: true });
    } catch (e) { next(e); }
  });

  r.post('/resend-verification', tokenLimiter, async (req, res, next) => {
    try {
      const { email } = resendVerificationSchema.parse(req.body);
      const u = db.select().from(users).where(eq(users.email, email)).get();
      // Generic 200 response (no enumeration)
      if (u && !u.emailVerifiedAt && u.isActive) {
        await invalidateTokensForUser(db, u.id, 'verify_email');
        const { plaintext } = await createAuthToken(db, u.id, 'verify_email', VERIFY_TTL);
        const tpl = verifyEmailTemplate(appUrl(), plaintext, u.displayName);
        await getMailer().send(u.email, tpl);
      }
      res.status(200).json({ ok: true });
    } catch (e) { next(e); }
  });

  r.post('/login', loginLimiter, async (req, res, next) => {
    try {
      const input = loginSchema.parse(req.body);
      const u = db.select().from(users).where(eq(users.email, input.email)).get();
      if (!u || !u.passwordHash || !(await verifyPassword(input.password, u.passwordHash))) {
        throw new ApiError(401, 'INVALID_CREDENTIALS', 'Invalid email or password');
      }
      if (!u.isActive) throw new ApiError(403, 'ACCOUNT_DISABLED', 'Account is disabled');
      if (!u.emailVerifiedAt) throw new ApiError(403, 'EMAIL_NOT_VERIFIED', 'Email not verified');

      const s = await createAuthSession(db, u.id, {
        userAgent: req.headers['user-agent'] ?? null,
        ip: req.ip ?? null,
      });
      const csrf = randomBytes(24).toString('base64url');
      res.cookie(SID_COOKIE, s.id, sidCookieOptions(s.expiresAt));
      res.cookie(CSRF_COOKIE, csrf, csrfCookieOptions(s.expiresAt));
      res.json(toPublicUser(u));
    } catch (e) { next(e); }
  });

  r.post('/logout', requireAuth, async (req, res, next) => {
    try {
      if (req.sessionId) await invalidateAuthSession(db, req.sessionId);
      res.clearCookie(SID_COOKIE, clearCookieOptions());
      res.clearCookie(CSRF_COOKIE, { ...clearCookieOptions(), httpOnly: false });
      res.status(204).end();
    } catch (e) { next(e); }
  });

  r.post('/forgot-password', forgotPasswordLimiter, async (req, res, next) => {
    try {
      const { email } = forgotPasswordSchema.parse(req.body);
      const u = db.select().from(users).where(eq(users.email, email)).get();
      if (u && u.isActive && u.emailVerifiedAt) {
        await invalidateTokensForUser(db, u.id, 'password_reset');
        const { plaintext } = await createAuthToken(db, u.id, 'password_reset', RESET_TTL);
        const tpl = passwordResetTemplate(appUrl(), plaintext, u.displayName);
        await getMailer().send(u.email, tpl);
      }
      res.status(200).json({ ok: true });
    } catch (e) { next(e); }
  });

  r.post('/reset-password', tokenLimiter, async (req, res, next) => {
    try {
      const { token, password } = resetPasswordSchema.parse(req.body);
      const consumed = await consumeAuthToken(db, token, 'password_reset');
      if (!consumed) throw new ApiError(400, 'INVALID_TOKEN', 'Invalid or expired token');
      const passwordHash = await hashPassword(password);
      db.update(users).set({ passwordHash, updatedAt: nowSec() })
        .where(eq(users.id, consumed.userId)).run();
      await invalidateAllForUser(db, consumed.userId);
      res.status(200).json({ ok: true });
    } catch (e) { next(e); }
  });

  r.post('/accept-invite', tokenLimiter, async (req, res, next) => {
    try {
      const input = acceptInviteSchema.parse(req.body);
      const consumed = await consumeAuthToken(db, input.token, 'invite');
      if (!consumed) throw new ApiError(400, 'INVALID_TOKEN', 'Invalid or expired token');
      const passwordHash = await hashPassword(input.password);
      const [updated] = db.update(users).set({
        passwordHash, displayName: input.displayName,
        emailVerifiedAt: nowSec(), updatedAt: nowSec(),
      }).where(eq(users.id, consumed.userId)).returning().all();
      if (!updated) throw new ApiError(400, 'INVALID_TOKEN', 'Invalid invitation');
      const s = await createAuthSession(db, updated.id, {
        userAgent: req.headers['user-agent'] ?? null, ip: req.ip ?? null,
      });
      const csrf = randomBytes(24).toString('base64url');
      res.cookie(SID_COOKIE, s.id, sidCookieOptions(s.expiresAt));
      res.cookie(CSRF_COOKIE, csrf, csrfCookieOptions(s.expiresAt));
      res.status(200).json(toPublicUser(updated));
    } catch (e) { next(e); }
  });

  r.patch('/profile', requireAuth, async (req, res, next) => {
    try {
      const input = profileUpdateSchema.parse(req.body);
      const user = req.user!;
      const updates: Record<string, unknown> = { updatedAt: nowSec() };
      if (input.displayName !== undefined) updates.displayName = input.displayName;
      let sendEmailChange: string | null = null;
      if (input.email !== undefined && input.email !== user.email) {
        const taken = db.select().from(users).where(eq(users.email, input.email)).get();
        if (taken) throw new ApiError(409, 'EMAIL_TAKEN', 'Email already in use');
        updates.pendingEmail = input.email;
        sendEmailChange = input.email;
      }
      const [updated] = db.update(users).set(updates).where(eq(users.id, user.id)).returning().all();
      if (sendEmailChange && updated) {
        const { plaintext } = await createAuthToken(db, updated.id, 'change_email', CHANGE_EMAIL_TTL, sendEmailChange);
        const tpl = changeEmailTemplate(appUrl(), plaintext, updated.displayName, sendEmailChange);
        await getMailer().send(sendEmailChange, tpl);
      }
      res.json(toPublicUser(updated!));
    } catch (e) { next(e); }
  });

  r.post('/change-password', requireAuth, async (req, res, next) => {
    try {
      const input = changePasswordSchema.parse(req.body);
      const user = req.user!;
      const row = db.select().from(users).where(eq(users.id, user.id)).get();
      if (!row?.passwordHash || !(await verifyPassword(input.currentPassword, row.passwordHash))) {
        throw new ApiError(401, 'INVALID_CREDENTIALS', 'Current password is incorrect');
      }
      const passwordHash = await hashPassword(input.newPassword);
      db.update(users).set({ passwordHash, updatedAt: nowSec() }).where(eq(users.id, user.id)).run();
      if (req.sessionId) await invalidateAllForUser(db, user.id, { except: req.sessionId });
      res.status(204).end();
    } catch (e) { next(e); }
  });

  return r;
}
```

- [ ] **Step 5: Install supertest if not already**

```bash
# Already installed per Task 3 backend bootstrap (supertest is in devDeps).
# Verify:
node -p "require('./packages/backend/node_modules/supertest/package.json').version" || npm i -D -w @flashcard/backend supertest @types/supertest
```

- [ ] **Step 6: Stop here — full integration test runs after app wiring (Task 14)**

Don't run the integration test yet. It needs `createApp` to mount the new router. We'll un-skip it after Task 14.

For now, just typecheck:

```bash
npm -w @flashcard/backend run typecheck
```

Expected: passes.

- [ ] **Step 7: Commit**

```bash
git add packages/backend/src/routes/auth.ts packages/backend/src/tests/auth.integration.test.ts packages/backend/src/tests/dbHelper.ts
git -c commit.gpgsign=false commit -m "feat(auth): /api/auth routes (register, verify, login, logout, me, forgot, reset, profile, change-password, accept-invite)"
```

---

## Task 11: Users service & admin routes

**Files:**
- Create: `packages/backend/src/services/users.ts`
- Create: `packages/backend/src/routes/admin-users.ts`
- Create: `packages/backend/src/tests/admin-users.integration.test.ts`

- [ ] **Step 1: Implement `services/users.ts`**

```ts
import { and, asc, desc, eq, like, ne, or, sql } from 'drizzle-orm';
import type { Db } from '../db/client.js';
import { users } from '../db/schema.js';
import type { Role, User } from '@flashcard/shared';
import { ApiError } from '../lib/errors.js';

function rowToUser(r: typeof users.$inferSelect): User {
  return {
    id: r.id, email: r.email, displayName: r.displayName, role: r.role,
    isActive: r.isActive, emailVerifiedAt: r.emailVerifiedAt ?? null,
    pendingEmail: r.pendingEmail ?? null, createdAt: r.createdAt, updatedAt: r.updatedAt,
  };
}

export interface ListUsersParams { q?: string; role?: Role; active?: boolean; limit?: number; offset?: number; }
export interface ListUsersResult { rows: User[]; total: number; }

export async function listUsers(db: Db, p: ListUsersParams = {}): Promise<ListUsersResult> {
  const conditions = [] as ReturnType<typeof eq>[];
  if (p.q && p.q.trim() !== '') {
    const q = `%${p.q.toLowerCase()}%`;
    conditions.push(or(like(sql`lower(${users.email})`, q), like(sql`lower(${users.displayName})`, q))!);
  }
  if (p.role) conditions.push(eq(users.role, p.role));
  if (p.active !== undefined) conditions.push(eq(users.isActive, p.active));
  const where = conditions.length ? and(...conditions) : undefined;
  const limit = Math.min(200, p.limit ?? 50);
  const offset = Math.max(0, p.offset ?? 0);

  const rows = db.select().from(users)
    .where(where as any)
    .orderBy(asc(users.email))
    .limit(limit).offset(offset).all();
  const totalRow = db.select({ c: sql<number>`count(*)`.as('c') }).from(users).where(where as any).get();
  return { rows: rows.map(rowToUser), total: Number(totalRow?.c ?? 0) };
}

export async function adminUpdateUser(
  db: Db,
  actorId: number,
  id: number,
  updates: { displayName?: string; role?: Role; isActive?: boolean }
): Promise<User> {
  const target = db.select().from(users).where(eq(users.id, id)).get();
  if (!target) throw ApiError.notFound('User');

