rama/halobestie-clone
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
98156d1e496e6df30e567d6cc2d3a5a4617a2af5
halobestie-clone/client_app/CLAUDE.md
ramadhan sjamsani 98156d1e49 Phase 3.4: client_app self-managed auth cutover 
Rips firebase_auth; auth talks directly to the new backend endpoints.
Anonymous-first + phone OTP work end-to-end; Google/Apple SDKs are kept
but buttons are hidden behind ENABLE_SOCIAL_AUTH until backend OAuth
credentials are provisioned.

Smoke-tested against the backend via curl:
- anonymous → PATCH display_name → /me
- OTP request (read stub code from backend log) → verify with
  anonymous_customer_id → same customer row preserved, display_name
  preserved, phone added → upgrade confirmed
- refresh rotation + logout → post-logout refresh correctly fails
  REFRESH_INVALID
- Debug APK builds clean

- pubspec: drop firebase_auth; add flutter_secure_storage
- core/auth/auth_bridge.dart: shared mutable state (access token +
  refresh callback + in-flight de-dup) — keepAlive provider
- core/auth/token_storage.dart: flutter_secure_storage wrapper
  (customer_refresh_token key)
- core/auth/social_auth_enabled.dart: const flag from
  --dart-define=ENABLE_SOCIAL_AUTH (default false)
- core/auth/auth_notifier.dart: bootstrap via stored refresh; anonymous
  via /api/shared/auth/anonymous + PATCH display_name; phone OTP via
  /api/client/auth/*; Google + Apple wired (passes anonymous_customer_id
  for upgrade); anonymity config check for ForceRegister state; granular
  error-code mapping
- core/api/api_client.dart: Bearer from bridge + postRaw(skipAuth) for
  auth endpoints + single-retry 401 refresh
- core/chat/chat_notifier.dart + core/pairing/pairing_notifier.dart: WS
  auth frame reads bridge.accessToken
- features/auth/screens/otp_screen.dart: verificationId → otpRequestId
- features/auth/screens/register_screen.dart + force_register_screen.dart:
  Google/Apple buttons gated behind kSocialAuthEnabled; force_register
  drops obsolete linkAccount() (upgrade happens server-side now via
  anonymous_customer_id)
- client_app/CLAUDE.md: Auth section rewritten (was stale on Firebase)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-24 16:08:20 +08:00

1.8 KiB
Raw Blame History

Halo Bestie — Client App

Flutter mobile application for end users (clients) seeking mental health support.

See root CLAUDE.md for full project context and architectural decisions.

Stack

  • Framework: Flutter (iOS + Android)
  • Auth: Self-managed (Phase 3.4). Anonymous-first + phone OTP + (Google / Apple when creds arrive).
    • Access token in memory on AuthBridge; refresh token persisted via flutter_secure_storage.
    • Google + Apple SDKs installed but buttons are hidden behind --dart-define=ENABLE_SOCIAL_AUTH=true until backend OAuth credentials exist.
    • firebase_auth removed; firebase_messaging kept for FCM push.
  • API: Calls public Fastify backend (/api/client/ and /api/shared/ routes). Refresh + logout live on shared.auth.
  • Payment: Xendit (paid sessions, optional trial)

Key Concepts

  • Users are clients — they seek mental health support ("curhat")
  • Core flow: server-issued anonymous → optional phone/Google/Apple identity upgrade (same customer row via anonymous_customer_id) → browse/match with mitra → book session → chat → pay
  • Anonymity toggle: if /api/shared/config/anonymity reports anonymity_enabled = false, the router shows ForceRegisterScreen until the user identifies

Conventions

  • Never call /api/mitra/ or /internal/ routes from this app
  • API calls go through ApiClient; it auto-attaches the JWT from AuthBridge and auto-refreshes on 401
  • WebSocket handshake (/api/shared/ws) reads the access token from AuthBridge in the first frame's {type:"auth", token, session_id?} message
  • Use const bool.fromEnvironment('ENABLE_SOCIAL_AUTH') (via social_auth_enabled.dart) to gate any Google/Apple UI — never call loginGoogle / loginApple from a path reachable without that flag
Reference in New Issue View Git Blame Copy Permalink