bert.hausmans/flashcards
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9fdadca52915426893bcb59bf00ab7756bbc495c
flashcards/docs/superpowers/plans/2026-05-20-auth-and-roles.md

3439 lines
125 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Auth & Roles Implementation Plan (Sub-project A)
> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking.
**Goal:** Put the existing flashcard app behind email+password authentication with self-service registration, admin invites, password reset, profile management, and a sysadmin role for user management.
**Architecture:** Server-side sessions in SQLite (Drizzle ORM) backed by HttpOnly cookies, with double-submit CSRF tokens for mutations. Email delivery via nodemailer over SMTP (Mailpit in dev, Amazon SES in prod) with a stub-mailer fallback that logs to console when SMTP is unreachable. New backend modules under `src/services/auth/`, `src/middleware/`, and route files for `/api/auth/*` and `/api/admin/users/*`. New React pages for login/register/verify/forgot/reset/accept-invite/profile/admin-users, gated by an `AuthBoundary` + `RoleGuard`.
**Tech Stack:** bcryptjs, nodemailer, cookie-parser, express-rate-limit, Drizzle ORM, Zod, React + Zustand, Vitest + supertest, Playwright + Mailpit HTTP API.
**Spec:** `docs/superpowers/specs/2026-05-20-auth-and-roles-design.md`
**Pre-implementation:** The current dev DB at `data/flashcard.db` will be dropped and re-migrated. No production data exists yet.
---
## File Structure
```
flashcard/
├── docker-compose.yml NEW (mailpit)
├── .env.example NEW
├── packages/
│ ├── shared/src/
│ │ ├── types.ts MODIFIED (+ User, AuthSession, Role)
│ │ └── schemas.ts MODIFIED (+ auth zod schemas)
│ ├── backend/src/
│ │ ├── db/
│ │ │ ├── schema.ts MODIFIED (+ users, sessions_auth, auth_tokens)
│ │ │ └── seed.ts MODIFIED (creates demo user + lessons)
│ │ ├── services/
│ │ │ ├── auth/
│ │ │ │ ├── passwords.ts NEW
│ │ │ │ ├── passwords.test.ts NEW
│ │ │ │ ├── tokens.ts NEW
│ │ │ │ ├── tokens.test.ts NEW
│ │ │ │ ├── sessions.ts NEW
│ │ │ │ ├── sessions.test.ts NEW
│ │ │ │ ├── email.ts NEW
│ │ │ │ └── templates.ts NEW
│ │ │ └── users.ts NEW (admin user management)
│ │ ├── middleware/
│ │ │ ├── auth.ts NEW (requireAuth, requireRole, currentUserOrNull)
│ │ │ ├── csrf.ts NEW
│ │ │ └── rate-limit.ts NEW
│ │ ├── lib/
│ │ │ └── cookies.ts NEW
│ │ ├── routes/
│ │ │ ├── auth.ts NEW
│ │ │ ├── admin-users.ts NEW
│ │ │ ├── cards.ts MODIFIED (no functional change beyond mounting)
│ │ │ ├── lessons.ts (unchanged)
│ │ │ ├── sessions.ts (unchanged)
│ │ │ └── stats.ts (unchanged)
│ │ ├── tests/
│ │ │ ├── dbHelper.ts MODIFIED (helper to seed a user + return session cookie)
│ │ │ ├── auth.integration.test.ts NEW
│ │ │ └── admin-users.integration.test.ts NEW
│ │ ├── app.ts MODIFIED (mount auth, csrf, rate limit, protect all)
│ │ └── index.ts MODIFIED (env validation)
│ └── frontend/src/
│ ├── api/
│ │ ├── client.ts MODIFIED (CSRF header + 401 handling)
│ │ ├── auth.ts NEW
│ │ └── admin-users.ts NEW
│ ├── stores/
│ │ └── authStore.ts NEW
│ ├── components/
│ │ ├── AuthBoundary.tsx NEW
│ │ ├── RoleGuard.tsx NEW
│ │ ├── UserMenu.tsx NEW
│ │ └── Layout.tsx MODIFIED (UserMenu + sysadmin link)
│ ├── pages/
│ │ ├── auth/
│ │ │ ├── Login.tsx NEW
│ │ │ ├── Register.tsx NEW
│ │ │ ├── VerifyEmail.tsx NEW
│ │ │ ├── ForgotPassword.tsx NEW
│ │ │ ├── ResetPassword.tsx NEW
│ │ │ └── AcceptInvite.tsx NEW
│ │ ├── Profile.tsx NEW
│ │ └── AdminUsers.tsx NEW
│ └── router.tsx MODIFIED (auth routes + boundaries)
├── e2e/
│ ├── smoke.spec.ts MODIFIED (registers + logs in first)
│ └── auth.spec.ts NEW (full mailpit-based auth flow)
└── README.md MODIFIED (auth setup section)
```
---
## Task 1: Database schema for auth
**Files:**
- Modify: `packages/backend/src/db/schema.ts`
- Generate: `packages/backend/drizzle/0001_*.sql`
- Modify: `packages/backend/src/db/seed.ts`
- [ ] **Step 1: Drop existing dev DB**
```bash
cd /Users/berthausmans/Documents/Development/flashcard
rm -f data/flashcard.db data/flashcard.db-* packages/backend/data/*.db packages/backend/data/*.db-*
```
- [ ] **Step 2: Append new tables to `schema.ts`**
Add to `packages/backend/src/db/schema.ts` (after the existing `attempts` table, before the type exports):
```ts
export const users = sqliteTable(
'users',
{
id: integer('id').primaryKey({ autoIncrement: true }),
email: text('email').notNull().unique(),
displayName: text('display_name').notNull(),
passwordHash: text('password_hash'),
role: text('role', { enum: ['user', 'sysadmin'] }).notNull().default('user'),
isActive: integer('is_active', { mode: 'boolean' }).notNull().default(true),
emailVerifiedAt: integer('email_verified_at'),
pendingEmail: text('pending_email'),
createdAt: integer('created_at').notNull().default(sql`(unixepoch())`),
updatedAt: integer('updated_at').notNull().default(sql`(unixepoch())`),
},
(t) => ({ emailIdx: index('users_email_idx').on(t.email) })
);
export const sessionsAuth = sqliteTable(
'sessions_auth',
{
id: text('id').primaryKey(),
userId: integer('user_id').notNull().references(() => users.id, { onDelete: 'cascade' }),
createdAt: integer('created_at').notNull().default(sql`(unixepoch())`),
expiresAt: integer('expires_at').notNull(),
lastUsedAt: integer('last_used_at').notNull().default(sql`(unixepoch())`),
userAgent: text('user_agent'),
ip: text('ip'),
},
(t) => ({
userIdx: index('sessions_auth_user_idx').on(t.userId),
expIdx: index('sessions_auth_expires_idx').on(t.expiresAt),
})
);
export const authTokens = sqliteTable(
'auth_tokens',
{
id: integer('id').primaryKey({ autoIncrement: true }),
userId: integer('user_id').notNull().references(() => users.id, { onDelete: 'cascade' }),
tokenHash: text('token_hash').notNull(),
purpose: text('purpose', { enum: ['verify_email', 'password_reset', 'invite', 'change_email'] }).notNull(),
payload: text('payload'),
expiresAt: integer('expires_at').notNull(),
usedAt: integer('used_at'),
createdAt: integer('created_at').notNull().default(sql`(unixepoch())`),
},
(t) => ({
hashIdx: index('auth_tokens_hash_idx').on(t.tokenHash),
userPurposeIdx: index('auth_tokens_user_purpose_idx').on(t.userId, t.purpose),
})
);
export type UserRow = typeof users.$inferSelect;
export type SessionAuthRow = typeof sessionsAuth.$inferSelect;
export type AuthTokenRow = typeof authTokens.$inferSelect;
```
- [ ] **Step 3: Generate migration**
```bash
npm -w @flashcard/backend run db:generate
```
Expected: a new file `packages/backend/drizzle/0001_*.sql` is created.
- [ ] **Step 4: Run migrations on a fresh DB**
```bash
DB_PATH=./data/flashcard.db npm -w @flashcard/backend run db:migrate
```
Expected: `Migrations applied.` and `data/flashcard.db` exists.
- [ ] **Step 5: Update `seed.ts` to be safe with the new tables**
Replace the contents of `packages/backend/src/db/seed.ts` with:
```ts
import { createDb } from './client.js';
import { cards, lessons } from './schema.js';
const { db, sqlite } = createDb();
// Seed only demo lessons + cards. Users are created via /api/auth/register in app.
const [root] = db.insert(lessons).values({ name: 'Demo: Spaans', position: 0 }).returning().all();
const [sub] = db.insert(lessons).values({ name: 'Begroetingen', parentId: root!.id, position: 0 }).returning().all();
db.insert(cards).values([
{ lessonId: sub!.id, question: 'Hallo', answer: 'Hola', position: 0 },
{ lessonId: sub!.id, question: 'Goedemorgen', answer: 'Buenos días', position: 1 },
{ lessonId: sub!.id, question: 'Tot ziens', answer: 'Adiós', position: 2 },
]).run();
sqlite.close();
console.log('Seed inserted.');
```
(No change to logic; only confirming that seed continues to work after the new tables exist.)
- [ ] **Step 6: Typecheck and commit**
```bash
npm -w @flashcard/backend run typecheck
git add packages/backend/src/db/schema.ts packages/backend/drizzle packages/backend/src/db/seed.ts
git -c commit.gpgsign=false commit -m "feat(db): add users, sessions_auth, auth_tokens tables"
```
---
## Task 2: Shared auth types & Zod schemas
**Files:**
- Modify: `packages/shared/src/types.ts`
- Modify: `packages/shared/src/schemas.ts`
- [ ] **Step 1: Append types to `types.ts`**
Append these to `packages/shared/src/types.ts`:
```ts
export type Role = 'user' | 'sysadmin';
export interface User {
id: number;
email: string;
displayName: string;
role: Role;
isActive: boolean;
emailVerifiedAt: number | null;
pendingEmail: string | null;
createdAt: number;
updatedAt: number;
}
export interface PublicUser {
id: number;
email: string;
displayName: string;
role: Role;
}
```
- [ ] **Step 2: Append Zod schemas to `schemas.ts`**
Append to `packages/shared/src/schemas.ts`:
```ts
export const emailSchema = z.string().email().max(320).transform((v) => v.trim().toLowerCase());
export const registerSchema = z.object({
email: emailSchema,
displayName: z.string().trim().min(1).max(120),
password: z.string().min(8).max(200),
});
export const loginSchema = z.object({
email: emailSchema,
password: z.string().min(1).max(200),
});
export const forgotPasswordSchema = z.object({ email: emailSchema });
export const resetPasswordSchema = z.object({
token: z.string().min(20).max(200),
password: z.string().min(8).max(200),
});
export const verifyEmailSchema = z.object({
token: z.string().min(20).max(200),
});
export const resendVerificationSchema = z.object({ email: emailSchema });
export const profileUpdateSchema = z.object({
displayName: z.string().trim().min(1).max(120).optional(),
email: emailSchema.optional(),
});
export const changePasswordSchema = z.object({
currentPassword: z.string().min(1).max(200),
newPassword: z.string().min(8).max(200),
});
export const acceptInviteSchema = z.object({
token: z.string().min(20).max(200),
displayName: z.string().trim().min(1).max(120),
password: z.string().min(8).max(200),
});
export const inviteUserSchema = z.object({
email: emailSchema,
role: z.enum(['user', 'sysadmin']).default('user'),
});
export const adminUserUpdateSchema = z.object({
displayName: z.string().trim().min(1).max(120).optional(),
role: z.enum(['user', 'sysadmin']).optional(),
isActive: z.boolean().optional(),
});
export type RegisterInput = z.infer<typeof registerSchema>;
export type LoginInput = z.infer<typeof loginSchema>;
export type ForgotPasswordInput = z.infer<typeof forgotPasswordSchema>;
export type ResetPasswordInput = z.infer<typeof resetPasswordSchema>;
export type VerifyEmailInput = z.infer<typeof verifyEmailSchema>;
export type ResendVerificationInput = z.infer<typeof resendVerificationSchema>;
export type ProfileUpdateInput = z.infer<typeof profileUpdateSchema>;
export type ChangePasswordInput = z.infer<typeof changePasswordSchema>;
export type AcceptInviteInput = z.infer<typeof acceptInviteSchema>;
export type InviteUserInput = z.infer<typeof inviteUserSchema>;
export type AdminUserUpdateInput = z.infer<typeof adminUserUpdateSchema>;
```
- [ ] **Step 3: Typecheck and commit**
```bash
npm -w @flashcard/shared run typecheck
git add packages/shared/src/types.ts packages/shared/src/schemas.ts
git -c commit.gpgsign=false commit -m "feat(shared): add auth types and zod schemas"
```
---
## Task 3: Password service (TDD)
**Files:**
- Create: `packages/backend/src/services/auth/passwords.ts`
- Create: `packages/backend/src/services/auth/passwords.test.ts`
- [ ] **Step 1: Install bcryptjs**
```bash
cd /Users/berthausmans/Documents/Development/flashcard
npm i -w @flashcard/backend bcryptjs
npm i -D -w @flashcard/backend @types/bcryptjs
```
- [ ] **Step 2: Write the failing tests**
Create `packages/backend/src/services/auth/passwords.test.ts`:
```ts
import { describe, it, expect } from 'vitest';
import { hashPassword, verifyPassword } from './passwords.js';
describe('passwords', () => {
it('hashes a password and verifies it', async () => {
const hash = await hashPassword('correcthorse');
expect(hash).toMatch(/^\$2[aby]\$/);
expect(await verifyPassword('correcthorse', hash)).toBe(true);
});
it('rejects a wrong password', async () => {
const hash = await hashPassword('correcthorse');
expect(await verifyPassword('wrong', hash)).toBe(false);
});
it('returns false on malformed hash', async () => {
expect(await verifyPassword('x', 'not-a-bcrypt-hash')).toBe(false);
});
});
```
- [ ] **Step 3: Run — fail**
```bash
npm -w @flashcard/backend test
```
Expected: failure (module not found).
- [ ] **Step 4: Implement `passwords.ts`**
```ts
import bcrypt from 'bcryptjs';
const COST = 12;
export async function hashPassword(plain: string): Promise<string> {
return bcrypt.hash(plain, COST);
}
export async function verifyPassword(plain: string, hash: string): Promise<boolean> {
try {
return await bcrypt.compare(plain, hash);
} catch {
return false;
}
}
```
- [ ] **Step 5: Run — pass**
```bash
npm -w @flashcard/backend test
```
Expected: 3 password tests pass.