  // Last-sysadmin guard
  if (target.id === actorId && (updates.isActive === false || updates.role === 'user')) {
    const otherActiveSysadmins = db.select({ c: sql<number>`count(*)`.as('c') })
      .from(users)
      .where(and(eq(users.role, 'sysadmin'), eq(users.isActive, true), ne(users.id, actorId)))
      .get()?.c ?? 0;
    if (Number(otherActiveSysadmins) === 0) {
      throw new ApiError(409, 'LAST_SYSADMIN', 'Cannot demote or disable the last active sysadmin');
    }
  }

  const [row] = db.update(users).set({
    ...(updates.displayName !== undefined && { displayName: updates.displayName }),
    ...(updates.role !== undefined && { role: updates.role }),
    ...(updates.isActive !== undefined && { isActive: updates.isActive }),
    updatedAt: Math.floor(Date.now() / 1000),
  }).where(eq(users.id, id)).returning().all();
  return rowToUser(row!);
}
```

- [ ] **Step 2: Implement `routes/admin-users.ts`**

```ts
import { Router } from 'express';
import { eq } from 'drizzle-orm';
import {
  adminUserUpdateSchema, inviteUserSchema,
} from '@flashcard/shared';
import type { Db } from '../db/client.js';
import { users } from '../db/schema.js';
import { listUsers, adminUpdateUser } from '../services/users.js';
import { createAuthToken, invalidateTokensForUser } from '../services/auth/tokens.js';
import { getMailer } from '../services/auth/email.js';
import { inviteTemplate, passwordResetTemplate } from '../services/auth/templates.js';
import { ApiError } from '../lib/errors.js';

const INVITE_TTL = 24 * 60 * 60;
const RESET_TTL = 60 * 60;
function appUrl() { return process.env.APP_URL ?? 'http://localhost:5173'; }
function nowSec() { return Math.floor(Date.now() / 1000); }

export function adminUsersRouter(db: Db): Router {
  const r = Router();

  r.get('/', async (req, res, next) => {
    try {
      const q = typeof req.query.q === 'string' ? req.query.q : undefined;
      const role = req.query.role === 'user' || req.query.role === 'sysadmin' ? req.query.role : undefined;
      const active = req.query.active === 'true' ? true : req.query.active === 'false' ? false : undefined;
      const limit = req.query.limit ? Number(req.query.limit) : undefined;
      const offset = req.query.offset ? Number(req.query.offset) : undefined;
      res.json(await listUsers(db, { q, role, active, limit, offset }));
    } catch (e) { next(e); }
  });

  r.post('/invite', async (req, res, next) => {
    try {
      const input = inviteUserSchema.parse(req.body);
      const existing = db.select().from(users).where(eq(users.email, input.email)).get();
      if (existing) throw new ApiError(409, 'EMAIL_TAKEN', 'Email already in use');
      const [u] = db.insert(users).values({
        email: input.email,
        displayName: input.email.split('@')[0]!,
        role: input.role,
        passwordHash: null,
        emailVerifiedAt: null,
        isActive: true,
      }).returning().all();
      const { plaintext } = await createAuthToken(db, u!.id, 'invite', INVITE_TTL);
      const inviter = req.user!;
      const tpl = inviteTemplate(appUrl(), plaintext, inviter.displayName);
      await getMailer().send(u!.email, tpl);
      res.status(201).json({ id: u!.id, email: u!.email, role: u!.role });
    } catch (e) { next(e); }
  });

  r.patch('/:id', async (req, res, next) => {
    try {
      const input = adminUserUpdateSchema.parse(req.body);
      const actor = req.user!;
      const updated = await adminUpdateUser(db, actor.id, Number(req.params.id), input);
      res.json(updated);
    } catch (e) { next(e); }
  });

  r.post('/:id/send-reset', async (req, res, next) => {
    try {
      const id = Number(req.params.id);
      const u = db.select().from(users).where(eq(users.id, id)).get();
      if (!u) throw ApiError.notFound('User');
      if (!u.emailVerifiedAt) {
        // resend invite instead
        await invalidateTokensForUser(db, u.id, 'invite');
        const { plaintext } = await createAuthToken(db, u.id, 'invite', INVITE_TTL);
        await getMailer().send(u.email, inviteTemplate(appUrl(), plaintext, req.user!.displayName));
      } else {
        await invalidateTokensForUser(db, u.id, 'password_reset');
        const { plaintext } = await createAuthToken(db, u.id, 'password_reset', RESET_TTL);
        await getMailer().send(u.email, passwordResetTemplate(appUrl(), plaintext, u.displayName));
      }
      res.status(204).end();
    } catch (e) { next(e); }
  });

  return r;
}
```

- [ ] **Step 3: Write integration tests**

Create `packages/backend/src/tests/admin-users.integration.test.ts`:

```ts
import { describe, it, expect, beforeEach } from 'vitest';
import request from 'supertest';
import { eq } from 'drizzle-orm';
import { createApp } from '../app.js';
import { users } from '../db/schema.js';
import { makeTestDb, createUserDirect } from './dbHelper.js';
import { hashPassword } from '../services/auth/passwords.js';
import { setMailerForTests, type Mailer } from '../services/auth/email.js';

class CaptureMailer implements Mailer {
  sent: { to: string; subject: string; text: string }[] = [];
  async send(to: string, m: { subject: string; html: string; text: string }) {
    this.sent.push({ to, subject: m.subject, text: m.text });
  }
}

async function loginAs(app: ReturnType<typeof createApp>, email: string, password = 'secretpass') {
  const r = await request(app).post('/api/auth/login').send({ email, password });
  if (r.status !== 200) throw new Error(`login failed: ${r.status} ${JSON.stringify(r.body)}`);
  const cookies = (r.headers['set-cookie'] as unknown as string[]);
  const csrf = cookies.find((c) => c.startsWith('flashcard_csrf='))!.split(';')[0]!.split('=')[1]!;
  return { cookies, csrf };
}

async function makeAdmin(env: ReturnType<typeof makeTestDb>, email: string) {
  return createUserDirect(env.db, {
    email, role: 'sysadmin', isActive: true,
    passwordHash: await hashPassword('secretpass'),
    emailVerifiedAt: Math.floor(Date.now() / 1000),
  });
}

let env: ReturnType<typeof makeTestDb>;
let mailer: CaptureMailer;
let app: ReturnType<typeof createApp>;

beforeEach(async () => {
  env = makeTestDb();
  mailer = new CaptureMailer();
  setMailerForTests(mailer);
  app = createApp(env.db);
});

describe('admin users', () => {
  it('invites a user, target accepts and can log in', async () => {
    await makeAdmin(env, 'admin@example.com');
    const { cookies, csrf } = await loginAs(app, 'admin@example.com');

    const inv = await request(app).post('/api/admin/users/invite')
      .set('Cookie', cookies).set('x-csrf-token', csrf)
      .send({ email: 'newbie@example.com', role: 'user' });
    expect(inv.status).toBe(201);
    expect(mailer.sent).toHaveLength(1);
    const link = mailer.sent[0]!.text;
    const token = decodeURIComponent(link.match(/token=([^\s&"]+)/)![1]!);

    const accept = await request(app).post('/api/auth/accept-invite')
      .send({ token, displayName: 'Newbie', password: 'anotherpass' });
    expect(accept.status).toBe(200);
    expect(accept.body.email).toBe('newbie@example.com');
  });

  it('lists users with filtering', async () => {
    await makeAdmin(env, 'admin@example.com');
    await createUserDirect(env.db, { email: 'a@example.com', role: 'user' });
    await createUserDirect(env.db, { email: 'b@example.com', role: 'user' });
    const { cookies } = await loginAs(app, 'admin@example.com');
    const list = await request(app).get('/api/admin/users?q=a').set('Cookie', cookies);
    expect(list.status).toBe(200);
    expect(list.body.rows.find((u: { email: string }) => u.email === 'a@example.com')).toBeTruthy();
  });

  it('blocks demoting the last sysadmin', async () => {
    const admin = await makeAdmin(env, 'admin@example.com');
    const { cookies, csrf } = await loginAs(app, 'admin@example.com');
    const r = await request(app).patch(`/api/admin/users/${admin.id}`)
      .set('Cookie', cookies).set('x-csrf-token', csrf)
      .send({ role: 'user' });
    expect(r.status).toBe(409);
    expect(r.body.error.code).toBe('LAST_SYSADMIN');
  });

  it('rejects non-admin access to admin routes', async () => {
    // Create a normal verified user
    await createUserDirect(env.db, {
      email: 'plain@example.com', role: 'user', isActive: true,
      passwordHash: await hashPassword('secretpass'),
      emailVerifiedAt: Math.floor(Date.now() / 1000),
    });
    const { cookies } = await loginAs(app, 'plain@example.com');
    const r = await request(app).get('/api/admin/users').set('Cookie', cookies);
    expect(r.status).toBe(403);
  });

  it('blocks unauthenticated access to admin routes', async () => {
    const r = await request(app).get('/api/admin/users');
    expect(r.status).toBe(401);
  });
});
```

- [ ] **Step 4: Typecheck**

```bash
npm -w @flashcard/backend run typecheck
```

- [ ] **Step 5: Commit**

```bash
git add packages/backend/src/services/users.ts packages/backend/src/routes/admin-users.ts packages/backend/src/tests/admin-users.integration.test.ts
git -c commit.gpgsign=false commit -m "feat(auth): admin user management service, routes, and integration tests"
```

---

## Task 12: Wire auth into app.ts + protect existing endpoints

**Files:**
- Modify: `packages/backend/src/app.ts`
- Modify: `packages/backend/src/index.ts`

- [ ] **Step 1: Rewrite `app.ts`**

Replace `packages/backend/src/app.ts` with:

```ts
import express, { type Express, type NextFunction, type Request, type Response } from 'express';
import cookieParser from 'cookie-parser';
import { existsSync } from 'node:fs';
import { resolve } from 'node:path';
import { ZodError } from 'zod';
import type { Db } from './db/client.js';
import { ApiError } from './lib/errors.js';
import { currentUserOrNull, requireAuth, requireRole } from './middleware/auth.js';
import { ensureCsrfToken, verifyCsrf } from './middleware/csrf.js';
import { authRouter } from './routes/auth.js';
import { adminUsersRouter } from './routes/admin-users.js';
import { lessonsRouter } from './routes/lessons.js';
import { cardsRouter } from './routes/cards.js';
import { sessionsRouter } from './routes/sessions.js';
import { statsRouter } from './routes/stats.js';

export function createApp(db: Db): Express {
  const app = express();
  app.set('trust proxy', 1);
  app.use(cookieParser());
  app.use(express.json({ limit: '5mb' }));
  app.use(ensureCsrfToken);
  app.use(currentUserOrNull(db));

  app.get('/api/health', (_req, res) => res.json({ ok: true }));

