7abd433d95
- Simplified conditional rendering in OrderSummary, ProductCard, InstallationOptions, InternetOfferingCard, DeviceCompatibility, SimPlansContent, and other components by removing unnecessary parentheses. - Enhanced clarity in the use of ternary operators for better maintainability. - Updated documentation to reflect changes in development setup for skipping OTP verification during login. - Removed outdated orchestrator refactoring plan document. - Added new environment variable for skipping OTP verification in development. - Minor adjustments in domain contracts and mappers for consistency in conditional checks.
3.6 KiB
3.6 KiB
Development Authentication Setup
Overview
The auth module now exposes a clean facade (AuthFacade) and a layered structure. Development conveniences (CSRF bypass, throttling disable) still exist, but code placements and service names have changed. This guide outlines how to configure the dev environment and where to look in the codebase.
File Map
| Purpose | Location | |
|---|---|---|
| Express cookie helper | apps/bff/src/app/bootstrap.ts |
|
| Auth controller | modules/auth/presentation/http/auth.controller.ts |
|
| Guards/interceptors | `modules/auth/presentation/http/guards | interceptors` |
| Passport strategies | modules/auth/presentation/strategies |
|
| Facade (use-cases) | modules/auth/application/auth.facade.ts |
|
| Token services | modules/auth/infra/token |
|
| Rate limiter service | modules/auth/infra/rate-limiting/auth-rate-limit.service.ts |
|
| Signup/password flows | modules/auth/infra/workflows |
Development Environment Flags
Add to .env as needed:
# Disable CSRF protection (use only locally)
DISABLE_CSRF=true
# Disable auth rate limits / lockouts
DISABLE_RATE_LIMIT=true
DISABLE_ACCOUNT_LOCKING=true
# Skip OTP verification during login (direct login after credentials)
SKIP_OTP=true
# Show detailed validation errors in responses
EXPOSE_VALIDATION_ERRORS=true
# Allow portal origin
CORS_ORIGIN=http://localhost:3000
These flags are consumed in core/config/auth-dev.config.ts and by guards/middleware.
CSRF in Development
- Middleware (
core/security/middleware/csrf.middleware.ts) auto-issues stateless tokens. - Frontend API client must forward
X-CSRF-Token; the helper already performs this. - To bypass entirely in dev, set
DISABLE_CSRF=true(middleware checksdevAuthConfig.disableCsrf).
Rate Limiting in Development
AuthRateLimitServiceuses Redis; if Redis isn’t running, setDISABLE_RATE_LIMIT=trueto bypass guards.- Login, signup, password reset, and refresh flows now go through this centralized service.
Common Troubleshooting
- CSRF mismatch – ensure
csrf-secretcookie and header are both present. Use/api/security/csrf/tokenif you need to fetch manually. - Rate limit hits – check headers
X-RateLimit-Remainingor disable via env flag. - Redis not running – dev scripts (
pnpm dev:start) spin up Redis; otherwise set bypass flags. - Cookie issues – confirm
CORS_ORIGINmatches portal dev origin and browser sends cookies (credentials: 'include').
Production Safeguards
- Remove/bypass flags (
DISABLE_*) in staging/production. - Ensure
CSRF_SECRET_KEYis set in production so tokens are signed with stable key. - Tune rate limits via env values (
LOGIN_RATE_LIMIT_LIMIT, etc.).
Quick Validation Steps
- Start Redis/Postgres via
pnpm dev:start. - Launch BFF and portal (
pnpm --filter @customer-portal/bff dev,pnpm --filter @customer-portal/portal dev). - In browser, verify CSRF token is returned on first GET (check
X-CSRF-Tokenresponse header). - Attempt login/signup; inspect console for clear warnings if rate limit triggers.
Reference Documentation
docs/AUTH-MODULE-ARCHITECTURE.md– full module layout.docs/STRUCTURE.md– high-level repo map.docs/REDIS-TOKEN-FLOW-IMPLEMENTATION.md– deep dive on refresh token storage.