- [ ] **Step 6: Commit**
```bash
git add packages/backend/package.json package-lock.json packages/backend/src/services/auth/
git -c commit.gpgsign=false commit -m "feat(auth): password hashing service"
```
---
## Task 4: Token service (TDD)
**Files:**
- Create: `packages/backend/src/services/auth/tokens.ts`
- Create: `packages/backend/src/services/auth/tokens.test.ts`
- [ ] **Step 1: Write failing tests**
```ts
import { describe, it, expect, beforeEach } from 'vitest';
import { makeTestDb } from '../../tests/dbHelper.js';
import { createUserDirect } from '../../tests/dbHelper.js';
import { generateToken, createAuthToken, consumeAuthToken, findValidAuthToken } from './tokens.js';
let env: ReturnType<typeof makeTestDb>;
beforeEach(() => { env = makeTestDb(); });
describe('tokens', () => {
it('generates a URL-safe random token of the expected length', () => {
const t = generateToken();
expect(t).toMatch(/^[A-Za-z0-9_-]+$/);
expect(t.length).toBeGreaterThanOrEqual(32);
});
it('stores a hashed token and finds it by plaintext', async () => {
const user = await createUserDirect(env.db, { email: 'a@example.com' });
const { plaintext } = await createAuthToken(env.db, user.id, 'verify_email', 3600);
const found = await findValidAuthToken(env.db, plaintext, 'verify_email');
expect(found?.userId).toBe(user.id);
});
it('rejects an expired token', async () => {
const user = await createUserDirect(env.db, { email: 'b@example.com' });
const { plaintext } = await createAuthToken(env.db, user.id, 'verify_email', -1);
expect(await findValidAuthToken(env.db, plaintext, 'verify_email')).toBeNull();
});
it('rejects a wrong purpose', async () => {
const user = await createUserDirect(env.db, { email: 'c@example.com' });
const { plaintext } = await createAuthToken(env.db, user.id, 'verify_email', 3600);
expect(await findValidAuthToken(env.db, plaintext, 'password_reset')).toBeNull();
});
it('consumes a token once', async () => {
const user = await createUserDirect(env.db, { email: 'd@example.com' });
const { plaintext } = await createAuthToken(env.db, user.id, 'verify_email', 3600);
const first = await consumeAuthToken(env.db, plaintext, 'verify_email');
expect(first?.userId).toBe(user.id);
const second = await consumeAuthToken(env.db, plaintext, 'verify_email');
expect(second).toBeNull();
});
it('stores and returns the payload', async () => {
const user = await createUserDirect(env.db, { email: 'e@example.com' });
const { plaintext } = await createAuthToken(env.db, user.id, 'change_email', 3600, 'new@example.com');
const found = await findValidAuthToken(env.db, plaintext, 'change_email');
expect(found?.payload).toBe('new@example.com');
});
});
```
- [ ] **Step 2: Add helper to dbHelper.ts**
Modify `packages/backend/src/tests/dbHelper.ts` to also export `createUserDirect`:
```ts
import { migrate } from 'drizzle-orm/better-sqlite3/migrator';
import { resolve } from 'node:path';
import { createDb, type Db } from '../db/client.js';
import { users } from '../db/schema.js';
import type { UserRow } from '../db/schema.js';
export function makeTestDb(): { db: Db; close: () => void } {
const { db, sqlite } = createDb(':memory:');
migrate(db, { migrationsFolder: resolve(import.meta.dirname, '../../drizzle') });
return { db, close: () => sqlite.close() };
}
export async function createUserDirect(
db: Db,
init: { email: string; displayName?: string; role?: 'user' | 'sysadmin'; passwordHash?: string | null; emailVerifiedAt?: number | null; isActive?: boolean }
): Promise<UserRow> {
const [row] = db.insert(users).values({
email: init.email,
displayName: init.displayName ?? 'Test User',
role: init.role ?? 'user',
passwordHash: init.passwordHash ?? null,
emailVerifiedAt: init.emailVerifiedAt ?? null,
isActive: init.isActive ?? true,
}).returning().all();
return row!;
}
```
- [ ] **Step 3: Run — fail**
```bash
npm -w @flashcard/backend test
```
Expected: tokens module not found.
- [ ] **Step 4: Implement `tokens.ts`**
```ts
import { randomBytes, createHash } from 'node:crypto';
import { and, eq, isNull, sql } from 'drizzle-orm';
import type { Db } from '../../db/client.js';
import { authTokens } from '../../db/schema.js';
const TOKEN_BYTES = 32;
export type Purpose = 'verify_email' | 'password_reset' | 'invite' | 'change_email';
export function generateToken(): string {
return randomBytes(TOKEN_BYTES).toString('base64url');
}
function hashToken(plaintext: string): string {
return createHash('sha256').update(plaintext).digest('hex');
}
export interface CreatedToken {
plaintext: string;
hash: string;
expiresAt: number;
}
export async function createAuthToken(
db: Db,
userId: number,
purpose: Purpose,
ttlSeconds: number,
payload?: string | null
): Promise<CreatedToken> {
const plaintext = generateToken();
const hash = hashToken(plaintext);
const expiresAt = Math.floor(Date.now() / 1000) + ttlSeconds;
db.insert(authTokens).values({
userId,
tokenHash: hash,
purpose,
payload: payload ?? null,
expiresAt,
}).run();
return { plaintext, hash, expiresAt };
}
export async function findValidAuthToken(
db: Db,
plaintext: string,
purpose: Purpose
): Promise<{ id: number; userId: number; payload: string | null } | null> {
const now = Math.floor(Date.now() / 1000);
const hash = hashToken(plaintext);
const row = db.select().from(authTokens).where(
and(
eq(authTokens.tokenHash, hash),
eq(authTokens.purpose, purpose),
isNull(authTokens.usedAt),
sql`${authTokens.expiresAt} > ${now}`
)
).get();
if (!row) return null;
return { id: row.id, userId: row.userId, payload: row.payload ?? null };
}
export async function consumeAuthToken(
db: Db,
plaintext: string,
purpose: Purpose
): Promise<{ userId: number; payload: string | null } | null> {
const now = Math.floor(Date.now() / 1000);
const row = await findValidAuthToken(db, plaintext, purpose);
if (!row) return null;
const r = db.update(authTokens).set({ usedAt: now })
.where(and(eq(authTokens.id, row.id), isNull(authTokens.usedAt)))
.run();
if (r.changes === 0) return null;
return { userId: row.userId, payload: row.payload };
}
export async function invalidateTokensForUser(db: Db, userId: number, purpose: Purpose): Promise<void> {
const now = Math.floor(Date.now() / 1000);
db.update(authTokens).set({ usedAt: now })
.where(and(eq(authTokens.userId, userId), eq(authTokens.purpose, purpose), isNull(authTokens.usedAt)))
.run();
}
```
- [ ] **Step 5: Run — pass**
```bash
npm -w @flashcard/backend test
```
Expected: 6 token tests pass.
- [ ] **Step 6: Commit**
```bash
git add packages/backend/src/services/auth/tokens.ts packages/backend/src/services/auth/tokens.test.ts packages/backend/src/tests/dbHelper.ts
git -c commit.gpgsign=false commit -m "feat(auth): token service with single-use, hashed storage"
```
---
## Task 5: Auth session service (TDD)
**Files:**
- Create: `packages/backend/src/services/auth/sessions.ts`
- Create: `packages/backend/src/services/auth/sessions.test.ts`
Note: this file is for **auth sessions**, not the existing practice sessions. Filename `sessions.ts` inside `services/auth/` keeps them disambiguated.
- [ ] **Step 1: Write failing tests**
```ts
import { describe, it, expect, beforeEach } from 'vitest';
import { makeTestDb, createUserDirect } from '../../tests/dbHelper.js';
import { createAuthSession, validateAuthSession, invalidateAuthSession, invalidateAllForUser } from './sessions.js';
let env: ReturnType<typeof makeTestDb>;
beforeEach(() => { env = makeTestDb(); });
describe('auth sessions', () => {
it('creates a session and validates it', async () => {
const u = await createUserDirect(env.db, { email: 'a@example.com' });
const s = await createAuthSession(env.db, u.id, { userAgent: 'jest', ip: '127.0.0.1' });
const v = await validateAuthSession(env.db, s.id);
expect(v?.userId).toBe(u.id);
});
it('rejects an unknown session id', async () => {
expect(await validateAuthSession(env.db, 'nope')).toBeNull();
});
it('rejects an expired session', async () => {
const u = await createUserDirect(env.db, { email: 'b@example.com' });
const s = await createAuthSession(env.db, u.id, { ttlSeconds: -1 });
expect(await validateAuthSession(env.db, s.id)).toBeNull();
});
it('invalidates one session', async () => {
const u = await createUserDirect(env.db, { email: 'c@example.com' });
const s = await createAuthSession(env.db, u.id);
await invalidateAuthSession(env.db, s.id);
expect(await validateAuthSession(env.db, s.id)).toBeNull();
});
it('invalidates all sessions for a user', async () => {
const u = await createUserDirect(env.db, { email: 'd@example.com' });
const a = await createAuthSession(env.db, u.id);
const b = await createAuthSession(env.db, u.id);
await invalidateAllForUser(env.db, u.id);
expect(await validateAuthSession(env.db, a.id)).toBeNull();
expect(await validateAuthSession(env.db, b.id)).toBeNull();
});
it('supports excluding one session when invalidating (for change-password keep-current)', async () => {
const u = await createUserDirect(env.db, { email: 'e@example.com' });
const a = await createAuthSession(env.db, u.id);
const b = await createAuthSession(env.db, u.id);
await invalidateAllForUser(env.db, u.id, { except: b.id });
expect(await validateAuthSession(env.db, a.id)).toBeNull();
expect(await validateAuthSession(env.db, b.id)?.then?.((v) => v?.userId)).resolves !== undefined; // structural; assertion below
const v = await validateAuthSession(env.db, b.id);
expect(v?.userId).toBe(u.id);
});
});
```
- [ ] **Step 2: Run — fail**
```bash
npm -w @flashcard/backend test
```
- [ ] **Step 3: Implement `sessions.ts`**
```ts
import { randomBytes } from 'node:crypto';
import { and, eq, ne, sql } from 'drizzle-orm';
import type { Db } from '../../db/client.js';
import { sessionsAuth } from '../../db/schema.js';
const DEFAULT_TTL = 30 * 24 * 60 * 60; // 30 days
const REFRESH_THRESHOLD = 24 * 60 * 60; // refresh expires_at when within 1 day of expiry
function nowSec() { return Math.floor(Date.now() / 1000); }
function genId(): string { return randomBytes(32).toString('hex'); }
export interface CreatedSession {
id: string;
expiresAt: number;
}
export async function createAuthSession(
db: Db,
userId: number,
opts: { ttlSeconds?: number; userAgent?: string; ip?: string } = {}
): Promise<CreatedSession> {
const id = genId();
const ttl = opts.ttlSeconds ?? DEFAULT_TTL;
const expiresAt = nowSec() + ttl;
db.insert(sessionsAuth).values({
id, userId, expiresAt, lastUsedAt: nowSec(),
userAgent: opts.userAgent ?? null, ip: opts.ip ?? null,
}).run();
return { id, expiresAt };
}
export async function validateAuthSession(
db: Db,
id: string
): Promise<{ userId: number; expiresAt: number } | null> {
const row = db.select().from(sessionsAuth).where(eq(sessionsAuth.id, id)).get();
if (!row) return null;
const now = nowSec();
if (row.expiresAt <= now) return null;
// rolling refresh
if (row.expiresAt - now < REFRESH_THRESHOLD) {
db.update(sessionsAuth)
.set({ expiresAt: now + DEFAULT_TTL, lastUsedAt: now })
.where(eq(sessionsAuth.id, id))
.run();
} else {
db.update(sessionsAuth).set({ lastUsedAt: now }).where(eq(sessionsAuth.id, id)).run();
}
return { userId: row.userId, expiresAt: row.expiresAt };
}
export async function invalidateAuthSession(db: Db, id: string): Promise<void> {
db.delete(sessionsAuth).where(eq(sessionsAuth.id, id)).run();
}
export async function invalidateAllForUser(
db: Db,
userId: number,
opts: { except?: string } = {}
): Promise<void> {
if (opts.except) {
db.delete(sessionsAuth).where(and(eq(sessionsAuth.userId, userId), ne(sessionsAuth.id, opts.except))).run();
} else {
db.delete(sessionsAuth).where(eq(sessionsAuth.userId, userId)).run();
}
}
export async function purgeExpiredSessions(db: Db): Promise<void> {
const now = nowSec();
db.delete(sessionsAuth).where(sql`${sessionsAuth.expiresAt} <= ${now}`).run();
}
```
- [ ] **Step 4: Run — pass**
```bash
npm -w @flashcard/backend test
```
Expected: 6 session tests pass.
