ramadhan sjamsani
98156d1e49
Rips firebase_auth; auth talks directly to the new backend endpoints. Anonymous-first + phone OTP work end-to-end; Google/Apple SDKs are kept but buttons are hidden behind ENABLE_SOCIAL_AUTH until backend OAuth credentials are provisioned. Smoke-tested against the backend via curl: - anonymous → PATCH display_name → /me - OTP request (read stub code from backend log) → verify with anonymous_customer_id → same customer row preserved, display_name preserved, phone added → upgrade confirmed - refresh rotation + logout → post-logout refresh correctly fails REFRESH_INVALID - Debug APK builds clean - pubspec: drop firebase_auth; add flutter_secure_storage - core/auth/auth_bridge.dart: shared mutable state (access token + refresh callback + in-flight de-dup) — keepAlive provider - core/auth/token_storage.dart: flutter_secure_storage wrapper (customer_refresh_token key) - core/auth/social_auth_enabled.dart: const flag from --dart-define=ENABLE_SOCIAL_AUTH (default false) - core/auth/auth_notifier.dart: bootstrap via stored refresh; anonymous via /api/shared/auth/anonymous + PATCH display_name; phone OTP via /api/client/auth/*; Google + Apple wired (passes anonymous_customer_id for upgrade); anonymity config check for ForceRegister state; granular error-code mapping - core/api/api_client.dart: Bearer from bridge + postRaw(skipAuth) for auth endpoints + single-retry 401 refresh - core/chat/chat_notifier.dart + core/pairing/pairing_notifier.dart: WS auth frame reads bridge.accessToken - features/auth/screens/otp_screen.dart: verificationId → otpRequestId - features/auth/screens/register_screen.dart + force_register_screen.dart: Google/Apple buttons gated behind kSocialAuthEnabled; force_register drops obsolete linkAccount() (upgrade happens server-side now via anonymous_customer_id) - client_app/CLAUDE.md: Auth section rewritten (was stale on Firebase) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
29 lines
1.8 KiB
Markdown
29 lines
1.8 KiB
Markdown
# Halo Bestie — Client App
|
|
|
|
Flutter mobile application for end users (clients) seeking mental health support.
|
|
|
|
> See root `CLAUDE.md` for full project context and architectural decisions.
|
|
|
|
## Stack
|
|
|
|
- **Framework:** Flutter (iOS + Android)
|
|
- **Auth:** Self-managed (Phase 3.4). Anonymous-first + phone OTP + (Google / Apple when creds arrive).
|
|
- Access token in memory on `AuthBridge`; refresh token persisted via `flutter_secure_storage`.
|
|
- Google + Apple SDKs installed but buttons are hidden behind `--dart-define=ENABLE_SOCIAL_AUTH=true` until backend OAuth credentials exist.
|
|
- `firebase_auth` removed; `firebase_messaging` kept for FCM push.
|
|
- **API:** Calls public Fastify backend (`/api/client/` and `/api/shared/` routes). Refresh + logout live on `shared.auth`.
|
|
- **Payment:** Xendit (paid sessions, optional trial)
|
|
|
|
## Key Concepts
|
|
|
|
- Users are **clients** — they seek mental health support ("curhat")
|
|
- Core flow: **server-issued anonymous** → optional phone/Google/Apple identity upgrade (same customer row via `anonymous_customer_id`) → browse/match with mitra → book session → chat → pay
|
|
- Anonymity toggle: if `/api/shared/config/anonymity` reports `anonymity_enabled = false`, the router shows `ForceRegisterScreen` until the user identifies
|
|
|
|
## Conventions
|
|
|
|
- Never call `/api/mitra/` or `/internal/` routes from this app
|
|
- API calls go through `ApiClient`; it auto-attaches the JWT from `AuthBridge` and auto-refreshes on 401
|
|
- WebSocket handshake (`/api/shared/ws`) reads the access token from `AuthBridge` in the first frame's `{type:"auth", token, session_id?}` message
|
|
- Use `const bool.fromEnvironment('ENABLE_SOCIAL_AUTH')` (via `social_auth_enabled.dart`) to gate any Google/Apple UI — never call `loginGoogle` / `loginApple` from a path reachable without that flag
|