  // Public auth endpoints — verifyCsrf applied INSIDE the router for mutations that don't need it
  // (register/login/forgot/reset/verify/accept-invite/resend-verification are public mutations, so CSRF is not relevant).
  // However, /api/auth/logout, /api/auth/profile, /api/auth/change-password DO need CSRF.
  app.use('/api/auth', authRouter(db));

  // Protected app routes — auth + csrf on mutations
  app.use('/api/lessons', requireAuth, verifyCsrf, lessonsRouter(db));
  app.use('/api', requireAuth, verifyCsrf, cardsRouter(db));
  app.use('/api/sessions', requireAuth, verifyCsrf, sessionsRouter(db));
  app.use('/api/stats', requireAuth, statsRouter(db));   // GET only — no CSRF needed
  app.use('/api/admin/users', requireAuth, requireRole('sysadmin'), verifyCsrf, adminUsersRouter(db));

  // Static frontend in production
  const frontendDist = resolve(import.meta.dirname, '../../frontend/dist');
  if (existsSync(frontendDist)) {
    app.use(express.static(frontendDist));
    app.get('*', (_req, res) => res.sendFile(resolve(frontendDist, 'index.html')));
  }

  app.use((err: unknown, _req: Request, res: Response, _next: NextFunction) => {
    if (err instanceof ZodError) {
      res.status(400).json({ error: { code: 'VALIDATION_ERROR', message: 'Invalid input', details: err.flatten() } });
      return;
    }
    if (err instanceof ApiError) {
      res.status(err.status).json({ error: { code: err.code, message: err.message, details: err.details } });
      return;
    }
    console.error(err);
    res.status(500).json({ error: { code: 'INTERNAL', message: 'Internal server error' } });
  });

  return app;
}
```

Note: `verifyCsrf` is not applied to the entire `/api/auth` router because login/register/forgot/reset don't have a session yet — they bootstrap the cookie set. Mutations that DO have a session (logout, profile, change-password) get CSRF protection added inline in Task 13.

- [ ] **Step 2: Add CSRF to authenticated auth mutations**

Modify `packages/backend/src/routes/auth.ts` — wrap the three authenticated mutation routes with `verifyCsrf`:

```ts
import { verifyCsrf } from '../middleware/csrf.js';
// ...
r.post('/logout', requireAuth, verifyCsrf, async (req, res, next) => { /* unchanged */ });
r.patch('/profile', requireAuth, verifyCsrf, async (req, res, next) => { /* unchanged */ });
r.post('/change-password', requireAuth, verifyCsrf, async (req, res, next) => { /* unchanged */ });
```

(The other auth endpoints remain unprotected — they're public mutations.)

- [ ] **Step 3: Run all backend tests**

```bash
npm -w @flashcard/backend test
```

Expected: all auth + admin-users integration tests pass, plus existing unit tests. Existing lesson/card/session/stats tests do NOT go through HTTP, so they're unaffected by the new requireAuth middleware.

- [ ] **Step 4: Commit**

```bash
git add packages/backend/src/app.ts packages/backend/src/routes/auth.ts
git -c commit.gpgsign=false commit -m "feat(auth): wire auth middleware in app, protect all /api endpoints"
```

---

## Task 13: Dev tooling — docker-compose for Mailpit + .env.example + README

**Files:**
- Create: `docker-compose.yml`
- Create: `.env.example`
- Modify: `README.md`

- [ ] **Step 1: Create `docker-compose.yml`**

```yaml
services:
  mailpit:
    image: axllent/mailpit:latest
    container_name: flashcard-mailpit
    ports:
      - "1025:1025"   # SMTP
      - "8025:8025"   # Web UI
    environment:
      MP_MAX_MESSAGES: 5000
    restart: unless-stopped
```

- [ ] **Step 2: Create `.env.example`**

```
# Backend
PORT=3000
DB_PATH=./data/flashcard.db
APP_URL=http://localhost:5173

# Cookies
COOKIE_SECURE=false

# SMTP (Mailpit dev defaults; override in production with SES SMTP)
SMTP_HOST=localhost
SMTP_PORT=1025
SMTP_SECURE=false
SMTP_USER=
SMTP_PASS=
SMTP_FROM="Flashcard <noreply@flashcard.local>"
```

- [ ] **Step 3: Append README section**

Append to `README.md`:

```markdown
## Auth & e-mail

De applicatie zit achter een login. Eerste registratie (POST /api/auth/register via /register pagina) wordt automatisch sysadmin.

### Lokaal e-mail (Mailpit)

```bash
docker compose up -d mailpit
# Web UI: http://localhost:8025
# SMTP:   localhost:1025
```

Kopieer `.env.example` → `.env` in repo-root, of zet de waarden inline.

### Productie (Amazon SES)

In productie:

```
SMTP_HOST=email-smtp.eu-west-1.amazonaws.com
SMTP_PORT=587
SMTP_USER=<SES SMTP username>
SMTP_PASS=<SES SMTP password>
SMTP_FROM="Flashcard <noreply@yourdomain.com>"
COOKIE_SECURE=true
APP_URL=https://yourdomain.com
```

### Fallback (geen SMTP)

Als `SMTP_HOST` ontbreekt, schrijft het systeem de e-mails (incl. links) naar de server-log.
```

- [ ] **Step 4: Commit**

```bash
git add docker-compose.yml .env.example README.md
git -c commit.gpgsign=false commit -m "chore: docker-compose mailpit, env.example, README auth section"
```

---

## Task 14: Frontend API client — CSRF + auth modules

**Files:**
- Modify: `packages/frontend/src/api/client.ts`
- Create: `packages/frontend/src/api/auth.ts`
- Create: `packages/frontend/src/api/admin-users.ts`

- [ ] **Step 1: Rewrite `client.ts` with CSRF header + 401 handling**

```ts
const CSRF_COOKIE = 'flashcard_csrf';

function readCookie(name: string): string | null {
  const m = document.cookie.match(new RegExp(`(?:^|; )${name}=([^;]+)`));
  return m ? decodeURIComponent(m[1]!) : null;
}

export class ApiClientError extends Error {
  constructor(public status: number, public code: string, message: string, public details?: unknown) {
    super(message);
  }
}

const listeners = new Set<() => void>();
export function onUnauthorized(cb: () => void): () => void {
  listeners.add(cb);
  return () => listeners.delete(cb);
}

async function request<T>(
  method: string,
  path: string,
  body?: unknown,
  opts?: { isFormData?: boolean }
): Promise<T> {
  const headers: Record<string, string> = {};
  let payload: BodyInit | undefined;
  if (opts?.isFormData) {
    payload = body as FormData;
  } else if (body !== undefined) {
    headers['Content-Type'] = 'application/json';
    payload = JSON.stringify(body);
  }
  if (method !== 'GET' && method !== 'HEAD') {
    const csrf = readCookie(CSRF_COOKIE);
    if (csrf) headers['X-CSRF-Token'] = csrf;
  }
  const res = await fetch(`/api${path}`, {
    method,
    headers,
    body: payload,
    credentials: 'same-origin',
  });
  if (res.status === 204) return undefined as T;
  const isJson = res.headers.get('content-type')?.includes('application/json');
  const data = isJson ? await res.json() : await res.blob();
  if (!res.ok) {
    const e = (data as { error?: { code: string; message: string; details?: unknown } }).error;
    if (res.status === 401) listeners.forEach((l) => l());
    throw new ApiClientError(res.status, e?.code ?? 'UNKNOWN', e?.message ?? 'Request failed', e?.details);
  }
  return data as T;
}

export const api = {
  get: <T>(path: string) => request<T>('GET', path),
  post: <T>(path: string, body?: unknown) => request<T>('POST', path, body),
  postForm: <T>(path: string, form: FormData) => request<T>('POST', path, form, { isFormData: true }),
  patch: <T>(path: string, body: unknown) => request<T>('PATCH', path, body),
  delete: <T>(path: string) => request<T>('DELETE', path),
  getBlob: async (path: string): Promise<Blob> => {
    const res = await fetch(`/api${path}`, { credentials: 'same-origin' });
    if (!res.ok) throw new ApiClientError(res.status, 'UNKNOWN', 'Request failed');
    return res.blob();
  },
};
```

- [ ] **Step 2: Create `api/auth.ts`**

```ts
import type {
  PublicUser, User,
  LoginInput, RegisterInput, VerifyEmailInput, ResendVerificationInput,
  ForgotPasswordInput, ResetPasswordInput, AcceptInviteInput,
  ProfileUpdateInput, ChangePasswordInput,
} from '@flashcard/shared';
import { api } from './client.js';

export const authApi = {
  me: () => api.get<User>('/auth/me'),
  register: (input: RegisterInput) => api.post<PublicUser>('/auth/register', input),
  verifyEmail: (input: VerifyEmailInput) => api.post<{ ok: true }>('/auth/verify-email', input),
  resendVerification: (input: ResendVerificationInput) => api.post<{ ok: true }>('/auth/resend-verification', input),
  login: (input: LoginInput) => api.post<PublicUser>('/auth/login', input),
  logout: () => api.post<void>('/auth/logout'),
  forgotPassword: (input: ForgotPasswordInput) => api.post<{ ok: true }>('/auth/forgot-password', input),
  resetPassword: (input: ResetPasswordInput) => api.post<{ ok: true }>('/auth/reset-password', input),
  acceptInvite: (input: AcceptInviteInput) => api.post<PublicUser>('/auth/accept-invite', input),
  updateProfile: (input: ProfileUpdateInput) => api.patch<PublicUser>('/auth/profile', input),
  changePassword: (input: ChangePasswordInput) => api.post<void>('/auth/change-password', input),
};
```

- [ ] **Step 3: Create `api/admin-users.ts`**

