diff --git a/docs/ROO-HANDOVER.md b/docs/ROO-HANDOVER.md index 02ea320..d145672 100644 --- a/docs/ROO-HANDOVER.md +++ b/docs/ROO-HANDOVER.md 
@@ -6,6 +6,35 @@ --- +## ✅ LOGIN WORKING — 2026-06-13 (update 2) — full auth flow verified + +After deploy, login showed a client-side "Oops! Something went wrong" error boundary. +Four more root causes, all fixed and verified (`signin → 302 → /dashboard`, session +populated with `role: ADMIN` + `clubId`): + +4. **NextAuth `MissingSecret` → "Oops" error boundary** — override env (TrueNAS, not git) + NextAuth v5 (Auth.js) reads **`AUTH_SECRET`**, not `NEXTAUTH_SECRET`. The runtime env had + only `NEXTAUTH_SECRET`, so `signIn` threw `MissingSecret` → the React error boundary fired. + Added `AUTH_SECRET` (+ `AUTH_TRUST_HOST=true`) to the frontend service in the TrueNAS override. + +5. **No seed data** — DB had 0 users. Seeded club + admin (`admin@test.de`). The seed comment's + BCrypt hash was for "password", not "test123" — regenerated a correct hash for `test123`. + +6. **Backend HTTP 500 after successful auth: `Illegal base64 character: '-'`** — commit `dac884c` + `JwtService.getSigningKey()` does `Decoders.BASE64.decode(secret)`. The compose secret + `docker-dev-secret-key-...-for-hmac` is plaintext with hyphens (not valid base64), so signing + the JWT threw once credentials passed. Replaced with a real base64 secret (`openssl rand -base64 48`). + +7. **NextAuth `CredentialsSignin` — API/frontend contract mismatch** — commit `281adda` + `authorize()` read `data.member.id/email/clubName/clubId`, but the backend `LoginResponse` is + **flat**: `{ accessToken, refreshToken, expiresIn, role }` — no `member` object. Accessing + `data.member.id` on `undefined` threw → `authorize` returned null. Fixed by decoding the JWT + payload for identity claims (`sub`=userId, `email`, `tenant_id`=clubId) + the flat `role`. + +**Login credentials:** `admin@test.de` / `test123` (dev seed). + +--- + ## ✅ RESOLVED — 2026-06-13 — CannaManage live at http://192.168.188.119:3000 All blocking issues fixed. Stack is up on TrueNAS (backend + db healthy, frontend serving).
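Review bot: The "Login credentials" line at the end of the added section commits a working admin login (`admin@test.de` / `test123`) into the docs, directly above a section that says the stack is live at http://192.168.188.119:3000. State explicitly that this seed account exists only in the dev database, and add a step to change or remove it before the instance is reachable from outside the dev network. In item 6, say where the regenerated base64 secret is stored: the text reads as if commit `dac884c` put it in the compose file, in which case it is in git history, so mark it as a dev-only value and note that real deployments supply it through the TrueNAS override, the way item 4 does for `AUTH_SECRET`. Item 7 should also record whether `authorize()` verifies the JWT signature or only decodes the payload for `sub`, `email` and `tenant_id`; if it only decodes, document that the token is trusted because it comes straight from the backend `LoginResponse` and that the decoded claims must not be accepted from any other source.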