Phase 3.4: control_center self-managed auth cutover

Replaces Firebase Auth with the new JWT + httpOnly-cookie refresh flow.
Smoke-tested end-to-end via curl (login → /me → refresh rotation → logout).

- Remove firebase dep + firebase.js
- New token-bridge decouples api-client from AuthContext and de-dupes
  concurrent 401 refreshes
- AuthContext: in-memory access token (useRef), bootstrap via
  /internal/auth/refresh, login/logout/refresh methods
- api-client: withCredentials, Bearer attach, auto-retry once on 401
- LoginPage: handle INVALID_CREDENTIALS / ACCOUNT_LOCKED / VALIDATION_ERROR
- Layout: self-service "Ganti password" form
- UsersPage: initial password field on create + per-row admin-forced reset
- .env / .env.example: drop VITE_FIREBASE_* vars
- backend/CLAUDE.md + control_center/CLAUDE.md: describe new auth (were
  stale on Firebase)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-24 15:32:32 +08:00
parent 1a610363bb
commit 4a796277b8
12 changed files with 307 additions and 1086 deletions

@@ -12,7 +12,6 @@
"react": "^18.3.1",
"react-dom": "^18.3.1",
"react-router-dom": "^6.23.1",
"firebase": "^10.12.1",
"axios": "^1.7.2",
"@tanstack/react-query": "^5.45.1"
},
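Review bot: dropping `"firebase": "^10.12.1"` from the dependencies block needs a matching lockfile regeneration in the same commit, and the visible hunk shows only the manifest change. Please confirm the lockfile no longer resolves firebase or its transitive packages, and that a clean install and build pass with no remaining `firebase` imports in the source tree. Separately, the commit message says axios now sends cookies (`withCredentials`) and attaches the Bearer token, so it is worth deciding whether the `^1.7.2` caret range is intended or whether an exact version enforced through the lockfile is preferable for the client that carries credentials.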