```ts
import type { User, AdminUserUpdateInput, InviteUserInput, Role } from '@flashcard/shared';
import { api } from './client.js';

export interface ListUsersResponse { rows: User[]; total: number; }

export const adminUsersApi = {
  list: (params: { q?: string; role?: Role; active?: boolean; limit?: number; offset?: number } = {}) => {
    const qs = new URLSearchParams();
    if (params.q) qs.set('q', params.q);
    if (params.role) qs.set('role', params.role);
    if (params.active !== undefined) qs.set('active', String(params.active));
    if (params.limit !== undefined) qs.set('limit', String(params.limit));
    if (params.offset !== undefined) qs.set('offset', String(params.offset));
    const s = qs.toString();
    return api.get<ListUsersResponse>(`/admin/users${s ? '?' + s : ''}`);
  },
  invite: (input: InviteUserInput) => api.post<{ id: number; email: string; role: Role }>('/admin/users/invite', input),
  update: (id: number, input: AdminUserUpdateInput) => api.patch<User>(`/admin/users/${id}`, input),
  sendReset: (id: number) => api.post<void>(`/admin/users/${id}/send-reset`),
};
```

- [ ] **Step 4: Typecheck and commit**

```bash
npm -w @flashcard/frontend run typecheck
git add packages/frontend/src/api/
git -c commit.gpgsign=false commit -m "feat(frontend): API client CSRF support + auth and admin-users API modules"
```

---

## Task 15: Frontend authStore

**Files:**
- Create: `packages/frontend/src/stores/authStore.ts`

- [ ] **Step 1: Create `authStore.ts`**

```ts
import { create } from 'zustand';
import type { User } from '@flashcard/shared';
import { authApi } from '../api/auth.js';
import { ApiClientError } from '../api/client.js';

interface AuthState {
  user: User | null;
  loading: boolean;
  ready: boolean;
  hydrate: () => Promise<void>;
  refreshMe: () => Promise<void>;
  login: (email: string, password: string) => Promise<void>;
  logout: () => Promise<void>;
  setUserFromAuthResponse: (publicUser: { id: number; email: string; displayName: string; role: 'user' | 'sysadmin' }) => void;
}

export const useAuth = create<AuthState>((set, get) => ({
  user: null,
  loading: false,
  ready: false,

  hydrate: async () => {
    set({ loading: true });
    try {
      const user = await authApi.me();
      set({ user, ready: true });
    } catch (e) {
      if (e instanceof ApiClientError && e.status === 401) {
        set({ user: null, ready: true });
        return;
      }
      set({ user: null, ready: true });
    } finally {
      set({ loading: false });
    }
  },

  refreshMe: async () => {
    try { set({ user: await authApi.me() }); } catch { set({ user: null }); }
  },

  login: async (email, password) => {
    await authApi.login({ email, password });
    await get().refreshMe();
  },

  logout: async () => {
    await authApi.logout();
    set({ user: null });
  },

  setUserFromAuthResponse: (pu) => {
    // Optimistic set after register/accept-invite where backend returns PublicUser
    set({
      user: {
        id: pu.id, email: pu.email, displayName: pu.displayName, role: pu.role,
        isActive: true, emailVerifiedAt: Math.floor(Date.now() / 1000),
        pendingEmail: null, createdAt: 0, updatedAt: 0,
      },
    });
  },
}));
```

- [ ] **Step 2: Commit**

```bash
git add packages/frontend/src/stores/authStore.ts
git -c commit.gpgsign=false commit -m "feat(frontend): authStore (Zustand)"
```

---

## Task 16: AuthBoundary, RoleGuard, UserMenu + Layout integration

**Files:**
- Create: `packages/frontend/src/components/AuthBoundary.tsx`
- Create: `packages/frontend/src/components/RoleGuard.tsx`
- Create: `packages/frontend/src/components/UserMenu.tsx`
- Modify: `packages/frontend/src/components/Layout.tsx`
- Modify: `packages/frontend/src/main.tsx`

- [ ] **Step 1: Create `AuthBoundary.tsx`**

```tsx
import { useEffect } from 'react';
import { Navigate, Outlet, useLocation } from 'react-router-dom';
import { useAuth } from '../stores/authStore.js';

export function AuthBoundary() {
  const { user, ready, hydrate } = useAuth();
  const location = useLocation();

  useEffect(() => {
    if (!ready) hydrate();
  }, [ready, hydrate]);

  if (!ready) {
    return (
      <div className="flex h-full items-center justify-center">
        <div className="h-2 w-32 animate-shimmer rounded-full bg-gradient-to-r from-brand-100 via-brand-200 to-brand-100 bg-[length:1000px_100%]" />
      </div>
    );
  }
  if (!user) {
    const next = encodeURIComponent(location.pathname + location.search);
    return <Navigate to={`/login?next=${next}`} replace />;
  }
  return <Outlet />;
}
```

- [ ] **Step 2: Create `RoleGuard.tsx`**

```tsx
import { Navigate, Outlet } from 'react-router-dom';
import type { Role } from '@flashcard/shared';
import { useAuth } from '../stores/authStore.js';

export function RoleGuard({ role }: { role: Role }) {
  const user = useAuth((s) => s.user);
  if (!user) return <Navigate to="/login" replace />;
  if (user.role !== role) {
    return (
      <div className="mx-auto max-w-md p-12 text-center">
        <h1 className="font-display text-2xl font-bold">Geen toegang</h1>
        <p className="mt-2 text-sm text-slate-500">Deze pagina is alleen voor beheerders.</p>
      </div>
    );
  }
  return <Outlet />;
}
```

- [ ] **Step 3: Create `UserMenu.tsx`**

```tsx
import { useState, useRef, useEffect } from 'react';
import { Link, useNavigate } from 'react-router-dom';
import { useAuth } from '../stores/authStore.js';

export function UserMenu() {
  const { user, logout } = useAuth();
  const [open, setOpen] = useState(false);
  const ref = useRef<HTMLDivElement>(null);
  const navigate = useNavigate();

  useEffect(() => {
    function onClick(e: MouseEvent) {
      if (ref.current && !ref.current.contains(e.target as Node)) setOpen(false);
    }
    document.addEventListener('mousedown', onClick);
    return () => document.removeEventListener('mousedown', onClick);
  }, []);

  if (!user) return null;

  const initials = user.displayName.trim().split(/\s+/).map((p) => p[0]).slice(0, 2).join('').toUpperCase();

  async function handleLogout() {
    await logout();
    navigate('/login');
  }

  return (
    <div className="relative" ref={ref}>
      <button
        onClick={() => setOpen((o) => !o)}
        className="grid h-9 w-9 place-items-center rounded-full bg-brand-gradient text-sm font-bold text-white shadow-glow hover:brightness-110"
        aria-label="Account menu"
      >
        {initials || '?'}
      </button>
      {open && (
        <div className="absolute right-0 top-11 z-30 w-56 rounded-2xl border border-white/60 bg-white/95 p-2 shadow-soft backdrop-blur dark:border-slate-800 dark:bg-slate-900/95">
          <div className="px-3 py-2">
            <div className="truncate text-sm font-semibold">{user.displayName}</div>
            <div className="truncate text-xs text-slate-500">{user.email}</div>
          </div>
          <hr className="my-1 border-brand-100 dark:border-slate-800" />
          <Link to="/profile" className="block rounded-xl px-3 py-2 text-sm hover:bg-brand-50 dark:hover:bg-slate-800" onClick={() => setOpen(false)}>Profiel</Link>
          {user.role === 'sysadmin' && (
            <Link to="/admin/users" className="block rounded-xl px-3 py-2 text-sm hover:bg-brand-50 dark:hover:bg-slate-800" onClick={() => setOpen(false)}>👑 Systeembeheer</Link>
          )}
          <button onClick={handleLogout} className="block w-full rounded-xl px-3 py-2 text-left text-sm text-danger-600 hover:bg-danger-50 dark:hover:bg-danger-400/10">
            Uitloggen
          </button>
        </div>
      )}
    </div>
  );
}
```

- [ ] **Step 4: Replace `Layout.tsx`**

```tsx
import { NavLink, Outlet } from 'react-router-dom';
import { useSettings } from '../stores/settingsStore.js';
import { useAuth } from '../stores/authStore.js';
import { UserMenu } from './UserMenu.js';

const navItems = [
  { to: '/', label: 'Dashboard', end: true },
  { to: '/admin', label: 'Lessen' },
  { to: '/stats', label: 'Stats' },
];

export function Layout() {
  const { theme, toggleTheme } = useSettings();
  const user = useAuth((s) => s.user);
  return (
    <div className="flex h-full flex-col">
      <header className="sticky top-0 z-20 border-b border-white/40 bg-white/70 backdrop-blur-xl dark:border-slate-800/60 dark:bg-slate-950/70">
        <div className="mx-auto flex max-w-6xl items-center gap-2 px-4 py-3 sm:px-6">
          <NavLink to="/" className="flex items-center gap-2 font-display text-lg font-bold">
            <span className="grid h-8 w-8 place-items-center rounded-xl bg-brand-gradient text-white shadow-glow">⚡</span>
            <span className="bg-brand-gradient bg-clip-text text-transparent">Flashcards</span>
          </NavLink>
          {user && (
            <nav className="ml-4 hidden gap-1 sm:flex">
              {navItems.map((item) => (
                <NavLink
                  key={item.to}
                  to={item.to}
                  end={item.end}
                  className={({ isActive }) =>
                    `rounded-xl px-3 py-1.5 text-sm font-medium transition ${
                      isActive
                        ? 'bg-brand-100 text-brand-700 dark:bg-brand-900/40 dark:text-brand-200'
                        : 'text-slate-600 hover:bg-white/70 hover:text-slate-900 dark:text-slate-300 dark:hover:bg-slate-900/60'
                    }`
                  }
                >
                  {item.label}
                </NavLink>
              ))}
            </nav>
          )}
          <div className="ml-auto flex items-center gap-2">
            <button
              onClick={toggleTheme}
              className="grid h-9 w-9 place-items-center rounded-xl border border-white/60 bg-white/70 text-base shadow-sm transition hover:scale-105 dark:border-slate-800 dark:bg-slate-900/70"
              aria-label="Toggle dark mode"
            >
              {theme === 'dark' ? '☀️' : '🌙'}
            </button>
            <UserMenu />
          </div>
        </div>
        {user && (
          <nav className="flex gap-1 overflow-x-auto px-4 pb-2 sm:hidden">
            {navItems.map((item) => (
              <NavLink
                key={item.to}
                to={item.to}
                end={item.end}
                className={({ isActive }) =>
                  `whitespace-nowrap rounded-full px-3 py-1 text-xs font-medium transition ${
                    isActive ? 'bg-brand-600 text-white' : 'bg-white/60 text-slate-700 dark:bg-slate-900/60 dark:text-slate-300'
                  }`
                }
              >
                {item.label}
              </NavLink>
            ))}
          </nav>
        )}
      </header>
      <main className="flex-1 overflow-auto">
        <div className="mx-auto max-w-6xl px-4 py-6 sm:px-6">
          <Outlet />
        </div>
      </main>
    </div>
  );
}
```

- [ ] **Step 5: Hook the 401-handler in `main.tsx` to bounce to /login**

Replace `packages/frontend/src/main.tsx` with:

```tsx
import React from 'react';
import { createRoot } from 'react-dom/client';
import { RouterProvider } from 'react-router-dom';
import { router } from './router.js';
import { useSettings } from './stores/settingsStore.js';
import { useAuth } from './stores/authStore.js';
import { onUnauthorized } from './api/client.js';
import './styles.css';

useSettings.getState().hydrate();

onUnauthorized(() => {
  useAuth.setState({ user: null, ready: true });
});

const root = createRoot(document.getElementById('root')!);
root.render(
  <React.StrictMode>
    <RouterProvider router={router} />
  </React.StrictMode>
);
```

- [ ] **Step 6: Typecheck + commit**

```bash
npm -w @flashcard/frontend run typecheck
git add packages/frontend/src/components/ packages/frontend/src/main.tsx
git -c commit.gpgsign=false commit -m "feat(frontend): AuthBoundary, RoleGuard, UserMenu + Layout integration"
```

---

## Task 17: Auth pages — Login + Register

**Files:**
- Create: `packages/frontend/src/pages/auth/Login.tsx`
- Create: `packages/frontend/src/pages/auth/Register.tsx`

- [ ] **Step 1: Create `Login.tsx`**

```tsx
import { useState } from 'react';
import { Link, useNavigate, useSearchParams } from 'react-router-dom';
import { authApi } from '../../api/auth.js';
import { ApiClientError } from '../../api/client.js';
import { useAuth } from '../../stores/authStore.js';

export function LoginPage() {
  const [searchParams] = useSearchParams();
  const next = searchParams.get('next') ?? '/';
  const navigate = useNavigate();
  const login = useAuth((s) => s.login);
  const [email, setEmail] = useState('');
  const [password, setPassword] = useState('');
  const [busy, setBusy] = useState(false);
  const [error, setError] = useState<string | null>(null);
  const [needsVerification, setNeedsVerification] = useState(false);

  async function submit(e: React.FormEvent) {
    e.preventDefault();
    setBusy(true); setError(null); setNeedsVerification(false);
    try {
      await login(email, password);
      navigate(next, { replace: true });
    } catch (err) {
      if (err instanceof ApiClientError) {
        if (err.code === 'EMAIL_NOT_VERIFIED') setNeedsVerification(true);
        else setError(err.message);
      } else setError('Onbekende fout');
    } finally { setBusy(false); }
  }

  async function resend() {
    try { await authApi.resendVerification({ email }); setError('Bevestigingsmail opnieuw verstuurd.'); }
    catch { setError('Kon mail niet versturen.'); }
  }

  return (
    <AuthLayout title="Inloggen">
      <form onSubmit={submit} className="space-y-4">
        <Field label="E-mailadres">
          <input type="email" className="input-field" required value={email} onChange={(e) => setEmail(e.target.value)} autoComplete="email" />
        </Field>
        <Field label="Wachtwoord">
          <input type="password" className="input-field" required value={password} onChange={(e) => setPassword(e.target.value)} autoComplete="current-password" />
        </Field>
        {error && <p className="rounded-xl bg-danger-50 p-3 text-sm text-danger-700 dark:bg-danger-400/10 dark:text-danger-400">{error}</p>}
        {needsVerification && (
          <div className="rounded-xl bg-amber-50 p-3 text-sm text-amber-800 dark:bg-amber-900/30 dark:text-amber-200">
            Je e-mailadres is nog niet bevestigd.
            <button type="button" className="ml-2 font-semibold underline" onClick={resend}>Stuur opnieuw</button>
          </div>
        )}
        <button type="submit" className="btn-primary w-full py-3" disabled={busy}>{busy ? 'Bezig…' : 'Inloggen'}</button>
      </form>
      <div className="mt-6 flex justify-between text-sm">
        <Link to="/forgot-password" className="text-brand-600 hover:underline">Wachtwoord vergeten?</Link>
        <Link to="/register" className="text-brand-600 hover:underline">Account aanmaken</Link>
      </div>
    </AuthLayout>
  );
}

export function AuthLayout({ title, children }: { title: string; children: React.ReactNode }) {
  return (
    <div className="mx-auto max-w-md p-6">
      <div className="surface p-8">
        <h1 className="mb-6 font-display text-2xl font-bold">{title}</h1>
        {children}
      </div>
    </div>
  );
}

export function Field({ label, children }: { label: string; children: React.ReactNode }) {
  return (
    <label className="block text-sm">
      <span className="mb-1 block font-medium text-slate-700 dark:text-slate-200">{label}</span>
      {children}
    </label>
  );
}
```

- [ ] **Step 2: Create `Register.tsx`**

```tsx
import { useState } from 'react';
import { Link, useNavigate } from 'react-router-dom';
import { authApi } from '../../api/auth.js';
import { ApiClientError } from '../../api/client.js';
import { AuthLayout, Field } from './Login.js';

export function RegisterPage() {
  const navigate = useNavigate();
  const [email, setEmail] = useState('');
  const [displayName, setDisplayName] = useState('');
  const [password, setPassword] = useState('');
  const [busy, setBusy] = useState(false);
  const [error, setError] = useState<string | null>(null);
  const [done, setDone] = useState(false);

  async function submit(e: React.FormEvent) {
    e.preventDefault();
    setBusy(true); setError(null);
    try {
      await authApi.register({ email, displayName, password });
      setDone(true);
    } catch (err) {
      if (err instanceof ApiClientError) setError(err.message);
      else setError('Onbekende fout');
    } finally { setBusy(false); }
  }

  if (done) {
    return (
      <AuthLayout title="Bijna klaar 📬">
        <p className="text-sm">
          We hebben een bevestigingsmail gestuurd naar <strong>{email}</strong>.
          Klik op de link om je account te activeren.
        </p>
        <Link to="/login" className="mt-6 block text-sm text-brand-600 hover:underline">Terug naar inloggen</Link>
      </AuthLayout>
    );
  }

  return (
    <AuthLayout title="Registreren">
      <form onSubmit={submit} className="space-y-4">
        <Field label="Naam"><input className="input-field" required minLength={1} value={displayName} onChange={(e) => setDisplayName(e.target.value)} autoComplete="name" /></Field>
        <Field label="E-mailadres"><input type="email" className="input-field" required value={email} onChange={(e) => setEmail(e.target.value)} autoComplete="email" /></Field>
        <Field label="Wachtwoord (min. 8 tekens)"><input type="password" className="input-field" required minLength={8} value={password} onChange={(e) => setPassword(e.target.value)} autoComplete="new-password" /></Field>
        {error && <p className="rounded-xl bg-danger-50 p-3 text-sm text-danger-700 dark:bg-danger-400/10 dark:text-danger-400">{error}</p>}
        <button type="submit" className="btn-primary w-full py-3" disabled={busy}>{busy ? 'Bezig…' : 'Account aanmaken'}</button>
        <p className="text-xs text-slate-500">
          De eerste registratie wordt automatisch beheerder.
        </p>
      </form>
      <div className="mt-6 text-sm">
        <Link to="/login" className="text-brand-600 hover:underline">Heb je al een account? Inloggen</Link>
      </div>
    </AuthLayout>
  );
}
```

- [ ] **Step 3: Typecheck and commit**

```bash
npm -w @flashcard/frontend run typecheck
git add packages/frontend/src/pages/auth/
git -c commit.gpgsign=false commit -m "feat(frontend): Login + Register pages"
```

---

## Task 18: Auth pages — VerifyEmail, ForgotPassword, ResetPassword, AcceptInvite

**Files:**
- Create: `packages/frontend/src/pages/auth/VerifyEmail.tsx`
- Create: `packages/frontend/src/pages/auth/ForgotPassword.tsx`
- Create: `packages/frontend/src/pages/auth/ResetPassword.tsx`
- Create: `packages/frontend/src/pages/auth/AcceptInvite.tsx`

- [ ] **Step 1: Create `VerifyEmail.tsx`**

```tsx
import { useEffect, useState } from 'react';
import { Link, useSearchParams } from 'react-router-dom';
import { authApi } from '../../api/auth.js';
import { ApiClientError } from '../../api/client.js';
import { AuthLayout } from './Login.js';

export function VerifyEmailPage() {
  const [params] = useSearchParams();
  const token = params.get('token');
  const [state, setState] = useState<'pending' | 'ok' | 'err'>('pending');
  const [message, setMessage] = useState('');

  useEffect(() => {
    if (!token) { setState('err'); setMessage('Token ontbreekt.'); return; }
    (async () => {
      try {
        await authApi.verifyEmail({ token });
        setState('ok');
      } catch (e) {
        setState('err');
        setMessage(e instanceof ApiClientError ? e.message : 'Verificatie mislukt.');
      }
    })();
  }, [token]);

  return (
    <AuthLayout title="E-mailverificatie">
      {state === 'pending' && <p>Bezig met verifiëren…</p>}
      {state === 'ok' && (
        <>
          <p className="text-sm">Je e-mailadres is bevestigd ✅</p>
          <Link to="/login" className="btn-primary mt-6 inline-flex">Naar inloggen</Link>
        </>
      )}
      {state === 'err' && (
        <>
          <p className="text-sm text-danger-700 dark:text-danger-400">{message}</p>
          <Link to="/login" className="mt-6 inline-block text-sm text-brand-600 hover:underline">Terug naar inloggen</Link>
        </>
      )}
    </AuthLayout>
  );
}
```

- [ ] **Step 2: Create `ForgotPassword.tsx`**