- [ ] **Step 5: Commit**
```bash
git add packages/backend/src/services/auth/sessions.ts packages/backend/src/services/auth/sessions.test.ts
git -c commit.gpgsign=false commit -m "feat(auth): server-side auth sessions with rolling expiry"
```
---
## Task 6: Email service + templates
**Files:**
- Create: `packages/backend/src/services/auth/templates.ts`
- Create: `packages/backend/src/services/auth/email.ts`
- [ ] **Step 1: Install nodemailer**
```bash
npm i -w @flashcard/backend nodemailer
npm i -D -w @flashcard/backend @types/nodemailer
```
- [ ] **Step 2: Create `templates.ts`**
```ts
function layout(title: string, body: string): { html: string; text: string } {
const html = `<!doctype html>
<html><body style="font-family: -apple-system, Segoe UI, sans-serif; background:#FAF5FF; padding:24px;">
<div style="max-width:520px; margin:0 auto; background:white; border-radius:24px; padding:32px; box-shadow:0 8px 32px rgba(124,58,237,0.12);">
<h1 style="margin:0 0 16px; font-size:22px; color:#6D28D9;">${title}</h1>
${body}
<hr style="border:none; border-top:1px solid #EFE7FC; margin:24px 0;" />
<p style="font-size:12px; color:#94A3B8;">Flashcard — leer slimmer met spaced repetition</p>
</div>
</body></html>`;
return { html, text: stripHtml(body) };
}
function stripHtml(s: string): string {
return s.replace(/<[^>]+>/g, ' ').replace(/\s+/g, ' ').trim();
}
export function verifyEmailTemplate(appUrl: string, token: string, displayName: string) {
const link = `${appUrl}/verify-email?token=${encodeURIComponent(token)}`;
return {
subject: 'Bevestig je e-mailadres',
...layout('Welkom bij Flashcard 👋', `
<p>Hi ${escapeHtml(displayName)},</p>
<p>Klik op de knop hieronder om je e-mailadres te bevestigen. De link is 24 uur geldig.</p>
<p style="margin:24px 0;"><a href="${link}" style="background:#7C3AED; color:white; padding:12px 20px; border-radius:14px; text-decoration:none; font-weight:600;">Bevestig e-mail</a></p>
<p style="font-size:13px; color:#64748B;">Werkt de knop niet? Kopieer deze link in je browser:<br/><span style="word-break:break-all;">${link}</span></p>
`),
};
}
export function passwordResetTemplate(appUrl: string, token: string, displayName: string) {
const link = `${appUrl}/reset-password?token=${encodeURIComponent(token)}`;
return {
subject: 'Reset je wachtwoord',
...layout('Wachtwoord resetten', `
<p>Hi ${escapeHtml(displayName)},</p>
<p>Iemand vroeg een wachtwoord-reset aan voor je account. Was jij dat niet? Negeer dan deze e-mail.</p>
<p>De link is 1 uur geldig.</p>
<p style="margin:24px 0;"><a href="${link}" style="background:#7C3AED; color:white; padding:12px 20px; border-radius:14px; text-decoration:none; font-weight:600;">Reset wachtwoord</a></p>
<p style="font-size:13px; color:#64748B; word-break:break-all;">${link}</p>
`),
};
}
export function inviteTemplate(appUrl: string, token: string, inviterName: string) {
const link = `${appUrl}/accept-invite?token=${encodeURIComponent(token)}`;
return {
subject: 'Je bent uitgenodigd voor Flashcard',
...layout('Je bent uitgenodigd ✨', `
<p>${escapeHtml(inviterName)} heeft je uitgenodigd voor Flashcard.</p>
<p>Maak je account aan via onderstaande knop. De link is 24 uur geldig.</p>
<p style="margin:24px 0;"><a href="${link}" style="background:#7C3AED; color:white; padding:12px 20px; border-radius:14px; text-decoration:none; font-weight:600;">Account aanmaken</a></p>
<p style="font-size:13px; color:#64748B; word-break:break-all;">${link}</p>
`),
};
}
export function changeEmailTemplate(appUrl: string, token: string, displayName: string, newEmail: string) {
const link = `${appUrl}/verify-email?token=${encodeURIComponent(token)}`;
return {
subject: 'Bevestig je nieuwe e-mailadres',
...layout('Nieuw e-mailadres bevestigen', `
<p>Hi ${escapeHtml(displayName)},</p>
<p>Bevestig <strong>${escapeHtml(newEmail)}</strong> als je nieuwe e-mailadres.</p>
<p style="margin:24px 0;"><a href="${link}" style="background:#7C3AED; color:white; padding:12px 20px; border-radius:14px; text-decoration:none; font-weight:600;">Bevestig adres</a></p>
<p style="font-size:13px; color:#64748B; word-break:break-all;">${link}</p>
`),
};
}
function escapeHtml(s: string): string {
return s.replace(/[&<>"']/g, (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]!));
}
```
- [ ] **Step 3: Create `email.ts`**
```ts
import nodemailer, { type Transporter } from 'nodemailer';
export interface Mailer {
send(to: string, msg: { subject: string; html: string; text: string }): Promise<void>;
}
class SmtpMailer implements Mailer {
constructor(private transporter: Transporter, private from: string) {}
async send(to: string, msg: { subject: string; html: string; text: string }): Promise<void> {
await this.transporter.sendMail({ from: this.from, to, ...msg });
}
}
class StubMailer implements Mailer {
async send(to: string, msg: { subject: string; html: string; text: string }): Promise<void> {
console.log('\n=== EMAIL (stub) ===');
console.log(`TO: ${to}`);
console.log(`SUBJECT: ${msg.subject}`);
console.log('---');
console.log(msg.text);
console.log('====================\n');
}
}
let cached: Mailer | null = null;
export function getMailer(): Mailer {
if (cached) return cached;
const host = process.env.SMTP_HOST;
const from = process.env.SMTP_FROM ?? 'Flashcard <noreply@example.com>';
if (!host) {
cached = new StubMailer();
return cached;
}
const transporter = nodemailer.createTransport({
host,
port: Number(process.env.SMTP_PORT ?? 587),
secure: process.env.SMTP_SECURE === 'true',
auth: process.env.SMTP_USER ? { user: process.env.SMTP_USER, pass: process.env.SMTP_PASS ?? '' } : undefined,
});
cached = new SmtpMailer(transporter, from);
return cached;
}
export function setMailerForTests(m: Mailer | null): void {
cached = m;
}
```
- [ ] **Step 4: Typecheck and commit**
```bash
npm -w @flashcard/backend run typecheck
git add packages/backend/package.json package-lock.json packages/backend/src/services/auth/templates.ts packages/backend/src/services/auth/email.ts
git -c commit.gpgsign=false commit -m "feat(auth): email service with stub fallback + html templates"
```
---
## Task 7: Cookies & CSRF middleware
**Files:**
- Create: `packages/backend/src/lib/cookies.ts`
- Create: `packages/backend/src/middleware/csrf.ts`
- [ ] **Step 1: Install cookie-parser**
```bash
npm i -w @flashcard/backend cookie-parser
npm i -D -w @flashcard/backend @types/cookie-parser
```
- [ ] **Step 2: Create `lib/cookies.ts`**
```ts
import type { CookieOptions } from 'express';
export const SID_COOKIE = 'flashcard_sid';
export const CSRF_COOKIE = 'flashcard_csrf';
export const CSRF_HEADER = 'x-csrf-token';
export function sidCookieOptions(expiresAtSec: number): CookieOptions {
return {
httpOnly: true,
sameSite: 'lax',
secure: process.env.COOKIE_SECURE === 'true',
path: '/',
expires: new Date(expiresAtSec * 1000),
};
}
export function csrfCookieOptions(expiresAtSec: number): CookieOptions {
return {
httpOnly: false,
sameSite: 'lax',
secure: process.env.COOKIE_SECURE === 'true',
path: '/',
expires: new Date(expiresAtSec * 1000),
};
}
export function clearCookieOptions(): CookieOptions {
return {
httpOnly: true,
sameSite: 'lax',
secure: process.env.COOKIE_SECURE === 'true',
path: '/',
};
}
```
- [ ] **Step 3: Create `middleware/csrf.ts`**
```ts
import { randomBytes } from 'node:crypto';
import type { Request, Response, NextFunction } from 'express';
import { CSRF_COOKIE, CSRF_HEADER, csrfCookieOptions } from '../lib/cookies.js';
import { ApiError } from '../lib/errors.js';
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);
export function ensureCsrfToken(req: Request, res: Response, next: NextFunction): void {
if (!req.cookies?.[CSRF_COOKIE]) {
const token = randomBytes(24).toString('base64url');
const expires = Math.floor(Date.now() / 1000) + 30 * 24 * 60 * 60;
res.cookie(CSRF_COOKIE, token, csrfCookieOptions(expires));
}
next();
}
export function verifyCsrf(req: Request, _res: Response, next: NextFunction): void {
if (SAFE_METHODS.has(req.method)) return next();
const cookieToken = req.cookies?.[CSRF_COOKIE];
const headerToken = req.headers[CSRF_HEADER];
if (!cookieToken || !headerToken || cookieToken !== headerToken) {
return next(new ApiError(403, 'CSRF_MISMATCH', 'CSRF token mismatch'));
}
next();
}
```
- [ ] **Step 4: Typecheck and commit**
```bash
npm -w @flashcard/backend run typecheck
git add packages/backend/package.json package-lock.json packages/backend/src/lib/cookies.ts packages/backend/src/middleware/
git -c commit.gpgsign=false commit -m "feat(auth): cookies helpers and CSRF middleware"
```
---
## Task 8: Rate limit middleware
**Files:**
- Create: `packages/backend/src/middleware/rate-limit.ts`
- [ ] **Step 1: Install express-rate-limit**
```bash
npm i -w @flashcard/backend express-rate-limit
```
- [ ] **Step 2: Create `rate-limit.ts`**
```ts
import rateLimit from 'express-rate-limit';
const fifteenMin = 15 * 60 * 1000;
function makeLimiter(max: number, codeMessage = 'Too many attempts, please try again later') {
return rateLimit({
windowMs: fifteenMin,
limit: max,
standardHeaders: 'draft-7',
legacyHeaders: false,
skip: () => process.env.NODE_ENV === 'test',
handler: (_req, res) => {
res.status(429).json({ error: { code: 'RATE_LIMITED', message: codeMessage } });
},
});
}
export const loginLimiter = makeLimiter(10);
export const registerLimiter = makeLimiter(5);
export const forgotPasswordLimiter = makeLimiter(5);
export const tokenLimiter = makeLimiter(20);
```
- [ ] **Step 3: Commit**
```bash
git add packages/backend/package.json package-lock.json packages/backend/src/middleware/rate-limit.ts
git -c commit.gpgsign=false commit -m "feat(auth): named rate limiters (skip in tests)"
```
---
## Task 9: Auth middleware
**Files:**
- Create: `packages/backend/src/middleware/auth.ts`
- [ ] **Step 1: Create `auth.ts`**
```ts
import type { Request, Response, NextFunction } from 'express';
import { eq } from 'drizzle-orm';
import type { Db } from '../db/client.js';
import { users } from '../db/schema.js';
import { validateAuthSession } from '../services/auth/sessions.js';
import { ApiError } from '../lib/errors.js';
import { SID_COOKIE } from '../lib/cookies.js';
import type { Role, User } from '@flashcard/shared';
declare module 'express-serve-static-core' {
interface Request {
user?: User;
sessionId?: string;
}
}
function rowToUser(r: typeof users.$inferSelect): User {
return {
id: r.id,
email: r.email,
displayName: r.displayName,
role: r.role,
isActive: r.isActive,
emailVerifiedAt: r.emailVerifiedAt ?? null,
pendingEmail: r.pendingEmail ?? null,
createdAt: r.createdAt,
updatedAt: r.updatedAt,
};
}
export function currentUserOrNull(db: Db) {
return async (req: Request, _res: Response, next: NextFunction) => {
const sid = req.cookies?.[SID_COOKIE];
if (!sid) return next();
const session = await validateAuthSession(db, sid);
if (!session) return next();
const row = db.select().from(users).where(eq(users.id, session.userId)).get();
if (!row || !row.isActive) return next();
req.user = rowToUser(row);
req.sessionId = sid;
next();
};
}
export function requireAuth(req: Request, _res: Response, next: NextFunction): void {
if (!req.user) return next(new ApiError(401, 'UNAUTHENTICATED', 'Authentication required'));
next();
}
export function requireRole(role: Role) {
return (req: Request, _res: Response, next: NextFunction): void => {
if (!req.user) return next(new ApiError(401, 'UNAUTHENTICATED', 'Authentication required'));
if (req.user.role !== role) return next(new ApiError(403, 'FORBIDDEN', 'Insufficient role'));
next();
};
}
```
- [ ] **Step 2: Typecheck**
```bash
npm -w @flashcard/backend run typecheck
```
Expected: passes.
- [ ] **Step 3: Commit**
```bash
git add packages/backend/src/middleware/auth.ts
git -c commit.gpgsign=false commit -m "feat(auth): currentUser, requireAuth, requireRole middleware"
```
---
## Task 10: Auth routes — register, login, logout, me
**Files:**
- Create: `packages/backend/src/routes/auth.ts`
- Create: `packages/backend/src/tests/auth.integration.test.ts`
- Modify: `packages/backend/src/tests/dbHelper.ts` (add `makeTestApp`)
- [ ] **Step 1: Extend `tests/dbHelper.ts` with `makeTestApp` helper**
Append to `packages/backend/src/tests/dbHelper.ts`:
```ts
import type { Express } from 'express';
export interface TestApp {
app: Express;
db: Db;
close: () => void;
}
```
(Actual `makeTestApp` is added once `createApp(db)` is wired in Task 14. For now, expose `makeTestDb` and `createUserDirect` only.)
- [ ] **Step 2: Write integration tests covering register → verify → login → me → logout**
Create `packages/backend/src/tests/auth.integration.test.ts`:
```ts
import { describe, it, expect, beforeEach } from 'vitest';
import request from 'supertest';
import { createApp } from '../app.js';
import { makeTestDb, createUserDirect } from './dbHelper.js';
import { setMailerForTests, type Mailer } from '../services/auth/email.js';
class CaptureMailer implements Mailer {
sent: { to: string; subject: string; text: string; html: string }[] = [];
async send(to: string, m: { subject: string; html: string; text: string }) {
this.sent.push({ to, ...m });
}
}
let env: ReturnType<typeof makeTestDb>;
let mailer: CaptureMailer;
let app: ReturnType<typeof createApp>;
beforeEach(() => {
env = makeTestDb();
mailer = new CaptureMailer();
setMailerForTests(mailer);
app = createApp(env.db);
});
function tokenFromMail(text: string): string {
const m = text.match(/token=([^\s&"]+)/);
if (!m) throw new Error('no token in mail');
return decodeURIComponent(m[1]!);
}
describe('auth: register → verify → login → me → logout', () => {
it('registers, blocks unverified login, verifies, logs in, returns me, logs out', async () => {
// 1. Register
const reg = await request(app).post('/api/auth/register').send({
email: 'alice@example.com', displayName: 'Alice', password: 'secretpass',
});
expect(reg.status).toBe(201);
expect(mailer.sent).toHaveLength(1);
const verifyToken = tokenFromMail(mailer.sent[0]!.text);
// 2. Login unverified -> 403
const bad = await request(app).post('/api/auth/login').send({ email: 'alice@example.com', password: 'secretpass' });
expect(bad.status).toBe(403);
expect(bad.body.error.code).toBe('EMAIL_NOT_VERIFIED');
// 3. Verify
const ver = await request(app).post('/api/auth/verify-email').send({ token: verifyToken });
expect(ver.status).toBe(200);
// 4. Login -> 200 + cookies
const ok = await request(app).post('/api/auth/login').send({ email: 'alice@example.com', password: 'secretpass' });
expect(ok.status).toBe(200);
const cookies = ok.headers['set-cookie'] as unknown as string[];
expect(cookies.find((c) => c.startsWith('flashcard_sid='))).toBeDefined();
expect(cookies.find((c) => c.startsWith('flashcard_csrf='))).toBeDefined();
// 5. /me works
const me = await request(app).get('/api/auth/me').set('Cookie', cookies);
expect(me.status).toBe(200);
expect(me.body.email).toBe('alice@example.com');
// 6. Logout
const logout = await request(app).post('/api/auth/logout').set('Cookie', cookies)
.set('x-csrf-token', extractCookieValue(cookies, 'flashcard_csrf'));
expect(logout.status).toBe(204);
// 7. /me unauth after logout
const me2 = await request(app).get('/api/auth/me').set('Cookie', cookies);
expect(me2.status).toBe(401);
});
it('marks first registered user as sysadmin', async () => {
const r = await request(app).post('/api/auth/register').send({
email: 'first@example.com', displayName: 'First', password: 'secretpass',
});
expect(r.status).toBe(201);
const token = tokenFromMail(mailer.sent[0]!.text);
await request(app).post('/api/auth/verify-email').send({ token });
const login = await request(app).post('/api/auth/login').send({ email: 'first@example.com', password: 'secretpass' });
const cookies = login.headers['set-cookie'] as unknown as string[];
const me = await request(app).get('/api/auth/me').set('Cookie', cookies);
expect(me.body.role).toBe('sysadmin');
});
it('rejects duplicate email', async () => {
await request(app).post('/api/auth/register').send({ email: 'a@example.com', displayName: 'A', password: 'secretpass' });
const dup = await request(app).post('/api/auth/register').send({ email: 'A@example.com', displayName: 'A2', password: 'secretpass' });
expect(dup.status).toBe(409);
expect(dup.body.error.code).toBe('EMAIL_TAKEN');
});
});
function extractCookieValue(cookies: string[], name: string): string {
for (const c of cookies) {
if (c.startsWith(`${name}=`)) {
const v = c.split(';')[0]!.slice(name.length + 1);
return decodeURIComponent(v);
}
}
throw new Error(`cookie ${name} not found`);
}
```
- [ ] **Step 3: Run — tests fail (routes not implemented)**
```bash
npm -w @flashcard/backend test
```
Expected: tests fail.
