Added OIDC Web Page Flow
Admin can add/reset password
Admin can remove users'/members mfa/2fa, unlink account from oauth provider
Chore: Text changes (Forgot Pass, CA)
Add ensureValidRpId helper to validate and correct rp.id for WebAuthn
operations, preventing authentication failures when the configured rp.id
doesn't match the current hostname. Also add OAuthProvider type and fix
type casting in LoginPage.
- Store authentication tokens explicitly before setting user state in login
and TOTP verification flows to prevent race conditions
- Add 'credentials: include' to WebAuthn endpoints for proper session
cookie handling
- Add comprehensive debug logging throughout authentication flow to trace
token lifecycle and API requests
- Update WebAuthn completeLogin to use fetch directly instead of request
helper to properly handle session cookies
- Add allowedHosts configuration to Vite dev server
Ensure Authorization header is preserved and credentials are included across all API calls after login by updating the global request flow to always include the auth token and cookies, preventing API requests from failing due to missing authentication.
X-Lovable-Edit-ID: edt-e27762ef-c64c-401b-9944-0d5bcb8ea624
Ensure fetch requests always include credentials to maintain session cookies after login and TOTP flows.
X-Lovable-Edit-ID: edt-bd4a695e-663c-4919-a238-aa222a5c0609
Enhance login and security UI with WebAuthn passkey support:
- Implement WebAuthn API integration for registration, login, and credential management.
- Wire up begin/complete registration and login flows, including credential handling and status checks.
- Extend API client with webauthn endpoints, status, and credential management; adjust token handling for 401s.
- Update Login and Security pages to support passkey enrollment, removal, and display of passkeys.
- Add WebAuthn utilities and adjust existing components to work with new flows.
X-Lovable-Edit-ID: edt-5876d103-501a-44d9-b117-e671b9995451
- Implement TOTP prompts during login: if login returns requires_totp, show TOTP input and verify via /auth/totp/verify to complete authentication.
- Update API client to support TOTP flow, store tokens after successful TOTP verification.
- Wire AuthContext and LoginPage to handle TOTP challenge, returning requiresTotp from login and proceeding after verification.
- Preserve token on 401 for credential-related steps; clear only on true session-invalid responses.
X-Lovable-Edit-ID: edt-0672a4fb-c58a-4d0c-88dc-86bcee853964
Update TotpEnrollmentWizard to handle QR code data_uri gracefully by using enrollmentData.qr_code directly if it already starts with data:, otherwise prefix with data:image/png;base64,. This prevents invalid HTML and extra requests.
X-Lovable-Edit-ID: edt-779080b3-442d-4aeb-aaaf-e0e3c26b795d
Improve token management on 401 responses by introducing configurable token-clearing logic, apply it to sensitive endpoints (TOTP verify, disable, regenerator, and password change), and adjust me endpoint behavior to use explicit clear-token rules. Also preserve no-cache headers and add dev logs for 401 events.
X-Lovable-Edit-ID: edt-9528378f-7146-45e6-96d9-47c22492fd87
Enable real TOTP flow by integrating enroll/verify/backup codes API, updating TotpEnrollmentWizard and TotpRemoveDialog to use backend, and connect SecurityPage to live status. Replaces mock data with API calls, adds status refresh after enrollment, and wires removal to API with UI confirmations.
X-Lovable-Edit-ID: edt-3f2bb4a3-06ff-406a-bc2c-d4c70de452a1
Ensure all API requests include no-cache headers to avoid cached CORS issues. Added Cache-Control, Pragma headers and set fetch to no-store, so requests are not cached.
X-Lovable-Edit-ID: edt-17929842-67a4-4e77-8ea7-1e46d2ee30fc
- Add TOTP enrollment UI flow to SecurityPage via TotpEnrollmentWizard
- Integrate removal dialog TotpRemoveDialog with confirmation
- Update SecurityPage to reference new TOTP components and reflect enrollment state
- Implement wizard steps: setup, verify, backup-codes, and completion
- Show enabling status and removal option with confirmation when enrolled
X-Lovable-Edit-ID: edt-8f92b58a-f7e2-4820-9941-aeb31a19c58f
Add client-side validation in SecurityPage to alert when the new password matches the current password, preventing submission and showing an error.
X-Lovable-Edit-ID: edt-3a30092e-86a6-4d0a-892f-19ece7859cfe
Add password change API method and integrate into SecurityPage by wiring form fields, validation, and API call to /users/me/password, replacing mock/stub logic with real endpoint handling.
X-Lovable-Edit-ID: edt-19aca63f-7777-44a3-887e-98303dc46028
Improve ApiDevTools to log fetch errors with stack traces during development, fix UUID generation fallback for environments lacking crypto.randomUUID, and ensure errors are surfaced in the browser console for easier debugging. Includes fallback generateUUID and preserved patching with proper catch blocks.
X-Lovable-Edit-ID: edt-83e14dbc-6e2d-4ff9-9d17-d881d62d7da6
Resolve TS2451 redeclare by removing duplicate isDev, fix fetch patch scope, and restore proper closure. Also improve login error logging to show dev details without breaking prod.
X-Lovable-Edit-ID: edt-ee281f89-34b9-41ce-ae0a-1ed1dcece8ab
Enable ApiDevTools to reliably log API requests on login by refining fetch interception (only log /api/* calls, support dev mode), and adjust login error handling to surface dev-friendly messages.
X-Lovable-Edit-ID: edt-f0cc8901-1c2f-4253-819a-332460757b44
Move Google font @import to the top of index.css so it precedes Tailwind directives and avoid CSS parse error.
X-Lovable-Edit-ID: edt-61ca6e61-d390-47b8-8731-1cb35a116ac9
JamesBhattarai
HawkveltGiteaAdmin
nexgen_mirrors
coryHawkvelt
gpt-engineer-app[bot]