```tsx
import { useState } from 'react';
import { Link } from 'react-router-dom';
import { authApi } from '../../api/auth.js';
import { AuthLayout, Field } from './Login.js';

export function ForgotPasswordPage() {
  const [email, setEmail] = useState('');
  const [busy, setBusy] = useState(false);
  const [sent, setSent] = useState(false);

  async function submit(e: React.FormEvent) {
    e.preventDefault();
    setBusy(true);
    try { await authApi.forgotPassword({ email }); }
    finally { setBusy(false); setSent(true); }
  }

  if (sent) {
    return (
      <AuthLayout title="Check je mail 📬">
        <p className="text-sm">Als <strong>{email}</strong> bekend is, hebben we een reset-link gestuurd. De link is 1 uur geldig.</p>
        <Link to="/login" className="mt-6 inline-block text-sm text-brand-600 hover:underline">Terug naar inloggen</Link>
      </AuthLayout>
    );
  }

  return (
    <AuthLayout title="Wachtwoord vergeten">
      <form onSubmit={submit} className="space-y-4">
        <Field label="E-mailadres">
          <input type="email" required className="input-field" value={email} onChange={(e) => setEmail(e.target.value)} autoComplete="email" />
        </Field>
        <button type="submit" className="btn-primary w-full py-3" disabled={busy}>{busy ? 'Bezig…' : 'Stuur reset-link'}</button>
      </form>
      <div className="mt-6 text-sm">
        <Link to="/login" className="text-brand-600 hover:underline">Terug naar inloggen</Link>
      </div>
    </AuthLayout>
  );
}
```

- [ ] **Step 3: Create `ResetPassword.tsx`**

```tsx
import { useState } from 'react';
import { Link, useNavigate, useSearchParams } from 'react-router-dom';
import { authApi } from '../../api/auth.js';
import { ApiClientError } from '../../api/client.js';
import { AuthLayout, Field } from './Login.js';

export function ResetPasswordPage() {
  const [params] = useSearchParams();
  const token = params.get('token') ?? '';
  const navigate = useNavigate();
  const [password, setPassword] = useState('');
  const [busy, setBusy] = useState(false);
  const [error, setError] = useState<string | null>(null);
  const [done, setDone] = useState(false);

  async function submit(e: React.FormEvent) {
    e.preventDefault();
    setBusy(true); setError(null);
    try { await authApi.resetPassword({ token, password }); setDone(true); }
    catch (err) { setError(err instanceof ApiClientError ? err.message : 'Reset mislukt.'); }
    finally { setBusy(false); }
  }

  if (done) {
    return (
      <AuthLayout title="Wachtwoord ingesteld ✅">
        <p className="text-sm">Je kunt nu inloggen met je nieuwe wachtwoord.</p>
        <button className="btn-primary mt-6 w-full" onClick={() => navigate('/login')}>Naar inloggen</button>
      </AuthLayout>
    );
  }

  return (
    <AuthLayout title="Nieuw wachtwoord">
      {!token && <p className="text-sm text-danger-700">Geen token in URL.</p>}
      <form onSubmit={submit} className="space-y-4">
        <Field label="Nieuw wachtwoord (min. 8 tekens)">
          <input type="password" required minLength={8} className="input-field" value={password} onChange={(e) => setPassword(e.target.value)} autoComplete="new-password" />
        </Field>
        {error && <p className="rounded-xl bg-danger-50 p-3 text-sm text-danger-700 dark:bg-danger-400/10 dark:text-danger-400">{error}</p>}
        <button type="submit" className="btn-primary w-full py-3" disabled={busy || !token}>{busy ? 'Bezig…' : 'Opslaan'}</button>
      </form>
      <Link to="/login" className="mt-6 block text-sm text-brand-600 hover:underline">Terug naar inloggen</Link>
    </AuthLayout>
  );
}
```

- [ ] **Step 4: Create `AcceptInvite.tsx`**

```tsx
import { useState } from 'react';
import { useNavigate, useSearchParams } from 'react-router-dom';
import { authApi } from '../../api/auth.js';
import { ApiClientError } from '../../api/client.js';
import { useAuth } from '../../stores/authStore.js';
import { AuthLayout, Field } from './Login.js';

export function AcceptInvitePage() {
  const [params] = useSearchParams();
  const token = params.get('token') ?? '';
  const navigate = useNavigate();
  const refreshMe = useAuth((s) => s.refreshMe);
  const [displayName, setDisplayName] = useState('');
  const [password, setPassword] = useState('');
  const [busy, setBusy] = useState(false);
  const [error, setError] = useState<string | null>(null);

  async function submit(e: React.FormEvent) {
    e.preventDefault();
    setBusy(true); setError(null);
    try {
      await authApi.acceptInvite({ token, displayName, password });
      await refreshMe();
      navigate('/', { replace: true });
    } catch (err) {
      setError(err instanceof ApiClientError ? err.message : 'Accepteren mislukt.');
    } finally { setBusy(false); }
  }

  return (
    <AuthLayout title="Account aanmaken">
      {!token && <p className="text-sm text-danger-700">Geen token in URL.</p>}
      <form onSubmit={submit} className="space-y-4">
        <Field label="Naam">
          <input required className="input-field" value={displayName} onChange={(e) => setDisplayName(e.target.value)} autoComplete="name" />
        </Field>
        <Field label="Wachtwoord (min. 8 tekens)">
          <input type="password" required minLength={8} className="input-field" value={password} onChange={(e) => setPassword(e.target.value)} autoComplete="new-password" />
        </Field>
        {error && <p className="rounded-xl bg-danger-50 p-3 text-sm text-danger-700 dark:bg-danger-400/10 dark:text-danger-400">{error}</p>}
        <button type="submit" className="btn-primary w-full py-3" disabled={busy || !token}>{busy ? 'Bezig…' : 'Account aanmaken'}</button>
      </form>
    </AuthLayout>
  );
}
```

- [ ] **Step 5: Typecheck + commit**

```bash
npm -w @flashcard/frontend run typecheck
git add packages/frontend/src/pages/auth/
git -c commit.gpgsign=false commit -m "feat(frontend): VerifyEmail + ForgotPassword + ResetPassword + AcceptInvite pages"
```

---

## Task 19: Profile page

**Files:**
- Create: `packages/frontend/src/pages/Profile.tsx`

- [ ] **Step 1: Create `Profile.tsx`**

```tsx
import { useState } from 'react';
import { authApi } from '../api/auth.js';
import { ApiClientError } from '../api/client.js';
import { useAuth } from '../stores/authStore.js';

export function ProfilePage() {
  const { user, refreshMe } = useAuth();
  const [displayName, setDisplayName] = useState(user?.displayName ?? '');
  const [email, setEmail] = useState(user?.email ?? '');
  const [profileBusy, setProfileBusy] = useState(false);
  const [profileMsg, setProfileMsg] = useState<string | null>(null);

  const [currentPassword, setCurrentPassword] = useState('');
  const [newPassword, setNewPassword] = useState('');
  const [pwBusy, setPwBusy] = useState(false);
  const [pwMsg, setPwMsg] = useState<string | null>(null);
  const [pwErr, setPwErr] = useState<string | null>(null);

  async function saveProfile(e: React.FormEvent) {
    e.preventDefault();
    setProfileBusy(true); setProfileMsg(null);
    try {
      const updates: { displayName?: string; email?: string } = {};
      if (displayName !== user?.displayName) updates.displayName = displayName;
      if (email !== user?.email) updates.email = email;
      if (Object.keys(updates).length === 0) { setProfileMsg('Geen wijzigingen.'); return; }
      await authApi.updateProfile(updates);
      await refreshMe();
      setProfileMsg(updates.email ? 'Profiel opgeslagen. Bevestig je nieuwe e-mailadres via de link in de mail.' : 'Profiel opgeslagen.');
    } catch (err) {
      setProfileMsg(err instanceof ApiClientError ? err.message : 'Opslaan mislukt.');
    } finally { setProfileBusy(false); }
  }

  async function changePassword(e: React.FormEvent) {
    e.preventDefault();
    setPwBusy(true); setPwMsg(null); setPwErr(null);
    try {
      await authApi.changePassword({ currentPassword, newPassword });
      setPwMsg('Wachtwoord gewijzigd.');
      setCurrentPassword(''); setNewPassword('');
    } catch (err) {
      setPwErr(err instanceof ApiClientError ? err.message : 'Wijzigen mislukt.');
    } finally { setPwBusy(false); }
  }

  if (!user) return null;

  return (
    <div className="mx-auto max-w-2xl space-y-6">
      <header>
        <h1 className="font-display text-3xl font-bold">Profiel</h1>
        <p className="text-sm text-slate-500">Beheer je naam, e-mailadres en wachtwoord.</p>
      </header>

      <form onSubmit={saveProfile} className="surface space-y-4 p-6">
        <h2 className="font-display text-lg font-bold">Gegevens</h2>
        <label className="block text-sm">
          <span className="mb-1 block font-medium">Naam</span>
          <input className="input-field" value={displayName} onChange={(e) => setDisplayName(e.target.value)} />
        </label>
        <label className="block text-sm">
          <span className="mb-1 block font-medium">E-mailadres</span>
          <input type="email" className="input-field" value={email} onChange={(e) => setEmail(e.target.value)} />
          {user.pendingEmail && <span className="mt-1 block text-xs text-amber-700">In afwachting: {user.pendingEmail}</span>}
        </label>
        {profileMsg && <p className="text-sm">{profileMsg}</p>}
        <button className="btn-primary" disabled={profileBusy}>{profileBusy ? 'Bezig…' : 'Opslaan'}</button>
      </form>

