feat(mobile): bootstrap mobile app (PWA + Capacitor + backend auth/CORS)
Implements the §12 bootstrap from docs/mobile-app-plan.md. Backend (§6): - auth: optional returnToken flag on login returns the JWT in the body (data.authToken) for native Keychain/Keystore + Bearer; web cookie flow unchanged. - main.ts: explicit CORS allowlist (APP_URL + CORS_ALLOWED_ORIGINS env + Capacitor WebView origins), credentials enabled, replaces open enableCors(). - optional OpenAPI/Swagger at /api/docs behind SWAGGER_ENABLED. - env: CORS_ALLOWED_ORIGINS, SWAGGER_ENABLED, CAP_SERVER_URL. PWA: - manifest metadata, hand-rolled service worker (network-first nav, SWR assets, never intercepts /api,/socket.io,/collab), prod-only registration, apple-touch-icon. Capacitor: - capacitor.config.ts (webDir apps/client/dist; iOS via CAP_SERVER_URL to avoid bundling the AGPL client in the .ipa, see plan §9), cap:* scripts, deps, .gitignore for native dirs. - docs/mobile-bootstrap.md documenting what is done and the remaining manual steps (cap add ios/android, APNs/FCM, stores). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
committed by
claude code agent 227
parent
e05495ba4f
commit
caeb555039
@@ -97,6 +97,12 @@ export class AuthController {
|
||||
} else if (mfaResult.authToken) {
|
||||
// User doesn't have MFA and workspace doesn't require it
|
||||
this.setAuthCookie(res, mfaResult.authToken);
|
||||
// Opt-in body token for native clients (Bearer auth). The response is
|
||||
// wrapped by TransformHttpResponseInterceptor, so clients read it at
|
||||
// `data.authToken`. Web clients omit returnToken and keep the cookie.
|
||||
if (loginInput.returnToken) {
|
||||
return { authToken: mfaResult.authToken };
|
||||
}
|
||||
return;
|
||||
}
|
||||
}
|
||||
@@ -104,6 +110,12 @@ export class AuthController {
|
||||
|
||||
const authToken = await this.authService.login(loginInput, workspace.id);
|
||||
this.setAuthCookie(res, authToken);
|
||||
// Opt-in body token for native clients (Bearer auth). The response is wrapped
|
||||
// by TransformHttpResponseInterceptor, so clients read it at `data.authToken`.
|
||||
// Web clients omit returnToken and keep using the httpOnly cookie only.
|
||||
if (loginInput.returnToken) {
|
||||
return { authToken };
|
||||
}
|
||||
}
|
||||
|
||||
@UseGuards(SetupGuard)
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
import { IsEmail, IsNotEmpty, IsString } from 'class-validator';
|
||||
import { IsBoolean, IsEmail, IsNotEmpty, IsOptional, IsString } from 'class-validator';
|
||||
|
||||
export class LoginDto {
|
||||
@IsNotEmpty()
|
||||
@@ -8,4 +8,13 @@ export class LoginDto {
|
||||
@IsNotEmpty()
|
||||
@IsString()
|
||||
password: string;
|
||||
|
||||
// When true, the access token is returned in the response body (in addition
|
||||
// to the httpOnly cookie) so native/mobile clients can store it in
|
||||
// Keychain/Keystore and send it as 'Authorization: Bearer'. Web clients omit
|
||||
// this flag and keep using the cookie. Opt-in only: the token is never put in
|
||||
// the body otherwise.
|
||||
@IsOptional()
|
||||
@IsBoolean()
|
||||
returnToken?: boolean;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user