- [ ] **Step 4: Implement `routes/auth.ts` (first slice — register/verify/login/logout/me)**
```ts
import { Router } from 'express';
import { eq, sql } from 'drizzle-orm';
import {
registerSchema, loginSchema, verifyEmailSchema, resendVerificationSchema,
forgotPasswordSchema, resetPasswordSchema, profileUpdateSchema, changePasswordSchema,
acceptInviteSchema, type PublicUser,
} from '@flashcard/shared';
import type { Db } from '../db/client.js';
import { users } from '../db/schema.js';
import { hashPassword, verifyPassword } from '../services/auth/passwords.js';
import { createAuthToken, consumeAuthToken, invalidateTokensForUser } from '../services/auth/tokens.js';
import { createAuthSession, invalidateAuthSession, invalidateAllForUser } from '../services/auth/sessions.js';
import { getMailer } from '../services/auth/email.js';
import {
verifyEmailTemplate, passwordResetTemplate, inviteTemplate, changeEmailTemplate,
} from '../services/auth/templates.js';
import { SID_COOKIE, CSRF_COOKIE, sidCookieOptions, csrfCookieOptions, clearCookieOptions } from '../lib/cookies.js';
import { ApiError } from '../lib/errors.js';
import { requireAuth } from '../middleware/auth.js';
import { loginLimiter, registerLimiter, forgotPasswordLimiter, tokenLimiter } from '../middleware/rate-limit.js';
import { randomBytes } from 'node:crypto';
const VERIFY_TTL = 24 * 60 * 60;
const INVITE_TTL = 24 * 60 * 60;
const RESET_TTL = 60 * 60;
const CHANGE_EMAIL_TTL = 24 * 60 * 60;
function nowSec() { return Math.floor(Date.now() / 1000); }
function appUrl() { return process.env.APP_URL ?? 'http://localhost:5173'; }
function toPublicUser(r: typeof users.$inferSelect): PublicUser {
return { id: r.id, email: r.email, displayName: r.displayName, role: r.role };
}
export function authRouter(db: Db): Router {
const r = Router();
r.get('/me', (req, res) => {
if (!req.user) {
res.status(401).json({ error: { code: 'UNAUTHENTICATED', message: 'Not signed in' } });
return;
}
res.json(req.user);
});
r.post('/register', registerLimiter, async (req, res, next) => {
try {
const input = registerSchema.parse(req.body);
const existing = db.select().from(users).where(eq(users.email, input.email)).get();
if (existing) throw new ApiError(409, 'EMAIL_TAKEN', 'Email already in use');
const totalUsers = db.select({ c: sql<number>`count(*)`.as('c') }).from(users).get()?.c ?? 0;
const role: 'user' | 'sysadmin' = Number(totalUsers) === 0 ? 'sysadmin' : 'user';
const passwordHash = await hashPassword(input.password);
const [user] = db.insert(users).values({
email: input.email,
displayName: input.displayName,
passwordHash,
role,
}).returning().all();
const { plaintext } = await createAuthToken(db, user!.id, 'verify_email', VERIFY_TTL);
const tpl = verifyEmailTemplate(appUrl(), plaintext, user!.displayName);
await getMailer().send(user!.email, tpl);
res.status(201).json({ id: user!.id, email: user!.email, displayName: user!.displayName, role: user!.role });
} catch (e) { next(e); }
});
r.post('/verify-email', tokenLimiter, async (req, res, next) => {
try {
const { token } = verifyEmailSchema.parse(req.body);
// Try verify_email first; if not found, try change_email
let consumed = await consumeAuthToken(db, token, 'verify_email');
let purpose: 'verify_email' | 'change_email' = 'verify_email';
if (!consumed) {
consumed = await consumeAuthToken(db, token, 'change_email');
purpose = 'change_email';
}
if (!consumed) throw new ApiError(400, 'INVALID_TOKEN', 'Invalid or expired token');
if (purpose === 'verify_email') {
db.update(users).set({ emailVerifiedAt: nowSec(), updatedAt: nowSec() })
.where(eq(users.id, consumed.userId)).run();
} else {
const newEmail = consumed.payload;
if (!newEmail) throw new ApiError(400, 'INVALID_TOKEN', 'Invalid token payload');
const taken = db.select().from(users).where(eq(users.email, newEmail)).get();
if (taken && taken.id !== consumed.userId) {
throw new ApiError(409, 'EMAIL_TAKEN', 'Email already in use');
}
db.update(users).set({ email: newEmail, pendingEmail: null, updatedAt: nowSec() })
.where(eq(users.id, consumed.userId)).run();
}
res.status(200).json({ ok: true });
} catch (e) { next(e); }
});
r.post('/resend-verification', tokenLimiter, async (req, res, next) => {
try {
const { email } = resendVerificationSchema.parse(req.body);
const u = db.select().from(users).where(eq(users.email, email)).get();
// Generic 200 response (no enumeration)
if (u && !u.emailVerifiedAt && u.isActive) {
await invalidateTokensForUser(db, u.id, 'verify_email');
const { plaintext } = await createAuthToken(db, u.id, 'verify_email', VERIFY_TTL);
const tpl = verifyEmailTemplate(appUrl(), plaintext, u.displayName);
await getMailer().send(u.email, tpl);
}
res.status(200).json({ ok: true });
} catch (e) { next(e); }
});
r.post('/login', loginLimiter, async (req, res, next) => {
try {
const input = loginSchema.parse(req.body);
const u = db.select().from(users).where(eq(users.email, input.email)).get();
if (!u || !u.passwordHash || !(await verifyPassword(input.password, u.passwordHash))) {
throw new ApiError(401, 'INVALID_CREDENTIALS', 'Invalid email or password');
}
if (!u.isActive) throw new ApiError(403, 'ACCOUNT_DISABLED', 'Account is disabled');
if (!u.emailVerifiedAt) throw new ApiError(403, 'EMAIL_NOT_VERIFIED', 'Email not verified');
const s = await createAuthSession(db, u.id, {
userAgent: req.headers['user-agent'] ?? null,
ip: req.ip ?? null,
});
const csrf = randomBytes(24).toString('base64url');
res.cookie(SID_COOKIE, s.id, sidCookieOptions(s.expiresAt));
res.cookie(CSRF_COOKIE, csrf, csrfCookieOptions(s.expiresAt));
res.json(toPublicUser(u));
} catch (e) { next(e); }
});
r.post('/logout', requireAuth, async (req, res, next) => {
try {
if (req.sessionId) await invalidateAuthSession(db, req.sessionId);
res.clearCookie(SID_COOKIE, clearCookieOptions());
res.clearCookie(CSRF_COOKIE, { ...clearCookieOptions(), httpOnly: false });
res.status(204).end();
} catch (e) { next(e); }
});
r.post('/forgot-password', forgotPasswordLimiter, async (req, res, next) => {
try {
const { email } = forgotPasswordSchema.parse(req.body);
const u = db.select().from(users).where(eq(users.email, email)).get();
if (u && u.isActive && u.emailVerifiedAt) {
await invalidateTokensForUser(db, u.id, 'password_reset');
const { plaintext } = await createAuthToken(db, u.id, 'password_reset', RESET_TTL);
const tpl = passwordResetTemplate(appUrl(), plaintext, u.displayName);
await getMailer().send(u.email, tpl);
}
res.status(200).json({ ok: true });
} catch (e) { next(e); }
});
r.post('/reset-password', tokenLimiter, async (req, res, next) => {
try {
const { token, password } = resetPasswordSchema.parse(req.body);
const consumed = await consumeAuthToken(db, token, 'password_reset');
if (!consumed) throw new ApiError(400, 'INVALID_TOKEN', 'Invalid or expired token');
const passwordHash = await hashPassword(password);
db.update(users).set({ passwordHash, updatedAt: nowSec() })
.where(eq(users.id, consumed.userId)).run();
await invalidateAllForUser(db, consumed.userId);
res.status(200).json({ ok: true });
} catch (e) { next(e); }
});
r.post('/accept-invite', tokenLimiter, async (req, res, next) => {
try {
const input = acceptInviteSchema.parse(req.body);
const consumed = await consumeAuthToken(db, input.token, 'invite');
if (!consumed) throw new ApiError(400, 'INVALID_TOKEN', 'Invalid or expired token');
const passwordHash = await hashPassword(input.password);
const [updated] = db.update(users).set({
passwordHash, displayName: input.displayName,
emailVerifiedAt: nowSec(), updatedAt: nowSec(),
}).where(eq(users.id, consumed.userId)).returning().all();
if (!updated) throw new ApiError(400, 'INVALID_TOKEN', 'Invalid invitation');
const s = await createAuthSession(db, updated.id, {
userAgent: req.headers['user-agent'] ?? null, ip: req.ip ?? null,
});
const csrf = randomBytes(24).toString('base64url');
res.cookie(SID_COOKIE, s.id, sidCookieOptions(s.expiresAt));
res.cookie(CSRF_COOKIE, csrf, csrfCookieOptions(s.expiresAt));
res.status(200).json(toPublicUser(updated));
} catch (e) { next(e); }
});
r.patch('/profile', requireAuth, async (req, res, next) => {
try {
const input = profileUpdateSchema.parse(req.body);
const user = req.user!;
const updates: Record<string, unknown> = { updatedAt: nowSec() };
if (input.displayName !== undefined) updates.displayName = input.displayName;
let sendEmailChange: string | null = null;
if (input.email !== undefined && input.email !== user.email) {
const taken = db.select().from(users).where(eq(users.email, input.email)).get();
if (taken) throw new ApiError(409, 'EMAIL_TAKEN', 'Email already in use');
updates.pendingEmail = input.email;
sendEmailChange = input.email;
}
const [updated] = db.update(users).set(updates).where(eq(users.id, user.id)).returning().all();
if (sendEmailChange && updated) {
const { plaintext } = await createAuthToken(db, updated.id, 'change_email', CHANGE_EMAIL_TTL, sendEmailChange);
const tpl = changeEmailTemplate(appUrl(), plaintext, updated.displayName, sendEmailChange);
await getMailer().send(sendEmailChange, tpl);
}
res.json(toPublicUser(updated!));
} catch (e) { next(e); }
});
r.post('/change-password', requireAuth, async (req, res, next) => {
try {
const input = changePasswordSchema.parse(req.body);
const user = req.user!;
const row = db.select().from(users).where(eq(users.id, user.id)).get();
if (!row?.passwordHash || !(await verifyPassword(input.currentPassword, row.passwordHash))) {
throw new ApiError(401, 'INVALID_CREDENTIALS', 'Current password is incorrect');
}
const passwordHash = await hashPassword(input.newPassword);
db.update(users).set({ passwordHash, updatedAt: nowSec() }).where(eq(users.id, user.id)).run();
if (req.sessionId) await invalidateAllForUser(db, user.id, { except: req.sessionId });
res.status(204).end();
} catch (e) { next(e); }
});
return r;
}
```
- [ ] **Step 5: Install supertest if not already**
```bash
# Already installed per Task 3 backend bootstrap (supertest is in devDeps).
# Verify:
node -p "require('./packages/backend/node_modules/supertest/package.json').version" || npm i -D -w @flashcard/backend supertest @types/supertest
```
- [ ] **Step 6: Stop here — full integration test runs after app wiring (Task 14)**
Don't run the integration test yet. It needs `createApp` to mount the new router. We'll un-skip it after Task 14.
For now, just typecheck:
```bash
npm -w @flashcard/backend run typecheck
```
Expected: passes.
- [ ] **Step 7: Commit**
```bash
git add packages/backend/src/routes/auth.ts packages/backend/src/tests/auth.integration.test.ts packages/backend/src/tests/dbHelper.ts
git -c commit.gpgsign=false commit -m "feat(auth): /api/auth routes (register, verify, login, logout, me, forgot, reset, profile, change-password, accept-invite)"
```
---
## Task 11: Users service & admin routes
**Files:**
- Create: `packages/backend/src/services/users.ts`
- Create: `packages/backend/src/routes/admin-users.ts`
- Create: `packages/backend/src/tests/admin-users.integration.test.ts`
- [ ] **Step 1: Implement `services/users.ts`**
```ts
import { and, asc, desc, eq, like, ne, or, sql } from 'drizzle-orm';
import type { Db } from '../db/client.js';
import { users } from '../db/schema.js';
import type { Role, User } from '@flashcard/shared';
import { ApiError } from '../lib/errors.js';
function rowToUser(r: typeof users.$inferSelect): User {
return {
id: r.id, email: r.email, displayName: r.displayName, role: r.role,
isActive: r.isActive, emailVerifiedAt: r.emailVerifiedAt ?? null,
pendingEmail: r.pendingEmail ?? null, createdAt: r.createdAt, updatedAt: r.updatedAt,
};
}
export interface ListUsersParams { q?: string; role?: Role; active?: boolean; limit?: number; offset?: number; }
export interface ListUsersResult { rows: User[]; total: number; }
export async function listUsers(db: Db, p: ListUsersParams = {}): Promise<ListUsersResult> {
const conditions = [] as ReturnType<typeof eq>[];
if (p.q && p.q.trim() !== '') {
const q = `%${p.q.toLowerCase()}%`;
conditions.push(or(like(sql`lower(${users.email})`, q), like(sql`lower(${users.displayName})`, q))!);
}
if (p.role) conditions.push(eq(users.role, p.role));
if (p.active !== undefined) conditions.push(eq(users.isActive, p.active));
const where = conditions.length ? and(...conditions) : undefined;
const limit = Math.min(200, p.limit ?? 50);
const offset = Math.max(0, p.offset ?? 0);
const rows = db.select().from(users)
.where(where as any)
.orderBy(asc(users.email))
.limit(limit).offset(offset).all();
const totalRow = db.select({ c: sql<number>`count(*)`.as('c') }).from(users).where(where as any).get();
return { rows: rows.map(rowToUser), total: Number(totalRow?.c ?? 0) };
}
export async function adminUpdateUser(
db: Db,
actorId: number,
id: number,
updates: { displayName?: string; role?: Role; isActive?: boolean }
): Promise<User> {
const target = db.select().from(users).where(eq(users.id, id)).get();
if (!target) throw ApiError.notFound('User');
// Last-sysadmin guard
if (target.id === actorId && (updates.isActive === false || updates.role === 'user')) {
const otherActiveSysadmins = db.select({ c: sql<number>`count(*)`.as('c') })
.from(users)
.where(and(eq(users.role, 'sysadmin'), eq(users.isActive, true), ne(users.id, actorId)))
.get()?.c ?? 0;
if (Number(otherActiveSysadmins) === 0) {
throw new ApiError(409, 'LAST_SYSADMIN', 'Cannot demote or disable the last active sysadmin');
}
}
const [row] = db.update(users).set({
...(updates.displayName !== undefined && { displayName: updates.displayName }),
...(updates.role !== undefined && { role: updates.role }),
...(updates.isActive !== undefined && { isActive: updates.isActive }),
updatedAt: Math.floor(Date.now() / 1000),
}).where(eq(users.id, id)).returning().all();
return rowToUser(row!);
}
```
- [ ] **Step 2: Implement `routes/admin-users.ts`**
```ts
import { Router } from 'express';
import { eq } from 'drizzle-orm';
import {
adminUserUpdateSchema, inviteUserSchema,
} from '@flashcard/shared';
import type { Db } from '../db/client.js';
import { users } from '../db/schema.js';
import { listUsers, adminUpdateUser } from '../services/users.js';
import { createAuthToken, invalidateTokensForUser } from '../services/auth/tokens.js';
import { getMailer } from '../services/auth/email.js';
import { inviteTemplate, passwordResetTemplate } from '../services/auth/templates.js';
import { ApiError } from '../lib/errors.js';
const INVITE_TTL = 24 * 60 * 60;
const RESET_TTL = 60 * 60;
function appUrl() { return process.env.APP_URL ?? 'http://localhost:5173'; }
function nowSec() { return Math.floor(Date.now() / 1000); }
export function adminUsersRouter(db: Db): Router {
const r = Router();
r.get('/', async (req, res, next) => {
try {
const q = typeof req.query.q === 'string' ? req.query.q : undefined;
const role = req.query.role === 'user' || req.query.role === 'sysadmin' ? req.query.role : undefined;
const active = req.query.active === 'true' ? true : req.query.active === 'false' ? false : undefined;
const limit = req.query.limit ? Number(req.query.limit) : undefined;
const offset = req.query.offset ? Number(req.query.offset) : undefined;
res.json(await listUsers(db, { q, role, active, limit, offset }));
} catch (e) { next(e); }
});
r.post('/invite', async (req, res, next) => {
try {
const input = inviteUserSchema.parse(req.body);
const existing = db.select().from(users).where(eq(users.email, input.email)).get();