      <form onSubmit={changePassword} className="surface space-y-4 p-6">
        <h2 className="font-display text-lg font-bold">Wachtwoord</h2>
        <label className="block text-sm">
          <span className="mb-1 block font-medium">Huidig wachtwoord</span>
          <input type="password" className="input-field" required value={currentPassword} onChange={(e) => setCurrentPassword(e.target.value)} autoComplete="current-password" />
        </label>
        <label className="block text-sm">
          <span className="mb-1 block font-medium">Nieuw wachtwoord (min. 8 tekens)</span>
          <input type="password" minLength={8} className="input-field" required value={newPassword} onChange={(e) => setNewPassword(e.target.value)} autoComplete="new-password" />
        </label>
        {pwMsg && <p className="text-sm text-success-700">{pwMsg}</p>}
        {pwErr && <p className="text-sm text-danger-700">{pwErr}</p>}
        <button className="btn-primary" disabled={pwBusy}>{pwBusy ? 'Bezig…' : 'Wachtwoord wijzigen'}</button>
      </form>
    </div>
  );
}
```

- [ ] **Step 2: Commit**

```bash
git add packages/frontend/src/pages/Profile.tsx
git -c commit.gpgsign=false commit -m "feat(frontend): profile page (display name, email, change password)"
```

---

## Task 20: AdminUsers page

**Files:**
- Create: `packages/frontend/src/pages/AdminUsers.tsx`

- [ ] **Step 1: Create `AdminUsers.tsx`**

```tsx
import { useEffect, useState } from 'react';
import { adminUsersApi, type ListUsersResponse } from '../api/admin-users.js';
import type { User } from '@flashcard/shared';
import { ApiClientError } from '../api/client.js';

export function AdminUsersPage() {
  const [data, setData] = useState<ListUsersResponse>({ rows: [], total: 0 });
  const [q, setQ] = useState('');
  const [busy, setBusy] = useState(false);

  const [inviteEmail, setInviteEmail] = useState('');
  const [inviteRole, setInviteRole] = useState<'user' | 'sysadmin'>('user');
  const [inviteMsg, setInviteMsg] = useState<string | null>(null);

  async function refresh() {
    setBusy(true);
    try { setData(await adminUsersApi.list({ q: q.trim() || undefined })); }
    finally { setBusy(false); }
  }
  useEffect(() => { refresh(); }, []);

  async function invite(e: React.FormEvent) {
    e.preventDefault();
    setInviteMsg(null);
    try {
      await adminUsersApi.invite({ email: inviteEmail, role: inviteRole });
      setInviteMsg('Uitnodiging verstuurd.');
      setInviteEmail('');
      await refresh();
    } catch (err) {
      setInviteMsg(err instanceof ApiClientError ? err.message : 'Uitnodigen mislukt.');
    }
  }

  async function setActive(u: User, isActive: boolean) {
    try { await adminUsersApi.update(u.id, { isActive }); await refresh(); }
    catch (err) { alert(err instanceof ApiClientError ? err.message : 'Bijwerken mislukt.'); }
  }

  async function setRole(u: User, role: 'user' | 'sysadmin') {
    try { await adminUsersApi.update(u.id, { role }); await refresh(); }
    catch (err) { alert(err instanceof ApiClientError ? err.message : 'Bijwerken mislukt.'); }
  }

  async function sendReset(u: User) {
    if (!confirm(`Reset/uitnodigingsmail sturen naar ${u.email}?`)) return;
    try { await adminUsersApi.sendReset(u.id); alert('Mail verstuurd.'); }
    catch (err) { alert(err instanceof ApiClientError ? err.message : 'Versturen mislukt.'); }
  }

  return (
    <div className="space-y-6">
      <header>
        <h1 className="font-display text-3xl font-bold">👑 Gebruikersbeheer</h1>
        <p className="text-sm text-slate-500">{data.total} gebruiker(s) totaal</p>
      </header>

      <form onSubmit={invite} className="surface flex flex-col gap-2 p-4 sm:flex-row sm:items-end">
        <label className="flex-1 text-sm">
          <span className="mb-1 block font-medium">Uitnodigen via e-mail</span>
          <input type="email" required className="input-field" value={inviteEmail} onChange={(e) => setInviteEmail(e.target.value)} placeholder="naam@voorbeeld.com" />
        </label>
        <label className="text-sm">
          <span className="mb-1 block font-medium">Rol</span>
          <select className="input-field" value={inviteRole} onChange={(e) => setInviteRole(e.target.value as 'user' | 'sysadmin')}>
            <option value="user">Gebruiker</option>
            <option value="sysadmin">Beheerder</option>
          </select>
        </label>
        <button className="btn-primary shrink-0">Uitnodiging sturen</button>
      </form>
      {inviteMsg && <p className="text-sm">{inviteMsg}</p>}

      <div className="surface p-4">
        <div className="mb-3 flex gap-2">
          <input className="input-field flex-1" placeholder="Zoek op e-mail of naam…" value={q} onChange={(e) => setQ(e.target.value)} onKeyDown={(e) => e.key === 'Enter' && refresh()} />
          <button className="btn-ghost" onClick={refresh} disabled={busy}>Zoek</button>
        </div>
        <table className="w-full text-sm">
          <thead>
            <tr className="text-left text-xs uppercase tracking-wider text-slate-500">
              <th className="px-2 py-2">Email</th>
              <th className="px-2 py-2">Naam</th>
              <th className="px-2 py-2">Rol</th>
              <th className="px-2 py-2">Status</th>
              <th className="px-2 py-2"></th>
            </tr>
          </thead>
          <tbody className="divide-y divide-brand-100/60 dark:divide-slate-800">
            {data.rows.map((u) => (
              <tr key={u.id} className="hover:bg-brand-50/40 dark:hover:bg-slate-800/40">
                <td className="px-2 py-2">{u.email}</td>
                <td className="px-2 py-2">{u.displayName}</td>
                <td className="px-2 py-2">
                  <select className="rounded-lg border border-brand-100 bg-white px-2 py-1 text-xs dark:border-slate-800 dark:bg-slate-900" value={u.role} onChange={(e) => setRole(u, e.target.value as 'user' | 'sysadmin')}>
                    <option value="user">user</option>
                    <option value="sysadmin">sysadmin</option>
                  </select>
                </td>
                <td className="px-2 py-2">
                  {u.isActive ? (
                    <span className="rounded-full bg-success-50 px-2 py-0.5 text-xs font-semibold text-success-700 dark:bg-success-700/20 dark:text-success-400">actief</span>
                  ) : (
                    <span className="rounded-full bg-slate-100 px-2 py-0.5 text-xs font-semibold text-slate-600 dark:bg-slate-800 dark:text-slate-400">uit</span>
                  )}
                  {!u.emailVerifiedAt && (
                    <span className="ml-1 rounded-full bg-amber-50 px-2 py-0.5 text-xs font-semibold text-amber-700 dark:bg-amber-900/30 dark:text-amber-200">onbevestigd</span>
                  )}
                </td>
                <td className="px-2 py-2 text-right">
                  <button className="rounded-lg px-2 py-1 text-xs text-brand-700 hover:bg-brand-50 dark:text-brand-200 dark:hover:bg-brand-900/40" onClick={() => sendReset(u)}>reset-mail</button>
                  <button className="rounded-lg px-2 py-1 text-xs text-slate-600 hover:bg-slate-100 dark:text-slate-300 dark:hover:bg-slate-800" onClick={() => setActive(u, !u.isActive)}>{u.isActive ? 'deactiveer' : 'activeer'}</button>
                </td>
              </tr>
            ))}
          </tbody>
        </table>
      </div>
    </div>
  );
}
```

- [ ] **Step 2: Commit**

```bash
git add packages/frontend/src/pages/AdminUsers.tsx
git -c commit.gpgsign=false commit -m "feat(frontend): admin users page (invite, role, activate, send-reset)"
```

---

## Task 21: Router — wire all auth routes + protect existing routes

**Files:**
- Modify: `packages/frontend/src/router.tsx`

- [ ] **Step 1: Replace `router.tsx`**

```tsx
import { createBrowserRouter, Navigate } from 'react-router-dom';
import { Layout } from './components/Layout.js';
import { AuthBoundary } from './components/AuthBoundary.js';
import { RoleGuard } from './components/RoleGuard.js';
import { DashboardPage } from './pages/Dashboard.js';
import { AdminPage } from './pages/Admin.js';
import { AdminLessonPage } from './pages/AdminLesson.js';
import { PracticeSetupPage } from './pages/PracticeSetup.js';
import { PracticePage } from './pages/Practice.js';
import { PracticeDonePage } from './pages/PracticeDone.js';
import { StatsPage } from './pages/Stats.js';
import { StatsLessonPage } from './pages/StatsLesson.js';
import { StatsCardPage } from './pages/StatsCard.js';
import { SettingsPage } from './pages/Settings.js';
import { LoginPage } from './pages/auth/Login.js';
import { RegisterPage } from './pages/auth/Register.js';
import { VerifyEmailPage } from './pages/auth/VerifyEmail.js';
import { ForgotPasswordPage } from './pages/auth/ForgotPassword.js';
import { ResetPasswordPage } from './pages/auth/ResetPassword.js';
import { AcceptInvitePage } from './pages/auth/AcceptInvite.js';
import { ProfilePage } from './pages/Profile.js';
import { AdminUsersPage } from './pages/AdminUsers.js';

export const router = createBrowserRouter([
  {
    path: '/',
    element: <Layout />,
    children: [
      // Public auth routes
      { path: 'login', element: <LoginPage /> },
      { path: 'register', element: <RegisterPage /> },
      { path: 'verify-email', element: <VerifyEmailPage /> },
      { path: 'forgot-password', element: <ForgotPasswordPage /> },
      { path: 'reset-password', element: <ResetPasswordPage /> },
      { path: 'accept-invite', element: <AcceptInvitePage /> },

      // Authenticated routes
      {
        element: <AuthBoundary />,
        children: [
          { index: true, element: <DashboardPage /> },
          { path: 'admin', element: <AdminPage /> },
          { path: 'admin/lessons/:id', element: <AdminLessonPage /> },
          { path: 'practice/:lessonId/setup', element: <PracticeSetupPage /> },
          { path: 'practice/:lessonId', element: <PracticePage /> },
          { path: 'practice/:lessonId/done', element: <PracticeDonePage /> },
          { path: 'stats', element: <StatsPage /> },
          { path: 'stats/lessons/:id', element: <StatsLessonPage /> },
          { path: 'stats/cards/:id', element: <StatsCardPage /> },
          { path: 'settings', element: <SettingsPage /> },
          { path: 'profile', element: <ProfilePage /> },
          {
            element: <RoleGuard role="sysadmin" />,
            children: [
              { path: 'admin/users', element: <AdminUsersPage /> },
            ],
          },
          { path: '*', element: <Navigate to="/" replace /> },
        ],
      },
    ],
  },
]);
```

- [ ] **Step 2: Typecheck + frontend build**

