feat(auth): Add API token refresh for mobile/API clients (Vibe Kanban) #2
Open
jtomaszewski wants to merge 19 commits into develop
* feat(544): Add autocomplete in the events selector
* feat(544): Add integration test for event autocomplete
* feat(544): Add integration test for event autocomplete
* feat(544): Update integration test for event autocomplete
* fix(544): address PR review comments

…rcato#650)
* fix: prevent CrudForm from resetting fields on initialValues reference churn

  useEffect watching initialValues fired on every reference change even when data was semantically identical, causing edited fields to briefly flash their previous values after save. Added a JSON.stringify snapshot guard so the effect only applies new values when the data actually changes.

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* Adds missing test cases for the snapshot guard fix.
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

…pdates (open-mercato#598)
* Issue open-mercato#453 - Add module directory scanning and structure updates with enhanced features
* Issue open-mercato#453 - Add comprehensive tests for module scanning and subset generation
  - Introduced detailed test coverage for the `scanModuleDir` and `resolveModuleFile` functionalities, including various edge cases and hierarchy handling.
  - Added tests for `generateModuleRegistry` and `generateModuleRegistryCli` with module subset scenarios.
  - Ensured proper handling of app overrides, sorting, deduplication, and file filtering logic.
  - Verified correctness of generated files under different configurations.
* Issue open-mercato#453 - Add tests for handling `translations.ts` and `translations-fields.generated.ts` in module generation
* Issue open-mercato#453 - Enhance module scanning to handle empty `folder` config and add corresponding tests
* Refactor tests to reuse shared `rootConfig` for empty folder scanning scenarios

* mail agents first pass
* improvements
* navbar + other fixes
* spec update
* phase 2 of inbox agent
* phase 3 of inbox agent
* phase 3
* example
* improving docs
* updating spec
* fix: restore ai dependency + add PR description

  The `ai` (Vercel AI SDK) package was accidentally removed from @open-mercato/core dependencies. It is required by inbox_ops (llmProvider, translationProvider) and attachments (ocrService).

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* last touches
* final touches
* remove old spec file
* change tsx location
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Split the canary workflow so push-to-develop publishes with a
`-develop-{hash}` suffix via a new workflow, while the existing
canary workflow only handles PR-based publishing.
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

…pen-mercato#709)
The create-app template had broken locale files (invalid JSON in en/es, empty de) and the scheduler package was missing from the Verdaccio publish script with a stale version. Sync locale files from the main app and add scheduler to the publish pipeline at version 0.4.4.
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Renames the develop-only release workflow to a generic snapshot release that triggers on pushes to both `develop` and `main`. The script auto-detects the branch and uses it as the version suffix (-develop-HASH or -main-HASH).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Delete release-canary.sh and have the canary workflow call release-snapshot.sh with "canary" suffix argument. The script now accepts an optional suffix, defaulting to the current branch name.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Single workflow handles all three triggers:
- pull_request → canary suffix
- push to develop → develop suffix
- push to main → main suffix

PR comment step runs only for pull_request events.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

…rcato#713)
The create-mercato-app CLI is described as the recommended way to build on Open Mercato, yet it was buried under Customization Tutorials. This adds it to the Installation sidebar, setup page, prerequisites page, overview page, and homepage Getting Started section so new users discover it immediately. Also fixes the outdated Node.js version requirement (18 → 24) in the create-app README and prerequisites docs.
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

- Add POST handler to /api/session/refresh accepting JSON body with refreshToken
- Return refreshToken in login response when remember=true
- Update OpenAPI documentation for both endpoints

Closes open-mercato#613
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

TC-AUTH-017 covers:
- Login with remember=true returns refreshToken
- Login without remember does not return refreshToken
- POST /api/session/refresh returns new accessToken
- Error handling for missing/invalid refresh tokens
- New access token can be used for authenticated requests

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Summary
This PR adds header-based token refresh support for mobile and API clients, addressing the limitation where only browser-based cookie authentication could refresh tokens.
Changes
- POST `/api/session/refresh` - New endpoint for API/mobile clients
  - `{"refreshToken": "..."}` in JSON request body
  - `{"ok": true, "accessToken": "jwt...", "expiresIn": 28800}`
  - `auth_token` cookie for hybrid apps (e.g., mobile WebView)
- Login response extended - When `remember=true`, the response now includes the `refreshToken` field in the JSON body, allowing mobile/API clients to store and use it for token refresh
- Existing behavior preserved - GET `/api/session/refresh` continues to work for browser clients with cookie-based redirect flow

API Usage
Login (obtain refresh token):
Refresh (API clients):

Test Plan
- `remember=true` returns `refreshToken`
- `rememember` does not return `refreshToken`
- `accessToken` for valid token

Closes open-mercato#613
This PR was written using Vibe Kanban
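
A client-side view of the POST `/api/session/refresh` exchange described above, as an added example that is not part of the PR or the project's code. `TokenSession`, `transport`, `now` and `skewSeconds` are hypothetical names, and treating every non-200 or malformed response as a rejected refresh token is an assumption, since the page gives no error status codes.

```javascript
// Added example, not code from the PR. TokenSession, transport, now and
// skewSeconds are hypothetical names; transport is a fetch-shaped function.
class TokenSession {
  constructor({ baseUrl, refreshToken, transport, now = () => Date.now(), skewSeconds = 60 }) {
    this.baseUrl = baseUrl;
    this.refreshToken = refreshToken; // keep in platform secure storage, never in logs
    this.transport = transport;
    this.now = now;
    this.skewMs = skewSeconds * 1000;
    this.accessToken = null;
    this.expiresAt = 0;
    this.inflight = null;
  }

  // Return a usable access token, refreshing only when missing or near expiry.
  async getAccessToken() {
    if (this.accessToken && this.now() < this.expiresAt - this.skewMs) {
      return this.accessToken;
    }
    // Concurrent callers share one refresh request instead of sending several.
    if (!this.inflight) {
      this.inflight = this.refresh().finally(() => { this.inflight = null; });
    }
    return this.inflight;
  }

  async refresh() {
    const res = await this.transport(`${this.baseUrl}/api/session/refresh`, {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ refreshToken: this.refreshToken }),
    });
    const body = await res.json().catch(() => ({}));
    const valid = res.status === 200 && body.ok === true &&
      typeof body.accessToken === 'string' && Number.isFinite(body.expiresIn);
    if (!valid) {
      // Assumption: any other outcome means the refresh token is unusable.
      // Drop cached state so the caller falls back to a full login.
      this.accessToken = null;
      this.expiresAt = 0;
      throw new Error(`token refresh rejected (HTTP ${res.status})`);
    }
    this.accessToken = body.accessToken;
    this.expiresAt = this.now() + body.expiresIn * 1000;
    return this.accessToken;
  }
}
```

In an app, pass the platform's `fetch` as `transport` and construct the session with the `refreshToken` returned by a `remember=true` login.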