if (existing) throw new ApiError(409, 'EMAIL_TAKEN', 'Email already in use');
const [u] = db.insert(users).values({
email: input.email,
displayName: input.email.split('@')[0]!,
role: input.role,
passwordHash: null,
emailVerifiedAt: null,
isActive: true,
}).returning().all();
const { plaintext } = await createAuthToken(db, u!.id, 'invite', INVITE_TTL);
const inviter = req.user!;
const tpl = inviteTemplate(appUrl(), plaintext, inviter.displayName);
await getMailer().send(u!.email, tpl);
res.status(201).json({ id: u!.id, email: u!.email, role: u!.role });
} catch (e) { next(e); }
});
r.patch('/:id', async (req, res, next) => {
try {
const input = adminUserUpdateSchema.parse(req.body);
const actor = req.user!;
const updated = await adminUpdateUser(db, actor.id, Number(req.params.id), input);
res.json(updated);
} catch (e) { next(e); }
});
r.post('/:id/send-reset', async (req, res, next) => {
try {
const id = Number(req.params.id);
const u = db.select().from(users).where(eq(users.id, id)).get();
if (!u) throw ApiError.notFound('User');
if (!u.emailVerifiedAt) {
// resend invite instead
await invalidateTokensForUser(db, u.id, 'invite');
const { plaintext } = await createAuthToken(db, u.id, 'invite', INVITE_TTL);
await getMailer().send(u.email, inviteTemplate(appUrl(), plaintext, req.user!.displayName));
} else {
await invalidateTokensForUser(db, u.id, 'password_reset');
const { plaintext } = await createAuthToken(db, u.id, 'password_reset', RESET_TTL);
await getMailer().send(u.email, passwordResetTemplate(appUrl(), plaintext, u.displayName));
}
res.status(204).end();
} catch (e) { next(e); }
});
return r;
}
```
- [ ] **Step 3: Write integration tests**
Create `packages/backend/src/tests/admin-users.integration.test.ts`:
```ts
import { describe, it, expect, beforeEach } from 'vitest';
import request from 'supertest';
import { eq } from 'drizzle-orm';
import { createApp } from '../app.js';
import { users } from '../db/schema.js';
import { makeTestDb, createUserDirect } from './dbHelper.js';
import { hashPassword } from '../services/auth/passwords.js';
import { setMailerForTests, type Mailer } from '../services/auth/email.js';
class CaptureMailer implements Mailer {
sent: { to: string; subject: string; text: string }[] = [];
async send(to: string, m: { subject: string; html: string; text: string }) {
this.sent.push({ to, subject: m.subject, text: m.text });
}
}
async function loginAs(app: ReturnType<typeof createApp>, email: string, password = 'secretpass') {
const r = await request(app).post('/api/auth/login').send({ email, password });
if (r.status !== 200) throw new Error(`login failed: ${r.status} ${JSON.stringify(r.body)}`);
const cookies = (r.headers['set-cookie'] as unknown as string[]);
const csrf = cookies.find((c) => c.startsWith('flashcard_csrf='))!.split(';')[0]!.split('=')[1]!;
return { cookies, csrf };
}
async function makeAdmin(env: ReturnType<typeof makeTestDb>, email: string) {
return createUserDirect(env.db, {
email, role: 'sysadmin', isActive: true,
passwordHash: await hashPassword('secretpass'),
emailVerifiedAt: Math.floor(Date.now() / 1000),
});
}
let env: ReturnType<typeof makeTestDb>;
let mailer: CaptureMailer;
let app: ReturnType<typeof createApp>;
beforeEach(async () => {
env = makeTestDb();
mailer = new CaptureMailer();
setMailerForTests(mailer);
app = createApp(env.db);
});
describe('admin users', () => {
it('invites a user, target accepts and can log in', async () => {
await makeAdmin(env, 'admin@example.com');
const { cookies, csrf } = await loginAs(app, 'admin@example.com');
const inv = await request(app).post('/api/admin/users/invite')
.set('Cookie', cookies).set('x-csrf-token', csrf)
.send({ email: 'newbie@example.com', role: 'user' });
expect(inv.status).toBe(201);
expect(mailer.sent).toHaveLength(1);
const link = mailer.sent[0]!.text;
const token = decodeURIComponent(link.match(/token=([^\s&"]+)/)![1]!);
const accept = await request(app).post('/api/auth/accept-invite')
.send({ token, displayName: 'Newbie', password: 'anotherpass' });
expect(accept.status).toBe(200);
expect(accept.body.email).toBe('newbie@example.com');
});
it('lists users with filtering', async () => {
await makeAdmin(env, 'admin@example.com');
await createUserDirect(env.db, { email: 'a@example.com', role: 'user' });
await createUserDirect(env.db, { email: 'b@example.com', role: 'user' });
const { cookies } = await loginAs(app, 'admin@example.com');
const list = await request(app).get('/api/admin/users?q=a').set('Cookie', cookies);
expect(list.status).toBe(200);
expect(list.body.rows.find((u: { email: string }) => u.email === 'a@example.com')).toBeTruthy();
});
it('blocks demoting the last sysadmin', async () => {
const admin = await makeAdmin(env, 'admin@example.com');
const { cookies, csrf } = await loginAs(app, 'admin@example.com');
const r = await request(app).patch(`/api/admin/users/${admin.id}`)
.set('Cookie', cookies).set('x-csrf-token', csrf)
.send({ role: 'user' });
expect(r.status).toBe(409);
expect(r.body.error.code).toBe('LAST_SYSADMIN');
});
it('rejects non-admin access to admin routes', async () => {
// Create a normal verified user
await createUserDirect(env.db, {
email: 'plain@example.com', role: 'user', isActive: true,
passwordHash: await hashPassword('secretpass'),
emailVerifiedAt: Math.floor(Date.now() / 1000),
});
const { cookies } = await loginAs(app, 'plain@example.com');
const r = await request(app).get('/api/admin/users').set('Cookie', cookies);
expect(r.status).toBe(403);
});
it('blocks unauthenticated access to admin routes', async () => {
const r = await request(app).get('/api/admin/users');
expect(r.status).toBe(401);
});
});
```
- [ ] **Step 4: Typecheck**
```bash
npm -w @flashcard/backend run typecheck
```
- [ ] **Step 5: Commit**
```bash
git add packages/backend/src/services/users.ts packages/backend/src/routes/admin-users.ts packages/backend/src/tests/admin-users.integration.test.ts
git -c commit.gpgsign=false commit -m "feat(auth): admin user management service, routes, and integration tests"
```
---
## Task 12: Wire auth into app.ts + protect existing endpoints
**Files:**
- Modify: `packages/backend/src/app.ts`
- Modify: `packages/backend/src/index.ts`
- [ ] **Step 1: Rewrite `app.ts`**
Replace `packages/backend/src/app.ts` with:
```ts
import express, { type Express, type NextFunction, type Request, type Response } from 'express';
import cookieParser from 'cookie-parser';
import { existsSync } from 'node:fs';
import { resolve } from 'node:path';
import { ZodError } from 'zod';
import type { Db } from './db/client.js';
import { ApiError } from './lib/errors.js';
import { currentUserOrNull, requireAuth, requireRole } from './middleware/auth.js';
import { ensureCsrfToken, verifyCsrf } from './middleware/csrf.js';
import { authRouter } from './routes/auth.js';
import { adminUsersRouter } from './routes/admin-users.js';
import { lessonsRouter } from './routes/lessons.js';
import { cardsRouter } from './routes/cards.js';
import { sessionsRouter } from './routes/sessions.js';
import { statsRouter } from './routes/stats.js';
export function createApp(db: Db): Express {
const app = express();
app.set('trust proxy', 1);
app.use(cookieParser());
app.use(express.json({ limit: '5mb' }));
app.use(ensureCsrfToken);
app.use(currentUserOrNull(db));
app.get('/api/health', (_req, res) => res.json({ ok: true }));
// Public auth endpoints — verifyCsrf applied INSIDE the router for mutations that don't need it
// (register/login/forgot/reset/verify/accept-invite/resend-verification are public mutations, so CSRF is not relevant).
// However, /api/auth/logout, /api/auth/profile, /api/auth/change-password DO need CSRF.
app.use('/api/auth', authRouter(db));
// Protected app routes — auth + csrf on mutations
app.use('/api/lessons', requireAuth, verifyCsrf, lessonsRouter(db));
app.use('/api', requireAuth, verifyCsrf, cardsRouter(db));
app.use('/api/sessions', requireAuth, verifyCsrf, sessionsRouter(db));
app.use('/api/stats', requireAuth, statsRouter(db)); // GET only — no CSRF needed
app.use('/api/admin/users', requireAuth, requireRole('sysadmin'), verifyCsrf, adminUsersRouter(db));
// Static frontend in production
const frontendDist = resolve(import.meta.dirname, '../../frontend/dist');
if (existsSync(frontendDist)) {
app.use(express.static(frontendDist));
app.get('*', (_req, res) => res.sendFile(resolve(frontendDist, 'index.html')));
}
app.use((err: unknown, _req: Request, res: Response, _next: NextFunction) => {
if (err instanceof ZodError) {
res.status(400).json({ error: { code: 'VALIDATION_ERROR', message: 'Invalid input', details: err.flatten() } });
return;
}
if (err instanceof ApiError) {
res.status(err.status).json({ error: { code: err.code, message: err.message, details: err.details } });
return;
}
console.error(err);
res.status(500).json({ error: { code: 'INTERNAL', message: 'Internal server error' } });
});
return app;
}
```
Note: `verifyCsrf` is not applied to the entire `/api/auth` router because login/register/forgot/reset don't have a session yet — they bootstrap the cookie set. Mutations that DO have a session (logout, profile, change-password) get CSRF protection added inline in Task 13.
- [ ] **Step 2: Add CSRF to authenticated auth mutations**
Modify `packages/backend/src/routes/auth.ts` — wrap the three authenticated mutation routes with `verifyCsrf`:
```ts
import { verifyCsrf } from '../middleware/csrf.js';
// ...
r.post('/logout', requireAuth, verifyCsrf, async (req, res, next) => { /* unchanged */ });
r.patch('/profile', requireAuth, verifyCsrf, async (req, res, next) => { /* unchanged */ });
r.post('/change-password', requireAuth, verifyCsrf, async (req, res, next) => { /* unchanged */ });
```
(The other auth endpoints remain unprotected — they're public mutations.)
- [ ] **Step 3: Run all backend tests**
```bash
npm -w @flashcard/backend test
```
Expected: all auth + admin-users integration tests pass, plus existing unit tests. Existing lesson/card/session/stats tests do NOT go through HTTP, so they're unaffected by the new requireAuth middleware.
- [ ] **Step 4: Commit**
```bash
git add packages/backend/src/app.ts packages/backend/src/routes/auth.ts
git -c commit.gpgsign=false commit -m "feat(auth): wire auth middleware in app, protect all /api endpoints"
```
---
## Task 13: Dev tooling — docker-compose for Mailpit + .env.example + README
**Files:**
- Create: `docker-compose.yml`
- Create: `.env.example`
- Modify: `README.md`
- [ ] **Step 1: Create `docker-compose.yml`**
```yaml
services:
mailpit:
image: axllent/mailpit:latest
container_name: flashcard-mailpit
ports:
- "1025:1025" # SMTP
- "8025:8025" # Web UI
environment:
MP_MAX_MESSAGES: 5000
restart: unless-stopped
```
- [ ] **Step 2: Create `.env.example`**
```
# Backend
PORT=3000
DB_PATH=./data/flashcard.db
APP_URL=http://localhost:5173
# Cookies
COOKIE_SECURE=false
# SMTP (Mailpit dev defaults; override in production with SES SMTP)
SMTP_HOST=localhost
SMTP_PORT=1025
SMTP_SECURE=false
SMTP_USER=
SMTP_PASS=
SMTP_FROM="Flashcard <noreply@flashcard.local>"
```
- [ ] **Step 3: Append README section**
Append to `README.md`:
```markdown
## Auth & e-mail
De applicatie zit achter een login. Eerste registratie (POST /api/auth/register via /register pagina) wordt automatisch sysadmin.
### Lokaal e-mail (Mailpit)
```bash
docker compose up -d mailpit
# Web UI: http://localhost:8025
# SMTP: localhost:1025
```
Kopieer `.env.example``.env` in repo-root, of zet de waarden inline.
### Productie (Amazon SES)
In productie:
```
SMTP_HOST=email-smtp.eu-west-1.amazonaws.com
SMTP_PORT=587
SMTP_USER=<SES SMTP username>
SMTP_PASS=<SES SMTP password>
SMTP_FROM="Flashcard <noreply@yourdomain.com>"
COOKIE_SECURE=true
APP_URL=https://yourdomain.com
```
### Fallback (geen SMTP)
Als `SMTP_HOST` ontbreekt, schrijft het systeem de e-mails (incl. links) naar de server-log.
```
- [ ] **Step 4: Commit**
```bash
git add docker-compose.yml .env.example README.md
git -c commit.gpgsign=false commit -m "chore: docker-compose mailpit, env.example, README auth section"
```
---
## Task 14: Frontend API client — CSRF + auth modules
**Files:**
- Modify: `packages/frontend/src/api/client.ts`
- Create: `packages/frontend/src/api/auth.ts`
- Create: `packages/frontend/src/api/admin-users.ts`
- [ ] **Step 1: Rewrite `client.ts` with CSRF header + 401 handling**
```ts
const CSRF_COOKIE = 'flashcard_csrf';
function readCookie(name: string): string | null {
const m = document.cookie.match(new RegExp(`(?:^|; )${name}=([^;]+)`));
return m ? decodeURIComponent(m[1]!) : null;
}
export class ApiClientError extends Error {
constructor(public status: number, public code: string, message: string, public details?: unknown) {
super(message);
}
}
const listeners = new Set<() => void>();
export function onUnauthorized(cb: () => void): () => void {
listeners.add(cb);
return () => listeners.delete(cb);
}
async function request<T>(
method: string,
path: string,
body?: unknown,
opts?: { isFormData?: boolean }
): Promise<T> {
const headers: Record<string, string> = {};
let payload: BodyInit | undefined;
if (opts?.isFormData) {
payload = body as FormData;
} else if (body !== undefined) {
headers['Content-Type'] = 'application/json';
payload = JSON.stringify(body);
}
if (method !== 'GET' && method !== 'HEAD') {
const csrf = readCookie(CSRF_COOKIE);
if (csrf) headers['X-CSRF-Token'] = csrf;
}
const res = await fetch(`/api${path}`, {
method,
headers,
body: payload,
credentials: 'same-origin',
});
if (res.status === 204) return undefined as T;
const isJson = res.headers.get('content-type')?.includes('application/json');
const data = isJson ? await res.json() : await res.blob();
if (!res.ok) {
const e = (data as { error?: { code: string; message: string; details?: unknown } }).error;
if (res.status === 401) listeners.forEach((l) => l());
throw new ApiClientError(res.status, e?.code ?? 'UNKNOWN', e?.message ?? 'Request failed', e?.details);
}
return data as T;
}
export const api = {
get: <T>(path: string) => request<T>('GET', path),
post: <T>(path: string, body?: unknown) => request<T>('POST', path, body),
postForm: <T>(path: string, form: FormData) => request<T>('POST', path, form, { isFormData: true }),
patch: <T>(path: string, body: unknown) => request<T>('PATCH', path, body),
delete: <T>(path: string) => request<T>('DELETE', path),
getBlob: async (path: string): Promise<Blob> => {
const res = await fetch(`/api${path}`, { credentials: 'same-origin' });
if (!res.ok) throw new ApiClientError(res.status, 'UNKNOWN', 'Request failed');
return res.blob();
},
};
```
- [ ] **Step 2: Create `api/auth.ts`**
```ts
import type {
PublicUser, User,
LoginInput, RegisterInput, VerifyEmailInput, ResendVerificationInput,
ForgotPasswordInput, ResetPasswordInput, AcceptInviteInput,
ProfileUpdateInput, ChangePasswordInput,
} from '@flashcard/shared';
import { api } from './client.js';
export const authApi = {
me: () => api.get<User>('/auth/me'),
register: (input: RegisterInput) => api.post<PublicUser>('/auth/register', input),
verifyEmail: (input: VerifyEmailInput) => api.post<{ ok: true }>('/auth/verify-email', input),
resendVerification: (input: ResendVerificationInput) => api.post<{ ok: true }>('/auth/resend-verification', input),
login: (input: LoginInput) => api.post<PublicUser>('/auth/login', input),
logout: () => api.post<void>('/auth/logout'),