```bash
npm -w @flashcard/frontend run typecheck
npm -w @flashcard/frontend run build
```

Expected: both succeed.

- [ ] **Step 3: Commit**

```bash
git add packages/frontend/src/router.tsx
git -c commit.gpgsign=false commit -m "feat(frontend): router with auth boundary, role guard, and all auth pages"
```

---

## Task 22: Update existing E2E smoke + add new auth E2E (Mailpit-based)

**Files:**
- Modify: `e2e/smoke.spec.ts`
- Create: `e2e/auth.spec.ts`
- Modify: `packages/frontend/playwright.config.ts`

- [ ] **Step 1: Update playwright config to use mailpit and a unique DB per run**

```ts
import { defineConfig } from '@playwright/test';

export default defineConfig({
  testDir: '../../e2e',
  webServer: [
    {
      command:
        'rm -f packages/backend/data/e2e.db data/e2e.db && DB_PATH=./data/e2e.db SMTP_HOST=localhost SMTP_PORT=1025 APP_URL=http://localhost:5173 npm -w @flashcard/backend run db:migrate && DB_PATH=./data/e2e.db SMTP_HOST=localhost SMTP_PORT=1025 APP_URL=http://localhost:5173 npm -w @flashcard/backend run dev',
      cwd: '../..',
      port: 3000,
      reuseExistingServer: false,
      timeout: 60_000,
    },
    {
      command: 'npm -w @flashcard/frontend run dev',
      cwd: '../..',
      port: 5173,
      reuseExistingServer: false,
      timeout: 60_000,
    },
  ],
  use: { baseURL: 'http://localhost:5173' },
  timeout: 30_000,
});
```

- [ ] **Step 2: Replace existing `e2e/smoke.spec.ts` with a flow that first registers/logs in**

```ts
import { test, expect } from '@playwright/test';

async function fetchVerifyLink(email: string): Promise<string> {
  // Mailpit HTTP API: list latest message and pull link from text body
  const res = await fetch('http://localhost:8025/api/v1/messages?limit=10');
  const data = await res.json() as { messages: { ID: string; To: { Address: string }[] }[] };
  const msg = data.messages.find((m) => m.To.some((t) => t.Address === email));
  if (!msg) throw new Error('no message for ' + email);
  const body = await fetch(`http://localhost:8025/api/v1/message/${msg.ID}`);
  const full = await body.json() as { Text: string };
  const match = full.Text.match(/https?:\/\/[^\s]+verify-email\?token=[^\s]+/);
  if (!match) throw new Error('no verify link');
  return match[0];
}

test('register → verify → login → create lesson → add card → practice once', async ({ page, request }) => {
  const email = `user+${Date.now()}@example.com`;
  const password = 'secretpass';
  await page.goto('/register');
  await page.getByLabel(/Naam/).fill('E2E User');
  await page.getByLabel(/E-mailadres/).fill(email);
  await page.getByLabel(/Wachtwoord/).fill(password);
  await page.getByRole('button', { name: /Account aanmaken/ }).click();
  await expect(page.getByText(/bevestigingsmail/i)).toBeVisible({ timeout: 10_000 });

  const link = await fetchVerifyLink(email);
  await page.goto(link);
  await expect(page.getByText(/bevestigd/i)).toBeVisible();

  await page.goto('/login');
  await page.getByLabel(/E-mailadres/).fill(email);
  await page.getByLabel(/Wachtwoord/).fill(password);
  await page.getByRole('button', { name: 'Inloggen' }).click();

  await page.goto('/admin');
  await page.getByPlaceholder(/Nieuwe wortel-les/).fill('E2E les');
  await page.getByRole('button', { name: /Toevoegen/ }).first().click();
  await page.getByRole('link', { name: /E2E les/ }).first().click();
  await page.getByPlaceholder('Nieuwe vraag').fill('q1');
  await page.getByPlaceholder('Antwoord').fill('a1');
  await page.getByRole('button', { name: 'Kaart toevoegen' }).click();
  await page.getByRole('link', { name: /Start oefenen/ }).click();
  await page.getByRole('button', { name: /Start sessie/ }).click();
  await page.getByRole('button', { name: 'Toon antwoord' }).click();
  await page.getByRole('button', { name: /Goed/ }).click();
  await expect(page.getByText(/Sessie klaar/)).toBeVisible({ timeout: 8_000 });
});
```

- [ ] **Step 3: Create `e2e/auth.spec.ts` — admin invites a user**

```ts
import { test, expect } from '@playwright/test';

async function fetchLink(email: string, kind: 'invite' | 'verify-email' | 'reset-password'): Promise<string> {
  for (let i = 0; i < 20; i++) {
    const res = await fetch('http://localhost:8025/api/v1/messages?limit=20');
    const data = await res.json() as { messages: { ID: string; To: { Address: string }[] }[] };
    const msg = data.messages.find((m) => m.To.some((t) => t.Address === email));
    if (msg) {
      const full = await (await fetch(`http://localhost:8025/api/v1/message/${msg.ID}`)).json() as { Text: string };
      const pattern = new RegExp(`https?:\\/\\/[^\\s]+${kind}\\?token=[^\\s]+`);
      const m = full.Text.match(pattern);
      if (m) return m[0];
    }
    await new Promise((r) => setTimeout(r, 250));
  }
  throw new Error(`no ${kind} link for ${email}`);
}

test('admin invites user; user accepts and logs in', async ({ page }) => {
  // Make admin (first registration)
  const adminEmail = `admin+${Date.now()}@example.com`;
  const adminPw = 'secretpass';
  await page.goto('/register');
  await page.getByLabel(/Naam/).fill('Admin');
  await page.getByLabel(/E-mailadres/).fill(adminEmail);
  await page.getByLabel(/Wachtwoord/).fill(adminPw);
  await page.getByRole('button', { name: /Account aanmaken/ }).click();
  await expect(page.getByText(/bevestigingsmail/i)).toBeVisible();
  await page.goto(await fetchLink(adminEmail, 'verify-email'));

  await page.goto('/login');
  await page.getByLabel(/E-mailadres/).fill(adminEmail);
  await page.getByLabel(/Wachtwoord/).fill(adminPw);
  await page.getByRole('button', { name: 'Inloggen' }).click();

  // Invite
  await page.goto('/admin/users');
  const inviteeEmail = `invitee+${Date.now()}@example.com`;
  await page.getByPlaceholder(/naam@voorbeeld/).fill(inviteeEmail);
  await page.getByRole('button', { name: /Uitnodiging sturen/ }).click();
  await expect(page.getByText(/Uitnodiging verstuurd/)).toBeVisible();

  // Accept
  const inviteLink = await fetchLink(inviteeEmail, 'accept-invite');
  // logout admin first via UI
  await page.getByRole('button', { name: 'Account menu' }).click();
  await page.getByRole('button', { name: 'Uitloggen' }).click();

  await page.goto(inviteLink);
  await page.getByLabel(/Naam/).fill('Newbie');
  await page.getByLabel(/Wachtwoord/).fill('newuserpass');
  await page.getByRole('button', { name: /Account aanmaken/ }).click();
  await expect(page).toHaveURL(/\/$/);
});
```

- [ ] **Step 4: Run mailpit before running E2E**

```bash
docker compose up -d mailpit
```

- [ ] **Step 5: Run E2E**

```bash
lsof -ti tcp:3000 2>/dev/null | xargs kill -9 2>/dev/null
lsof -ti tcp:5173 2>/dev/null | xargs kill -9 2>/dev/null
rm -f packages/backend/data/e2e.db data/e2e.db
sleep 2
npm run e2e
```

Expected: both tests pass.

- [ ] **Step 6: Commit**

```bash
git add e2e/ packages/frontend/playwright.config.ts
git -c commit.gpgsign=false commit -m "test(e2e): register+verify smoke and admin invite flow via Mailpit"
```

---

## Self-review

**Spec coverage:**

| Spec section | Implemented in task |
|---|---|
| 3.1 Self-service register + first-user becomes sysadmin | 10 |
| 3.2 Email verification (24h, single-use) | 4, 10 |
| 3.3 Login / logout with cookie session | 5, 7, 10, 12 |
| 3.4 Forgot / reset (1h, all sessions invalidated) | 10 |
| 3.5 Profile + email-change via pending_email + change-password keep-current | 10 |
| 3.6 Invite + accept-invite | 11 (invite) + 10 (accept) |
| 3.7 Admin user list / role / active / send-reset | 11 |
| 3.8 Rate limiting | 8 |
| 3.9 CSRF double-submit + headers | 7, 12, 14 |
| Data model (users, sessions_auth, auth_tokens) | 1 |
| Bcrypt cost 12 | 3 |
| Token TTLs and purposes | 4, 10 |
| Last-sysadmin guard | 11 |
| Email templates (4 types) | 6 |
| StubMailer fallback when SMTP missing | 6 |
| Mailpit docker-compose | 13 |
| Env.example | 13 |
| Frontend auth pages + AuthBoundary + RoleGuard + UserMenu | 16–21 |
| E2E mailpit-based smoke | 22 |

All spec sections covered.

**Placeholders:** none — every step has concrete code or commands.

**Type consistency:** PublicUser/User shapes match between shared types, server responses, and authStore. CSRF cookie/header naming uses `CSRF_COOKIE` and `X-CSRF-Token` consistently.

---

## Execution Handoff

**Plan complete and saved to `docs/superpowers/plans/2026-05-20-auth-and-roles.md`. Two execution options:**

**1. Subagent-Driven (recommended)** — fresh subagent per task, review between tasks, fast iteration

**2. Inline Execution** — execute tasks in this session using executing-plans, batch execution with checkpoints

**Which approach?**