d09e50af55
Phase 3.7: paid pairing flow + returning chat + extension flip
...
- Backend: payment_sessions + pairing_failures tables; payment.service.js
and pairing-failure.service.js (new); rewritten pairing.service.js
(payment-gated blast + targeted "Curhat lagi" + cancel + fallback);
rewritten extension.service.js (data-driven auto-approve with offline
safeguard, charge-at-approval); pricing.service.js (extension tiers
without free trial); mitra-status.service.js (countAvailableMitras
cached path); 60s sweeper for stale payment sessions
- Backend routes: client.payment.routes, client.mitra-availability.routes,
internal/failed-pairings.routes; client.chat.routes rewritten for
payment-gated start + /returning + /cancel + /fallback-to-blast;
internal/config.routes adds 4 new keys with Valkey invalidate publish
- client_app: mitra-availability poll, payment screen + notifier, pairing
notifier rewrite (PairingTargetedWaiting + PairingFailed states),
targeted-waiting overlay + bestie-unavailable dialog, "Curhat lagi"
CTA, failed-pairing terminal, extension via payment-session
- mitra_app: PairingRequestType enum, returning-chat 20s countdown
auto-dismiss, extension card "otomatis disetujui" copy
- control_center: 4 new config rows in Settings, Failed Pairings page
(filter + paginate + action menu), sidebar + route registered
- Test infrastructure: Vitest backend (7/7 pass), Playwright CC (4/4
pass), Maestro mobile scaffold (CLI install pending)
- Bugs found via Playwright + fixed: LoginPage labels not associated
with inputs (a11y); backend internal CORS missing PATCH/PUT/DELETE
in allow-methods (silent settings breakage in browsers since Stage 4)
- Docs: phase3.7.md PRD, phase3.7-plan.md, phase3.7-questions.md (Q&A),
phase3.7-testing.md (E2E checklist), phase3.7-test-run-2026-05-03.md
(today's run results)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com >
2026-05-03 23:02:49 +08:00
4a796277b8
Phase 3.4: control_center self-managed auth cutover
...
Replaces Firebase Auth with the new JWT + httpOnly-cookie refresh flow.
Smoke-tested end-to-end via curl (login → /me → refresh rotation → logout).
- Remove firebase dep + firebase.js
- New token-bridge decouples api-client from AuthContext and de-dupes
concurrent 401 refreshes
- AuthContext: in-memory access token (useRef), bootstrap via
/internal/auth/refresh, login/logout/refresh methods
- api-client: withCredentials, Bearer attach, auto-retry once on 401
- LoginPage: handle INVALID_CREDENTIALS / ACCOUNT_LOCKED / VALIDATION_ERROR
- Layout: self-service "Ganti password" form
- UsersPage: initial password field on create + per-row admin-forced reset
- .env / .env.example: drop VITE_FIREBASE_* vars
- backend/CLAUDE.md + control_center/CLAUDE.md: describe new auth (were
stale on Firebase)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com >
2026-04-24 15:32:32 +08:00
50d31260dc
Fix auth errors, CORS, control center login, and stale session handling
...
- Mitra auth: parse DioException response for proper error messages
(ACCOUNT_NOT_FOUND, ACCOUNT_INACTIVE) instead of generic "OTP invalid"
- Backend: add CORS to internal app (port 3001) for control center
- Control center: fix login race condition (wait for AuthContext verify
before navigating), fix MitraActivityPage fetching paginated data
- Stale session goodbye: both apps detect SESSION_NOT_ACTIVE/409 and
move to complete state instead of retrying endlessly
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com >
2026-04-15 20:49:57 +08:00