forgotPassword: (input: ForgotPasswordInput) => api.post<{ ok: true }>('/auth/forgot-password', input),
resetPassword: (input: ResetPasswordInput) => api.post<{ ok: true }>('/auth/reset-password', input),
acceptInvite: (input: AcceptInviteInput) => api.post<PublicUser>('/auth/accept-invite', input),
updateProfile: (input: ProfileUpdateInput) => api.patch<PublicUser>('/auth/profile', input),
changePassword: (input: ChangePasswordInput) => api.post<void>('/auth/change-password', input),
};
```
- [ ] **Step 3: Create `api/admin-users.ts`**
```ts
import type { User, AdminUserUpdateInput, InviteUserInput, Role } from '@flashcard/shared';
import { api } from './client.js';
export interface ListUsersResponse { rows: User[]; total: number; }
export const adminUsersApi = {
list: (params: { q?: string; role?: Role; active?: boolean; limit?: number; offset?: number } = {}) => {
const qs = new URLSearchParams();
if (params.q) qs.set('q', params.q);
if (params.role) qs.set('role', params.role);
if (params.active !== undefined) qs.set('active', String(params.active));
if (params.limit !== undefined) qs.set('limit', String(params.limit));
if (params.offset !== undefined) qs.set('offset', String(params.offset));
const s = qs.toString();
return api.get<ListUsersResponse>(`/admin/users${s ? '?' + s : ''}`);
},
invite: (input: InviteUserInput) => api.post<{ id: number; email: string; role: Role }>('/admin/users/invite', input),
update: (id: number, input: AdminUserUpdateInput) => api.patch<User>(`/admin/users/${id}`, input),
sendReset: (id: number) => api.post<void>(`/admin/users/${id}/send-reset`),
};
```
- [ ] **Step 4: Typecheck and commit**
```bash
npm -w @flashcard/frontend run typecheck
git add packages/frontend/src/api/
git -c commit.gpgsign=false commit -m "feat(frontend): API client CSRF support + auth and admin-users API modules"
```
---
## Task 15: Frontend authStore
**Files:**
- Create: `packages/frontend/src/stores/authStore.ts`
- [ ] **Step 1: Create `authStore.ts`**
```ts
import { create } from 'zustand';
import type { User } from '@flashcard/shared';
import { authApi } from '../api/auth.js';
import { ApiClientError } from '../api/client.js';
interface AuthState {
user: User | null;
loading: boolean;
ready: boolean;
hydrate: () => Promise<void>;
refreshMe: () => Promise<void>;
login: (email: string, password: string) => Promise<void>;
logout: () => Promise<void>;
setUserFromAuthResponse: (publicUser: { id: number; email: string; displayName: string; role: 'user' | 'sysadmin' }) => void;
}
export const useAuth = create<AuthState>((set, get) => ({
user: null,
loading: false,
ready: false,
hydrate: async () => {
set({ loading: true });
try {
const user = await authApi.me();
set({ user, ready: true });
} catch (e) {
if (e instanceof ApiClientError && e.status === 401) {
set({ user: null, ready: true });
return;
}
set({ user: null, ready: true });
} finally {
set({ loading: false });
}
},
refreshMe: async () => {
try { set({ user: await authApi.me() }); } catch { set({ user: null }); }
},
login: async (email, password) => {
await authApi.login({ email, password });
await get().refreshMe();
},
logout: async () => {
await authApi.logout();
set({ user: null });
},
setUserFromAuthResponse: (pu) => {
// Optimistic set after register/accept-invite where backend returns PublicUser
set({
user: {
id: pu.id, email: pu.email, displayName: pu.displayName, role: pu.role,
isActive: true, emailVerifiedAt: Math.floor(Date.now() / 1000),
pendingEmail: null, createdAt: 0, updatedAt: 0,
},
});
},
}));
```
- [ ] **Step 2: Commit**
```bash
git add packages/frontend/src/stores/authStore.ts
git -c commit.gpgsign=false commit -m "feat(frontend): authStore (Zustand)"
```
---
## Task 16: AuthBoundary, RoleGuard, UserMenu + Layout integration
**Files:**
- Create: `packages/frontend/src/components/AuthBoundary.tsx`
- Create: `packages/frontend/src/components/RoleGuard.tsx`
- Create: `packages/frontend/src/components/UserMenu.tsx`
- Modify: `packages/frontend/src/components/Layout.tsx`
- Modify: `packages/frontend/src/main.tsx`
- [ ] **Step 1: Create `AuthBoundary.tsx`**
```tsx
import { useEffect } from 'react';
import { Navigate, Outlet, useLocation } from 'react-router-dom';
import { useAuth } from '../stores/authStore.js';
export function AuthBoundary() {
const { user, ready, hydrate } = useAuth();
const location = useLocation();
useEffect(() => {
if (!ready) hydrate();
}, [ready, hydrate]);
if (!ready) {
return (
<div className="flex h-full items-center justify-center">
<div className="h-2 w-32 animate-shimmer rounded-full bg-gradient-to-r from-brand-100 via-brand-200 to-brand-100 bg-[length:1000px_100%]" />
</div>
);
}
if (!user) {
const next = encodeURIComponent(location.pathname + location.search);
return <Navigate to={`/login?next=${next}`} replace />;
}
return <Outlet />;
}
```
- [ ] **Step 2: Create `RoleGuard.tsx`**
```tsx
import { Navigate, Outlet } from 'react-router-dom';
import type { Role } from '@flashcard/shared';
import { useAuth } from '../stores/authStore.js';
export function RoleGuard({ role }: { role: Role }) {
const user = useAuth((s) => s.user);
if (!user) return <Navigate to="/login" replace />;
if (user.role !== role) {
return (
<div className="mx-auto max-w-md p-12 text-center">
<h1 className="font-display text-2xl font-bold">Geen toegang</h1>
<p className="mt-2 text-sm text-slate-500">Deze pagina is alleen voor beheerders.</p>
</div>
);
}
return <Outlet />;
}
```
- [ ] **Step 3: Create `UserMenu.tsx`**
```tsx
import { useState, useRef, useEffect } from 'react';
import { Link, useNavigate } from 'react-router-dom';
import { useAuth } from '../stores/authStore.js';
export function UserMenu() {
const { user, logout } = useAuth();
const [open, setOpen] = useState(false);
const ref = useRef<HTMLDivElement>(null);
const navigate = useNavigate();
useEffect(() => {
function onClick(e: MouseEvent) {
if (ref.current && !ref.current.contains(e.target as Node)) setOpen(false);
}
document.addEventListener('mousedown', onClick);
return () => document.removeEventListener('mousedown', onClick);
}, []);
if (!user) return null;
const initials = user.displayName.trim().split(/\s+/).map((p) => p[0]).slice(0, 2).join('').toUpperCase();
async function handleLogout() {
await logout();
navigate('/login');
}
return (
<div className="relative" ref={ref}>
<button
onClick={() => setOpen((o) => !o)}
className="grid h-9 w-9 place-items-center rounded-full bg-brand-gradient text-sm font-bold text-white shadow-glow hover:brightness-110"
aria-label="Account menu"
>
{initials || '?'}
</button>
{open && (
<div className="absolute right-0 top-11 z-30 w-56 rounded-2xl border border-white/60 bg-white/95 p-2 shadow-soft backdrop-blur dark:border-slate-800 dark:bg-slate-900/95">
<div className="px-3 py-2">
<div className="truncate text-sm font-semibold">{user.displayName}</div>
<div className="truncate text-xs text-slate-500">{user.email}</div>
</div>
<hr className="my-1 border-brand-100 dark:border-slate-800" />
<Link to="/profile" className="block rounded-xl px-3 py-2 text-sm hover:bg-brand-50 dark:hover:bg-slate-800" onClick={() => setOpen(false)}>Profiel</Link>
{user.role === 'sysadmin' && (
<Link to="/admin/users" className="block rounded-xl px-3 py-2 text-sm hover:bg-brand-50 dark:hover:bg-slate-800" onClick={() => setOpen(false)}>👑 Systeembeheer</Link>
)}
<button onClick={handleLogout} className="block w-full rounded-xl px-3 py-2 text-left text-sm text-danger-600 hover:bg-danger-50 dark:hover:bg-danger-400/10">
Uitloggen
</button>
</div>
)}
</div>
);
}
```
- [ ] **Step 4: Replace `Layout.tsx`**
```tsx
import { NavLink, Outlet } from 'react-router-dom';
import { useSettings } from '../stores/settingsStore.js';
import { useAuth } from '../stores/authStore.js';
import { UserMenu } from './UserMenu.js';
const navItems = [
{ to: '/', label: 'Dashboard', end: true },
{ to: '/admin', label: 'Lessen' },
{ to: '/stats', label: 'Stats' },
];
export function Layout() {
const { theme, toggleTheme } = useSettings();
const user = useAuth((s) => s.user);
return (
<div className="flex h-full flex-col">
<header className="sticky top-0 z-20 border-b border-white/40 bg-white/70 backdrop-blur-xl dark:border-slate-800/60 dark:bg-slate-950/70">
<div className="mx-auto flex max-w-6xl items-center gap-2 px-4 py-3 sm:px-6">
<NavLink to="/" className="flex items-center gap-2 font-display text-lg font-bold">
<span className="grid h-8 w-8 place-items-center rounded-xl bg-brand-gradient text-white shadow-glow"></span>
<span className="bg-brand-gradient bg-clip-text text-transparent">Flashcards</span>
</NavLink>
{user && (
<nav className="ml-4 hidden gap-1 sm:flex">
{navItems.map((item) => (
<NavLink
key={item.to}
to={item.to}
end={item.end}
className={({ isActive }) =>
`rounded-xl px-3 py-1.5 text-sm font-medium transition ${
isActive
? 'bg-brand-100 text-brand-700 dark:bg-brand-900/40 dark:text-brand-200'
: 'text-slate-600 hover:bg-white/70 hover:text-slate-900 dark:text-slate-300 dark:hover:bg-slate-900/60'
}`
}
>
{item.label}
</NavLink>
))}
</nav>
)}
<div className="ml-auto flex items-center gap-2">
<button
onClick={toggleTheme}
className="grid h-9 w-9 place-items-center rounded-xl border border-white/60 bg-white/70 text-base shadow-sm transition hover:scale-105 dark:border-slate-800 dark:bg-slate-900/70"
aria-label="Toggle dark mode"
>
{theme === 'dark' ? '☀️' : '🌙'}
</button>
<UserMenu />
</div>
</div>
{user && (
<nav className="flex gap-1 overflow-x-auto px-4 pb-2 sm:hidden">
{navItems.map((item) => (
<NavLink
key={item.to}
to={item.to}
end={item.end}
className={({ isActive }) =>
`whitespace-nowrap rounded-full px-3 py-1 text-xs font-medium transition ${
isActive ? 'bg-brand-600 text-white' : 'bg-white/60 text-slate-700 dark:bg-slate-900/60 dark:text-slate-300'
}`
}
>
{item.label}
</NavLink>
))}
</nav>
)}
</header>
<main className="flex-1 overflow-auto">
<div className="mx-auto max-w-6xl px-4 py-6 sm:px-6">
<Outlet />
</div>
</main>
</div>
);
}
```
- [ ] **Step 5: Hook the 401-handler in `main.tsx` to bounce to /login**
Replace `packages/frontend/src/main.tsx` with:
```tsx
import React from 'react';
import { createRoot } from 'react-dom/client';
import { RouterProvider } from 'react-router-dom';
import { router } from './router.js';
import { useSettings } from './stores/settingsStore.js';
import { useAuth } from './stores/authStore.js';
import { onUnauthorized } from './api/client.js';
import './styles.css';
useSettings.getState().hydrate();
onUnauthorized(() => {
useAuth.setState({ user: null, ready: true });
});
const root = createRoot(document.getElementById('root')!);
root.render(
<React.StrictMode>
<RouterProvider router={router} />
</React.StrictMode>
);
```
- [ ] **Step 6: Typecheck + commit**
```bash
npm -w @flashcard/frontend run typecheck
git add packages/frontend/src/components/ packages/frontend/src/main.tsx
git -c commit.gpgsign=false commit -m "feat(frontend): AuthBoundary, RoleGuard, UserMenu + Layout integration"
```
---
## Task 17: Auth pages — Login + Register
**Files:**
- Create: `packages/frontend/src/pages/auth/Login.tsx`
- Create: `packages/frontend/src/pages/auth/Register.tsx`
- [ ] **Step 1: Create `Login.tsx`**
```tsx
import { useState } from 'react';
import { Link, useNavigate, useSearchParams } from 'react-router-dom';
import { authApi } from '../../api/auth.js';
import { ApiClientError } from '../../api/client.js';
import { useAuth } from '../../stores/authStore.js';
export function LoginPage() {
const [searchParams] = useSearchParams();
const next = searchParams.get('next') ?? '/';
const navigate = useNavigate();
const login = useAuth((s) => s.login);
const [email, setEmail] = useState('');
const [password, setPassword] = useState('');
const [busy, setBusy] = useState(false);
const [error, setError] = useState<string | null>(null);
const [needsVerification, setNeedsVerification] = useState(false);
async function submit(e: React.FormEvent) {
e.preventDefault();
setBusy(true); setError(null); setNeedsVerification(false);
try {
await login(email, password);
navigate(next, { replace: true });
} catch (err) {
if (err instanceof ApiClientError) {
if (err.code === 'EMAIL_NOT_VERIFIED') setNeedsVerification(true);
else setError(err.message);
} else setError('Onbekende fout');
} finally { setBusy(false); }
}
async function resend() {
try { await authApi.resendVerification({ email }); setError('Bevestigingsmail opnieuw verstuurd.'); }
catch { setError('Kon mail niet versturen.'); }
}
return (
<AuthLayout title="Inloggen">
<form onSubmit={submit} className="space-y-4">
<Field label="E-mailadres">
<input type="email" className="input-field" required value={email} onChange={(e) => setEmail(e.target.value)} autoComplete="email" />
</Field>
<Field label="Wachtwoord">
<input type="password" className="input-field" required value={password} onChange={(e) => setPassword(e.target.value)} autoComplete="current-password" />
</Field>
{error && <p className="rounded-xl bg-danger-50 p-3 text-sm text-danger-700 dark:bg-danger-400/10 dark:text-danger-400">{error}</p>}
{needsVerification && (
<div className="rounded-xl bg-amber-50 p-3 text-sm text-amber-800 dark:bg-amber-900/30 dark:text-amber-200">
Je e-mailadres is nog niet bevestigd.
<button type="button" className="ml-2 font-semibold underline" onClick={resend}>Stuur opnieuw</button>
</div>
)}
<button type="submit" className="btn-primary w-full py-3" disabled={busy}>{busy ? 'Bezig…' : 'Inloggen'}</button>
</form>
<div className="mt-6 flex justify-between text-sm">
<Link to="/forgot-password" className="text-brand-600 hover:underline">Wachtwoord vergeten?</Link>
<Link to="/register" className="text-brand-600 hover:underline">Account aanmaken</Link>
</div>
</AuthLayout>
);
}
export function AuthLayout({ title, children }: { title: string; children: React.ReactNode }) {
return (
<div className="mx-auto max-w-md p-6">
<div className="surface p-8">
<h1 className="mb-6 font-display text-2xl font-bold">{title}</h1>
{children}
</div>
</div>
);
}
export function Field({ label, children }: { label: string; children: React.ReactNode }) {
return (
<label className="block text-sm">
<span className="mb-1 block font-medium text-slate-700 dark:text-slate-200">{label}</span>
{children}
</label>
);
}
```
- [ ] **Step 2: Create `Register.tsx`**
```tsx
import { useState } from 'react';
import { Link, useNavigate } from 'react-router-dom';
import { authApi } from '../../api/auth.js';
import { ApiClientError } from '../../api/client.js';
import { AuthLayout, Field } from './Login.js';
export function RegisterPage() {
const navigate = useNavigate();
const [email, setEmail] = useState('');
const [displayName, setDisplayName] = useState('');
const [password, setPassword] = useState('');
const [busy, setBusy] = useState(false);
const [error, setError] = useState<string | null>(null);
const [done, setDone] = useState(false);
async function submit(e: React.FormEvent) {
e.preventDefault();
setBusy(true); setError(null);
try {
await authApi.register({ email, displayName, password });
setDone(true);
} catch (err) {
if (err instanceof ApiClientError) setError(err.message);
else setError('Onbekende fout');
} finally { setBusy(false); }
}
if (done) {
return (
<AuthLayout title="Bijna klaar 📬">
<p className="text-sm">
We hebben een bevestigingsmail gestuurd naar <strong>{email}</strong>.
Klik op de link om je account te activeren.
