- Store authentication tokens explicitly before setting user state in login and TOTP verification flows to prevent race conditions
- Add 'credentials: include' to WebAuthn endpoints for proper session cookie handling
- Add comprehensive debug logging throughout authentication flow to trace token lifecycle and API requests
- Update WebAuthn completeLogin to use fetch directly instead of request helper to properly handle session cookies
- Add allowedHosts configuration to Vite dev server
Ensure Authorization header is preserved and credentials are included across all API calls after login by updating the global request flow to always include the auth token and cookies, preventing API requests from failing due to missing authentication.
X-Lovable-Edit-ID: edt-e27762ef-c64c-401b-9944-0d5bcb8ea624
Ensure fetch requests always include credentials to maintain session cookies after login and TOTP flows.
X-Lovable-Edit-ID: edt-bd4a695e-663c-4919-a238-aa222a5c0609
Enhance login and security UI with WebAuthn passkey support:
- Implement WebAuthn API integration for registration, login, and credential management.
- Wire up begin/complete registration and login flows, including credential handling and status checks.
- Extend API client with webauthn endpoints, status, and credential management; adjust token handling for 401s.
- Update Login and Security pages to support passkey enrollment, removal, and display of passkeys.
- Add WebAuthn utilities and adjust existing components to work with new flows.
X-Lovable-Edit-ID: edt-5876d103-501a-44d9-b117-e671b9995451
- Implement TOTP prompts during login: if login returns requires_totp, show TOTP input and verify via /auth/totp/verify to complete authentication.
- Update API client to support TOTP flow, store tokens after successful TOTP verification.
- Wire AuthContext and LoginPage to handle TOTP challenge, returning requiresTotp from login and proceeding after verification.
- Preserve token on 401 for credential-related steps; clear only on true session-invalid responses.
X-Lovable-Edit-ID: edt-0672a4fb-c58a-4d0c-88dc-86bcee853964
Update TotpEnrollmentWizard to handle QR code data_uri gracefully by using enrollmentData.qr_code directly if it already starts with data:, otherwise prefix with data:image/png;base64,. This prevents invalid HTML and extra requests.
X-Lovable-Edit-ID: edt-779080b3-442d-4aeb-aaaf-e0e3c26b795d
Improve token management on 401 responses by introducing configurable token-clearing logic, apply it to sensitive endpoints (TOTP verify, disable, regenerator, and password change), and adjust me endpoint behavior to use explicit clear-token rules. Also preserve no-cache headers and add dev logs for 401 events.
X-Lovable-Edit-ID: edt-9528378f-7146-45e6-96d9-47c22492fd87
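The request rules described in this commit and in the "preserve token on 401 for credential-related steps" commit above, as an added example that is not the project's own api.ts: tokenStore, buildRequestInit, handleUnauthorized, completeLogin and the CLEAR_TOKEN_ON_401 table are hypothetical names, and apart from /auth/totp/verify and /users/me/password the endpoint paths in the table are assumed.

```javascript
// Added example; tokenStore, CLEAR_TOKEN_ON_401, buildRequestInit, handleUnauthorized,
// completeLogin and apiRequest are hypothetical names, not the project's api.ts.
const tokenStore = {
  token: null,
  set(value) { this.token = value; },
  clear() { this.token = null; },
};

// Per-endpoint rule for 401 responses. On credential-related steps a 401 usually means
// "wrong code / wrong password", not "session gone", so the stored token must survive.
// Any endpoint not listed falls back to the default: a 401 invalidates the session.
const CLEAR_TOKEN_ON_401 = {
  '/auth/totp/verify': false,
  '/auth/totp/disable': false,   // assumed path
  '/users/me/password': false,
};

function shouldClearTokenOn401(path) {
  return CLEAR_TOKEN_ON_401[path] ?? true;
}

// Bearer header when a token exists, cookies always sent (credentials: 'include'),
// and no-cache headers plus cache: 'no-store' so an authenticated response is never
// served from cache.
function buildRequestInit(init = {}) {
  const headers = { ...(init.headers || {}), 'Cache-Control': 'no-cache', Pragma: 'no-cache' };
  if (tokenStore.token) headers.Authorization = `Bearer ${tokenStore.token}`;
  return { ...init, headers, credentials: 'include', cache: 'no-store' };
}

// Applies the per-endpoint rule; returns true only when the token was actually cleared.
function handleUnauthorized(path, status) {
  if (status !== 401 || !shouldClearTokenOn401(path)) return false;
  tokenStore.clear();
  return true;
}

// Stores the token BEFORE handing user state back to the caller, so the very next
// request (e.g. /users/me) already carries the Authorization header.
function completeLogin(body) {
  if (body.requires_totp) return { requiresTotp: true };
  tokenStore.set(body.access_token);
  return { requiresTotp: false, user: body.user };
}

async function apiRequest(path, init = {}, fetchImpl = fetch) {
  const res = await fetchImpl(path, buildRequestInit(init));
  handleUnauthorized(path, res.status);
  return res;
}
```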
Enable real TOTP flow by integrating enroll/verify/backup codes API, updating TotpEnrollmentWizard and TotpRemoveDialog to use backend, and connecting SecurityPage to live status. Replaces mock data with API calls, adds status refresh after enrollment, and wires removal to API with UI confirmations.
X-Lovable-Edit-ID: edt-3f2bb4a3-06ff-406a-bc2c-d4c70de452a1
Ensure all API requests include no-cache headers to avoid cached CORS issues. Added Cache-Control, Pragma headers and set fetch to no-store, so requests are not cached.
X-Lovable-Edit-ID: edt-17929842-67a4-4e77-8ea7-1e46d2ee30fc
- Add TOTP enrollment UI flow to SecurityPage via TotpEnrollmentWizard
- Integrate removal dialog TotpRemoveDialog with confirmation
- Update SecurityPage to reference new TOTP components and reflect enrollment state
- Implement wizard steps: setup, verify, backup-codes, and completion
- Show enabling status and removal option with confirmation when enrolled
X-Lovable-Edit-ID: edt-8f92b58a-f7e2-4820-9941-aeb31a19c58f
Add client-side validation in SecurityPage to alert when the new password matches the current password, preventing submission and showing an error.
X-Lovable-Edit-ID: edt-3a30092e-86a6-4d0a-892f-19ece7859cfe
Add password change API method and integrate into SecurityPage by wiring form fields, validation, and API call to /users/me/password, replacing mock/stub logic with real endpoint handling.
X-Lovable-Edit-ID: edt-19aca63f-7777-44a3-887e-98303dc46028
Improve ApiDevTools to log fetch errors with stack traces during development, fix UUID generation fallback for environments lacking crypto.randomUUID, and ensure errors are surfaced in the browser console for easier debugging. Includes fallback generateUUID and preserved patching with proper catch blocks.
X-Lovable-Edit-ID: edt-83e14dbc-6e2d-4ff9-9d17-d881d62d7da6
Resolve TS2451 redeclare by removing duplicate isDev, fix fetch patch scope, and restore proper closure. Also improve login error logging to show dev details without breaking prod.
X-Lovable-Edit-ID: edt-ee281f89-34b9-41ce-ae0a-1ed1dcece8ab
Enable ApiDevTools to reliably log API requests on login by refining fetch interception (only log /api/* calls, support dev mode), and adjust login error handling to surface dev-friendly messages.
X-Lovable-Edit-ID: edt-f0cc8901-1c2f-4253-819a-332460757b44
Move Google font @import to the top of index.css so it precedes Tailwind directives and avoids a CSS parse error.
X-Lovable-Edit-ID: edt-61ca6e61-d390-47b8-8731-1cb35a116ac9
Expose API dev console on public pages by ensuring ApiDevTools runs in dev mode across all routes, and fix hook usage to render only in development. This includes wiring the dev console to public layout (login screen) and correcting the development-mode guard to avoid React hook issues.
X-Lovable-Edit-ID: edt-a9ff8f85-ee99-48e3-aa63-c62578cf7dab
Replace mock org data with real data from API; fix API response handling to use organizations() correctly and render in dropdown. Adjust imports and remove unused mock data.
X-Lovable-Edit-ID: edt-f32c8098-c5cb-42f7-b2d1-8a073115526e
Enhance Profile page to show loading skeletons while fetching user data and organizations, improving UX during asynchronous calls.
X-Lovable-Edit-ID: edt-3830b509-c8d0-4931-bba7-790c60032d4a
Ensure profile page fetches organizations only after user is available to attach bearer token
This PR guards the /organizations call behind a user presence check to avoid 401 due to missing auth token on initial render.
X-Lovable-Edit-ID: edt-b4dabc36-942c-4632-a80d-4f981ad3d194
Switch API client to use Bearer token authentication with centralized api.ts, remove session-token logic, and update AuthContext to rely on token-based flow. Introduce token storage, propagate token via Authorization header, and keep login/logout flows intact.
X-Lovable-Edit-ID: edt-da01510b-c831-4a48-9b71-708de445097d
Add a new AddPasskeyWizard component and wire it into SecurityPage.
- Introduced AddPasskeyWizard.tsx to guide users through naming, registering, and confirming a passkey with a simulated flow.
- Integrated wizard into SecurityPage: removed inline placeholder and wired AddPasskeyWizard with stateful open/close handling.
- Replaced previous inline UI to use the new wizard for adding passkeys.
X-Lovable-Edit-ID: edt-32783fa6-048e-4efe-898a-544ef48530d1
Add requestHeaders capture and display in the in-page API DevTools, including logging headers for each fetch to /api/*, and render them in the detail view alongside request body and response data.
X-Lovable-Edit-ID: edt-e077c0aa-43b2-48c6-952e-fc734b08627e
- Add API integration for current user data and organizations
- Update ProfilePage to render real user data and orgs from /api/v1/users/me and /users/me/organizations
- Adjust api.ts types to align with new user fields (email_verified, is_active, is_verified) and OrganizationsResponse
- Remove mock/demo UI in favor of live data display and editing flow
X-Lovable-Edit-ID: edt-9178366f-2fd0-459c-bf17-2ec1e2f5529b