</p>
<Link to="/login" className="mt-6 block text-sm text-brand-600 hover:underline">Terug naar inloggen</Link>
</AuthLayout>
);
}
return (
<AuthLayout title="Registreren">
<form onSubmit={submit} className="space-y-4">
<Field label="Naam"><input className="input-field" required minLength={1} value={displayName} onChange={(e) => setDisplayName(e.target.value)} autoComplete="name" /></Field>
<Field label="E-mailadres"><input type="email" className="input-field" required value={email} onChange={(e) => setEmail(e.target.value)} autoComplete="email" /></Field>
<Field label="Wachtwoord (min. 8 tekens)"><input type="password" className="input-field" required minLength={8} value={password} onChange={(e) => setPassword(e.target.value)} autoComplete="new-password" /></Field>
{error && <p className="rounded-xl bg-danger-50 p-3 text-sm text-danger-700 dark:bg-danger-400/10 dark:text-danger-400">{error}</p>}
<button type="submit" className="btn-primary w-full py-3" disabled={busy}>{busy ? 'Bezig…' : 'Account aanmaken'}</button>
<p className="text-xs text-slate-500">
De eerste registratie wordt automatisch beheerder.
</p>
</form>
<div className="mt-6 text-sm">
<Link to="/login" className="text-brand-600 hover:underline">Heb je al een account? Inloggen</Link>
</div>
</AuthLayout>
);
}
```
- [ ] **Step 3: Typecheck and commit**
```bash
npm -w @flashcard/frontend run typecheck
git add packages/frontend/src/pages/auth/
git -c commit.gpgsign=false commit -m "feat(frontend): Login + Register pages"
```
---
## Task 18: Auth pages — VerifyEmail, ForgotPassword, ResetPassword, AcceptInvite
**Files:**
- Create: `packages/frontend/src/pages/auth/VerifyEmail.tsx`
- Create: `packages/frontend/src/pages/auth/ForgotPassword.tsx`
- Create: `packages/frontend/src/pages/auth/ResetPassword.tsx`
- Create: `packages/frontend/src/pages/auth/AcceptInvite.tsx`
- [ ] **Step 1: Create `VerifyEmail.tsx`**
```tsx
import { useEffect, useState } from 'react';
import { Link, useSearchParams } from 'react-router-dom';
import { authApi } from '../../api/auth.js';
import { ApiClientError } from '../../api/client.js';
import { AuthLayout } from './Login.js';
export function VerifyEmailPage() {
const [params] = useSearchParams();
const token = params.get('token');
const [state, setState] = useState<'pending' | 'ok' | 'err'>('pending');
const [message, setMessage] = useState('');
useEffect(() => {
if (!token) { setState('err'); setMessage('Token ontbreekt.'); return; }
(async () => {
try {
await authApi.verifyEmail({ token });
setState('ok');
} catch (e) {
setState('err');
setMessage(e instanceof ApiClientError ? e.message : 'Verificatie mislukt.');
}
})();
}, [token]);
return (
<AuthLayout title="E-mailverificatie">
{state === 'pending' && <p>Bezig met verifiëren</p>}
{state === 'ok' && (
<>
<p className="text-sm">Je e-mailadres is bevestigd </p>
<Link to="/login" className="btn-primary mt-6 inline-flex">Naar inloggen</Link>
</>
)}
{state === 'err' && (
<>
<p className="text-sm text-danger-700 dark:text-danger-400">{message}</p>
<Link to="/login" className="mt-6 inline-block text-sm text-brand-600 hover:underline">Terug naar inloggen</Link>
</>
)}
</AuthLayout>
);
}
```
- [ ] **Step 2: Create `ForgotPassword.tsx`**
```tsx
import { useState } from 'react';
import { Link } from 'react-router-dom';
import { authApi } from '../../api/auth.js';
import { AuthLayout, Field } from './Login.js';
export function ForgotPasswordPage() {
const [email, setEmail] = useState('');
const [busy, setBusy] = useState(false);
const [sent, setSent] = useState(false);
async function submit(e: React.FormEvent) {
e.preventDefault();
setBusy(true);
try { await authApi.forgotPassword({ email }); }
finally { setBusy(false); setSent(true); }
}
if (sent) {
return (
<AuthLayout title="Check je mail 📬">
<p className="text-sm">Als <strong>{email}</strong> bekend is, hebben we een reset-link gestuurd. De link is 1 uur geldig.</p>
<Link to="/login" className="mt-6 inline-block text-sm text-brand-600 hover:underline">Terug naar inloggen</Link>
</AuthLayout>
);
}
return (
<AuthLayout title="Wachtwoord vergeten">
<form onSubmit={submit} className="space-y-4">
<Field label="E-mailadres">
<input type="email" required className="input-field" value={email} onChange={(e) => setEmail(e.target.value)} autoComplete="email" />
</Field>
<button type="submit" className="btn-primary w-full py-3" disabled={busy}>{busy ? 'Bezig…' : 'Stuur reset-link'}</button>
</form>
<div className="mt-6 text-sm">
<Link to="/login" className="text-brand-600 hover:underline">Terug naar inloggen</Link>
</div>
</AuthLayout>
);
}
```
- [ ] **Step 3: Create `ResetPassword.tsx`**
```tsx
import { useState } from 'react';
import { Link, useNavigate, useSearchParams } from 'react-router-dom';
import { authApi } from '../../api/auth.js';
import { ApiClientError } from '../../api/client.js';
import { AuthLayout, Field } from './Login.js';
export function ResetPasswordPage() {
const [params] = useSearchParams();
const token = params.get('token') ?? '';
const navigate = useNavigate();
const [password, setPassword] = useState('');
const [busy, setBusy] = useState(false);
const [error, setError] = useState<string | null>(null);
const [done, setDone] = useState(false);
async function submit(e: React.FormEvent) {
e.preventDefault();
setBusy(true); setError(null);
try { await authApi.resetPassword({ token, password }); setDone(true); }
catch (err) { setError(err instanceof ApiClientError ? err.message : 'Reset mislukt.'); }
finally { setBusy(false); }
}
if (done) {
return (
<AuthLayout title="Wachtwoord ingesteld ✅">
<p className="text-sm">Je kunt nu inloggen met je nieuwe wachtwoord.</p>
<button className="btn-primary mt-6 w-full" onClick={() => navigate('/login')}>Naar inloggen</button>
</AuthLayout>
);
}
return (
<AuthLayout title="Nieuw wachtwoord">
{!token && <p className="text-sm text-danger-700">Geen token in URL.</p>}
<form onSubmit={submit} className="space-y-4">
<Field label="Nieuw wachtwoord (min. 8 tekens)">
<input type="password" required minLength={8} className="input-field" value={password} onChange={(e) => setPassword(e.target.value)} autoComplete="new-password" />
</Field>
{error && <p className="rounded-xl bg-danger-50 p-3 text-sm text-danger-700 dark:bg-danger-400/10 dark:text-danger-400">{error}</p>}
<button type="submit" className="btn-primary w-full py-3" disabled={busy || !token}>{busy ? 'Bezig…' : 'Opslaan'}</button>
</form>
<Link to="/login" className="mt-6 block text-sm text-brand-600 hover:underline">Terug naar inloggen</Link>
</AuthLayout>
);
}
```
- [ ] **Step 4: Create `AcceptInvite.tsx`**
```tsx
import { useState } from 'react';
import { useNavigate, useSearchParams } from 'react-router-dom';
import { authApi } from '../../api/auth.js';
import { ApiClientError } from '../../api/client.js';
import { useAuth } from '../../stores/authStore.js';
import { AuthLayout, Field } from './Login.js';
export function AcceptInvitePage() {
const [params] = useSearchParams();
const token = params.get('token') ?? '';
const navigate = useNavigate();
const refreshMe = useAuth((s) => s.refreshMe);
const [displayName, setDisplayName] = useState('');
const [password, setPassword] = useState('');
const [busy, setBusy] = useState(false);
const [error, setError] = useState<string | null>(null);
async function submit(e: React.FormEvent) {
e.preventDefault();
setBusy(true); setError(null);
try {
await authApi.acceptInvite({ token, displayName, password });
await refreshMe();
navigate('/', { replace: true });
} catch (err) {
setError(err instanceof ApiClientError ? err.message : 'Accepteren mislukt.');
} finally { setBusy(false); }
}
return (
<AuthLayout title="Account aanmaken">
{!token && <p className="text-sm text-danger-700">Geen token in URL.</p>}
<form onSubmit={submit} className="space-y-4">
<Field label="Naam">
<input required className="input-field" value={displayName} onChange={(e) => setDisplayName(e.target.value)} autoComplete="name" />
</Field>
<Field label="Wachtwoord (min. 8 tekens)">
<input type="password" required minLength={8} className="input-field" value={password} onChange={(e) => setPassword(e.target.value)} autoComplete="new-password" />
</Field>
{error && <p className="rounded-xl bg-danger-50 p-3 text-sm text-danger-700 dark:bg-danger-400/10 dark:text-danger-400">{error}</p>}
<button type="submit" className="btn-primary w-full py-3" disabled={busy || !token}>{busy ? 'Bezig…' : 'Account aanmaken'}</button>
</form>
</AuthLayout>
);
}
```
- [ ] **Step 5: Typecheck + commit**
```bash
npm -w @flashcard/frontend run typecheck
git add packages/frontend/src/pages/auth/
git -c commit.gpgsign=false commit -m "feat(frontend): VerifyEmail + ForgotPassword + ResetPassword + AcceptInvite pages"
```
---
## Task 19: Profile page
**Files:**
- Create: `packages/frontend/src/pages/Profile.tsx`
- [ ] **Step 1: Create `Profile.tsx`**
```tsx
import { useState } from 'react';
import { authApi } from '../api/auth.js';
import { ApiClientError } from '../api/client.js';
import { useAuth } from '../stores/authStore.js';
export function ProfilePage() {
const { user, refreshMe } = useAuth();
const [displayName, setDisplayName] = useState(user?.displayName ?? '');
const [email, setEmail] = useState(user?.email ?? '');
const [profileBusy, setProfileBusy] = useState(false);
const [profileMsg, setProfileMsg] = useState<string | null>(null);
const [currentPassword, setCurrentPassword] = useState('');
const [newPassword, setNewPassword] = useState('');
const [pwBusy, setPwBusy] = useState(false);
const [pwMsg, setPwMsg] = useState<string | null>(null);
const [pwErr, setPwErr] = useState<string | null>(null);
async function saveProfile(e: React.FormEvent) {
e.preventDefault();
setProfileBusy(true); setProfileMsg(null);
try {
const updates: { displayName?: string; email?: string } = {};
if (displayName !== user?.displayName) updates.displayName = displayName;
if (email !== user?.email) updates.email = email;
if (Object.keys(updates).length === 0) { setProfileMsg('Geen wijzigingen.'); return; }
await authApi.updateProfile(updates);
await refreshMe();
setProfileMsg(updates.email ? 'Profiel opgeslagen. Bevestig je nieuwe e-mailadres via de link in de mail.' : 'Profiel opgeslagen.');
} catch (err) {
setProfileMsg(err instanceof ApiClientError ? err.message : 'Opslaan mislukt.');
} finally { setProfileBusy(false); }
}
async function changePassword(e: React.FormEvent) {
e.preventDefault();
setPwBusy(true); setPwMsg(null); setPwErr(null);
try {
await authApi.changePassword({ currentPassword, newPassword });
setPwMsg('Wachtwoord gewijzigd.');
setCurrentPassword(''); setNewPassword('');
} catch (err) {
setPwErr(err instanceof ApiClientError ? err.message : 'Wijzigen mislukt.');
} finally { setPwBusy(false); }
}
if (!user) return null;
return (
<div className="mx-auto max-w-2xl space-y-6">
<header>
<h1 className="font-display text-3xl font-bold">Profiel</h1>
<p className="text-sm text-slate-500">Beheer je naam, e-mailadres en wachtwoord.</p>
</header>
<form onSubmit={saveProfile} className="surface space-y-4 p-6">
<h2 className="font-display text-lg font-bold">Gegevens</h2>
<label className="block text-sm">
<span className="mb-1 block font-medium">Naam</span>
<input className="input-field" value={displayName} onChange={(e) => setDisplayName(e.target.value)} />
</label>
<label className="block text-sm">
<span className="mb-1 block font-medium">E-mailadres</span>
<input type="email" className="input-field" value={email} onChange={(e) => setEmail(e.target.value)} />
{user.pendingEmail && <span className="mt-1 block text-xs text-amber-700">In afwachting: {user.pendingEmail}</span>}
</label>
{profileMsg && <p className="text-sm">{profileMsg}</p>}
<button className="btn-primary" disabled={profileBusy}>{profileBusy ? 'Bezig…' : 'Opslaan'}</button>
</form>
<form onSubmit={changePassword} className="surface space-y-4 p-6">
<h2 className="font-display text-lg font-bold">Wachtwoord</h2>
<label className="block text-sm">
<span className="mb-1 block font-medium">Huidig wachtwoord</span>
<input type="password" className="input-field" required value={currentPassword} onChange={(e) => setCurrentPassword(e.target.value)} autoComplete="current-password" />
</label>
<label className="block text-sm">
<span className="mb-1 block font-medium">Nieuw wachtwoord (min. 8 tekens)</span>
<input type="password" minLength={8} className="input-field" required value={newPassword} onChange={(e) => setNewPassword(e.target.value)} autoComplete="new-password" />
</label>
{pwMsg && <p className="text-sm text-success-700">{pwMsg}</p>}
{pwErr && <p className="text-sm text-danger-700">{pwErr}</p>}
<button className="btn-primary" disabled={pwBusy}>{pwBusy ? 'Bezig…' : 'Wachtwoord wijzigen'}</button>
</form>
</div>
);
}
```
- [ ] **Step 2: Commit**
```bash
git add packages/frontend/src/pages/Profile.tsx
git -c commit.gpgsign=false commit -m "feat(frontend): profile page (display name, email, change password)"
```
---
## Task 20: AdminUsers page
**Files:**
- Create: `packages/frontend/src/pages/AdminUsers.tsx`
- [ ] **Step 1: Create `AdminUsers.tsx`**
```tsx
import { useEffect, useState } from 'react';
import { adminUsersApi, type ListUsersResponse } from '../api/admin-users.js';
import type { User } from '@flashcard/shared';
import { ApiClientError } from '../api/client.js';
export function AdminUsersPage() {
const [data, setData] = useState<ListUsersResponse>({ rows: [], total: 0 });
const [q, setQ] = useState('');
const [busy, setBusy] = useState(false);
const [inviteEmail, setInviteEmail] = useState('');
const [inviteRole, setInviteRole] = useState<'user' | 'sysadmin'>('user');
const [inviteMsg, setInviteMsg] = useState<string | null>(null);
async function refresh() {
setBusy(true);
try { setData(await adminUsersApi.list({ q: q.trim() || undefined })); }
finally { setBusy(false); }
}
useEffect(() => { refresh(); }, []);
async function invite(e: React.FormEvent) {
e.preventDefault();
setInviteMsg(null);
try {
await adminUsersApi.invite({ email: inviteEmail, role: inviteRole });
setInviteMsg('Uitnodiging verstuurd.');
setInviteEmail('');
await refresh();
} catch (err) {
setInviteMsg(err instanceof ApiClientError ? err.message : 'Uitnodigen mislukt.');
}
}
async function setActive(u: User, isActive: boolean) {
try { await adminUsersApi.update(u.id, { isActive }); await refresh(); }
catch (err) { alert(err instanceof ApiClientError ? err.message : 'Bijwerken mislukt.'); }
}
async function setRole(u: User, role: 'user' | 'sysadmin') {
try { await adminUsersApi.update(u.id, { role }); await refresh(); }
catch (err) { alert(err instanceof ApiClientError ? err.message : 'Bijwerken mislukt.'); }
}
async function sendReset(u: User) {
if (!confirm(`Reset/uitnodigingsmail sturen naar ${u.email}?`)) return;
try { await adminUsersApi.sendReset(u.id); alert('Mail verstuurd.'); }
catch (err) { alert(err instanceof ApiClientError ? err.message : 'Versturen mislukt.'); }
}
return (
<div className="space-y-6">
<header>
<h1 className="font-display text-3xl font-bold">👑 Gebruikersbeheer</h1>
<p className="text-sm text-slate-500">{data.total} gebruiker(s) totaal</p>
</header>
<form onSubmit={invite} className="surface flex flex-col gap-2 p-4 sm:flex-row sm:items-end">
<label className="flex-1 text-sm">
<span className="mb-1 block font-medium">Uitnodigen via e-mail</span>
<input type="email" required className="input-field" value={inviteEmail} onChange={(e) => setInviteEmail(e.target.value)} placeholder="naam@voorbeeld.com" />
</label>
<label className="text-sm">
<span className="mb-1 block font-medium">Rol</span>
<select className="input-field" value={inviteRole} onChange={(e) => setInviteRole(e.target.value as 'user' | 'sysadmin')}>
<option value="user">Gebruiker</option>
<option value="sysadmin">Beheerder</option>
</select>
</label>
<button className="btn-primary shrink-0">Uitnodiging sturen</button>
</form>
{inviteMsg && <p className="text-sm">{inviteMsg}</p>}
<div className="surface p-4">
<div className="mb-3 flex gap-2">
<input className="input-field flex-1" placeholder="Zoek op e-mail of naam…" value={q} onChange={(e) => setQ(e.target.value)} onKeyDown={(e) => e.key === 'Enter' && refresh()} />
<button className="btn-ghost" onClick={refresh} disabled={busy}>Zoek</button>
</div>
<table className="w-full text-sm">
<thead>
<tr className="text-left text-xs uppercase tracking-wider text-slate-500">
<th className="px-2 py-2">Email</th>
<th className="px-2 py-2">Naam</th>
<th className="px-2 py-2">Rol</th>
<th className="px-2 py-2">Status</th>
<th className="px-2 py-2"></th>
</tr>
</thead>
<tbody className="divide-y divide-brand-100/60 dark:divide-slate-800">
{data.rows.map((u) => (
<tr key={u.id} className="hover:bg-brand-50/40 dark:hover:bg-slate-800/40">
<td className="px-2 py-2">{u.email}</td>
<td className="px-2 py-2">{u.displayName}</td>
<td className="px-2 py-2">
<select className="rounded-lg border border-brand-100 bg-white px-2 py-1 text-xs dark:border-slate-800 dark:bg-slate-900" value={u.role} onChange={(e) => setRole(u, e.target.value as 'user' | 'sysadmin')}>
<option value="user">user</option>
<option value="sysadmin">sysadmin</option>
</select>
</td>
<td className="px-2 py-2">
{u.isActive ? (
<span className="rounded-full bg-success-50 px-2 py-0.5 text-xs font-semibold text-success-700 dark:bg-success-700/20 dark:text-success-400">actief</span>
) : (
<span className="rounded-full bg-slate-100 px-2 py-0.5 text-xs font-semibold text-slate-600 dark:bg-slate-800 dark:text-slate-400">uit</span>
)}
{!u.emailVerifiedAt && (
<span className="ml-1 rounded-full bg-amber-50 px-2 py-0.5 text-xs font-semibold text-amber-700 dark:bg-amber-900/30 dark:text-amber-200">onbevestigd</span>
)}
</td>
<td className="px-2 py-2 text-right">
<button className="rounded-lg px-2 py-1 text-xs text-brand-700 hover:bg-brand-50 dark:text-brand-200 dark:hover:bg-brand-900/40" onClick={() => sendReset(u)}>reset-mail</button>
<button className="rounded-lg px-2 py-1 text-xs text-slate-600 hover:bg-slate-100 dark:text-slate-300 dark:hover:bg-slate-800" onClick={() => setActive(u, !u.isActive)}>{u.isActive ? 'deactiveer' : 'activeer'}</button>
</td>
</tr>
))}
</tbody>
</table>
</div>
</div>
);
}
```
- [ ] **Step 2: Commit**
```bash
git add packages/frontend/src/pages/AdminUsers.tsx
git -c commit.gpgsign=false commit -m "feat(frontend): admin users page (invite, role, activate, send-reset)"
```
---
## Task 21: Router — wire all auth routes + protect existing routes
**Files:**
- Modify: `packages/frontend/src/router.tsx`
- [ ] **Step 1: Replace `router.tsx`**
```tsx
import { createBrowserRouter, Navigate } from 'react-router-dom';
import { Layout } from './components/Layout.js';
import { AuthBoundary } from './components/AuthBoundary.js';
import { RoleGuard } from './components/RoleGuard.js';
import { DashboardPage } from './pages/Dashboard.js';
import { AdminPage } from './pages/Admin.js';
import { AdminLessonPage } from './pages/AdminLesson.js';
import { PracticeSetupPage } from './pages/PracticeSetup.js';
import { PracticePage } from './pages/Practice.js';
import { PracticeDonePage } from './pages/PracticeDone.js';
import { StatsPage } from './pages/Stats.js';
import { StatsLessonPage } from './pages/StatsLesson.js';
import { StatsCardPage } from './pages/StatsCard.js';
import { SettingsPage } from './pages/Settings.js';
import { LoginPage } from './pages/auth/Login.js';
import { RegisterPage } from './pages/auth/Register.js';
import { VerifyEmailPage } from './pages/auth/VerifyEmail.js';
import { ForgotPasswordPage } from './pages/auth/ForgotPassword.js';
import { ResetPasswordPage } from './pages/auth/ResetPassword.js';
import { AcceptInvitePage } from './pages/auth/AcceptInvite.js';
import { ProfilePage } from './pages/Profile.js';
import { AdminUsersPage } from './pages/AdminUsers.js';
export const router = createBrowserRouter([
{
path: '/',
element: <Layout />,
children: [
// Public auth routes
{ path: 'login', element: <LoginPage /> },
{ path: 'register', element: <RegisterPage /> },
{ path: 'verify-email', element: <VerifyEmailPage /> },
{ path: 'forgot-password', element: <ForgotPasswordPage /> },
{ path: 'reset-password', element: <ResetPasswordPage /> },
{ path: 'accept-invite', element: <AcceptInvitePage /> },
// Authenticated routes
{
element: <AuthBoundary />,
children: [
{ index: true, element: <DashboardPage /> },
{ path: 'admin', element: <AdminPage /> },
{ path: 'admin/lessons/:id', element: <AdminLessonPage /> },
{ path: 'practice/:lessonId/setup', element: <PracticeSetupPage /> },
{ path: 'practice/:lessonId', element: <PracticePage /> },
{ path: 'practice/:lessonId/done', element: <PracticeDonePage /> },
{ path: 'stats', element: <StatsPage /> },
{ path: 'stats/lessons/:id', element: <StatsLessonPage /> },
{ path: 'stats/cards/:id', element: <StatsCardPage /> },
{ path: 'settings', element: <SettingsPage /> },
{ path: 'profile', element: <ProfilePage /> },
{
element: <RoleGuard role="sysadmin" />,
children: [
{ path: 'admin/users', element: <AdminUsersPage /> },
],
},
{ path: '*', element: <Navigate to="/" replace /> },
],
},
],
},
]);
```
- [ ] **Step 2: Typecheck + frontend build**
```bash
npm -w @flashcard/frontend run typecheck
npm -w @flashcard/frontend run build
```
Expected: both succeed.
- [ ] **Step 3: Commit**
```bash
git add packages/frontend/src/router.tsx
git -c commit.gpgsign=false commit -m "feat(frontend): router with auth boundary, role guard, and all auth pages"
```
---
## Task 22: Update existing E2E smoke + add new auth E2E (Mailpit-based)
**Files:**
- Modify: `e2e/smoke.spec.ts`
- Create: `e2e/auth.spec.ts`
- Modify: `packages/frontend/playwright.config.ts`
- [ ] **Step 1: Update playwright config to use mailpit and a unique DB per run**
```ts
import { defineConfig } from '@playwright/test';
export default defineConfig({
testDir: '../../e2e',
webServer: [
{
command:
'rm -f packages/backend/data/e2e.db data/e2e.db && DB_PATH=./data/e2e.db SMTP_HOST=localhost SMTP_PORT=1025 APP_URL=http://localhost:5173 npm -w @flashcard/backend run db:migrate && DB_PATH=./data/e2e.db SMTP_HOST=localhost SMTP_PORT=1025 APP_URL=http://localhost:5173 npm -w @flashcard/backend run dev',
cwd: '../..',
port: 3000,
reuseExistingServer: false,
timeout: 60_000,
},
{
command: 'npm -w @flashcard/frontend run dev',
cwd: '../..',
port: 5173,
reuseExistingServer: false,
timeout: 60_000,
},
],
use: { baseURL: 'http://localhost:5173' },
timeout: 30_000,
});
```
- [ ] **Step 2: Replace existing `e2e/smoke.spec.ts` with a flow that first registers/logs in**
```ts
import { test, expect } from '@playwright/test';
async function fetchVerifyLink(email: string): Promise<string> {
// Mailpit HTTP API: list latest message and pull link from text body
const res = await fetch('http://localhost:8025/api/v1/messages?limit=10');
const data = await res.json() as { messages: { ID: string; To: { Address: string }[] }[] };
const msg = data.messages.find((m) => m.To.some((t) => t.Address === email));
if (!msg) throw new Error('no message for ' + email);
const body = await fetch(`http://localhost:8025/api/v1/message/${msg.ID}`);
const full = await body.json() as { Text: string };
const match = full.Text.match(/https?:\/\/[^\s]+verify-email\?token=[^\s]+/);
if (!match) throw new Error('no verify link');
return match[0];
}
test('register → verify → login → create lesson → add card → practice once', async ({ page, request }) => {
const email = `user+${Date.now()}@example.com`;
const password = 'secretpass';
await page.goto('/register');
await page.getByLabel(/Naam/).fill('E2E User');
await page.getByLabel(/E-mailadres/).fill(email);
await page.getByLabel(/Wachtwoord/).fill(password);
await page.getByRole('button', { name: /Account aanmaken/ }).click();
await expect(page.getByText(/bevestigingsmail/i)).toBeVisible({ timeout: 10_000 });
const link = await fetchVerifyLink(email);
await page.goto(link);
await expect(page.getByText(/bevestigd/i)).toBeVisible();
await page.goto('/login');
await page.getByLabel(/E-mailadres/).fill(email);
await page.getByLabel(/Wachtwoord/).fill(password);
await page.getByRole('button', { name: 'Inloggen' }).click();
await page.goto('/admin');
await page.getByPlaceholder(/Nieuwe wortel-les/).fill('E2E les');
await page.getByRole('button', { name: /Toevoegen/ }).first().click();
await page.getByRole('link', { name: /E2E les/ }).first().click();
await page.getByPlaceholder('Nieuwe vraag').fill('q1');
await page.getByPlaceholder('Antwoord').fill('a1');
await page.getByRole('button', { name: 'Kaart toevoegen' }).click();
await page.getByRole('link', { name: /Start oefenen/ }).click();
await page.getByRole('button', { name: /Start sessie/ }).click();
await page.getByRole('button', { name: 'Toon antwoord' }).click();
await page.getByRole('button', { name: /Goed/ }).click();
await expect(page.getByText(/Sessie klaar/)).toBeVisible({ timeout: 8_000 });
});
```
- [ ] **Step 3: Create `e2e/auth.spec.ts` — admin invites a user**
```ts
import { test, expect } from '@playwright/test';
async function fetchLink(email: string, kind: 'invite' | 'verify-email' | 'reset-password'): Promise<string> {
for (let i = 0; i < 20; i++) {
const res = await fetch('http://localhost:8025/api/v1/messages?limit=20');
const data = await res.json() as { messages: { ID: string; To: { Address: string }[] }[] };
const msg = data.messages.find((m) => m.To.some((t) => t.Address === email));
if (msg) {
const full = await (await fetch(`http://localhost:8025/api/v1/message/${msg.ID}`)).json() as { Text: string };
const pattern = new RegExp(`https?:\\/\\/[^\\s]+${kind}\\?token=[^\\s]+`);
const m = full.Text.match(pattern);
if (m) return m[0];
}
await new Promise((r) => setTimeout(r, 250));
}
throw new Error(`no ${kind} link for ${email}`);
}
test('admin invites user; user accepts and logs in', async ({ page }) => {
// Make admin (first registration)
const adminEmail = `admin+${Date.now()}@example.com`;
const adminPw = 'secretpass';
await page.goto('/register');
await page.getByLabel(/Naam/).fill('Admin');
await page.getByLabel(/E-mailadres/).fill(adminEmail);
await page.getByLabel(/Wachtwoord/).fill(adminPw);
await page.getByRole('button', { name: /Account aanmaken/ }).click();
await expect(page.getByText(/bevestigingsmail/i)).toBeVisible();
await page.goto(await fetchLink(adminEmail, 'verify-email'));
await page.goto('/login');
await page.getByLabel(/E-mailadres/).fill(adminEmail);
await page.getByLabel(/Wachtwoord/).fill(adminPw);
await page.getByRole('button', { name: 'Inloggen' }).click();
// Invite
await page.goto('/admin/users');
const inviteeEmail = `invitee+${Date.now()}@example.com`;
await page.getByPlaceholder(/naam@voorbeeld/).fill(inviteeEmail);
await page.getByRole('button', { name: /Uitnodiging sturen/ }).click();
await expect(page.getByText(/Uitnodiging verstuurd/)).toBeVisible();
// Accept
const inviteLink = await fetchLink(inviteeEmail, 'accept-invite');
// logout admin first via UI
await page.getByRole('button', { name: 'Account menu' }).click();
await page.getByRole('button', { name: 'Uitloggen' }).click();
await page.goto(inviteLink);
await page.getByLabel(/Naam/).fill('Newbie');
await page.getByLabel(/Wachtwoord/).fill('newuserpass');
await page.getByRole('button', { name: /Account aanmaken/ }).click();
await expect(page).toHaveURL(/\/$/);
});
```
- [ ] **Step 4: Run mailpit before running E2E**
```bash
docker compose up -d mailpit
```
- [ ] **Step 5: Run E2E**
```bash
lsof -ti tcp:3000 2>/dev/null | xargs kill -9 2>/dev/null
lsof -ti tcp:5173 2>/dev/null | xargs kill -9 2>/dev/null
rm -f packages/backend/data/e2e.db data/e2e.db
sleep 2
npm run e2e
```
Expected: both tests pass.
- [ ] **Step 6: Commit**
```bash
git add e2e/ packages/frontend/playwright.config.ts
git -c commit.gpgsign=false commit -m "test(e2e): register+verify smoke and admin invite flow via Mailpit"
```
---
## Self-review
**Spec coverage:**
| Spec section | Implemented in task |
|---|---|
| 3.1 Self-service register + first-user becomes sysadmin | 10 |
| 3.2 Email verification (24h, single-use) | 4, 10 |
| 3.3 Login / logout with cookie session | 5, 7, 10, 12 |
| 3.4 Forgot / reset (1h, all sessions invalidated) | 10 |
| 3.5 Profile + email-change via pending_email + change-password keep-current | 10 |
| 3.6 Invite + accept-invite | 11 (invite) + 10 (accept) |
| 3.7 Admin user list / role / active / send-reset | 11 |
| 3.8 Rate limiting | 8 |
| 3.9 CSRF double-submit + headers | 7, 12, 14 |
| Data model (users, sessions_auth, auth_tokens) | 1 |
| Bcrypt cost 12 | 3 |
| Token TTLs and purposes | 4, 10 |
| Last-sysadmin guard | 11 |
| Email templates (4 types) | 6 |
| StubMailer fallback when SMTP missing | 6 |
| Mailpit docker-compose | 13 |
| Env.example | 13 |
| Frontend auth pages + AuthBoundary + RoleGuard + UserMenu | 1621 |
| E2E mailpit-based smoke | 22 |
All spec sections covered.
**Placeholders:** none — every step has concrete code or commands.
**Type consistency:** PublicUser/User shapes match between shared types, server responses, and authStore. CSRF cookie/header naming uses `CSRF_COOKIE` and `X-CSRF-Token` consistently.
---
## Execution Handoff
**Plan complete and saved to `docs/superpowers/plans/2026-05-20-auth-and-roles.md`. Two execution options:**
**1. Subagent-Driven (recommended)** — fresh subagent per task, review between tasks, fast iteration
**2. Inline Execution** — execute tasks in this session using executing-plans, batch execution with checkpoints
**Which approach?**
Reference in New Issue View Git Blame Copy Permalink