admin/everything-claude-code
1
0
Fork 0
mirror of https://github.com/affaan-m/everything-claude-code.git synced 2026-02-04 21:53:08 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
9bc587aaaeb7578ca4b1127fba72c8bb516653dc
everything-claude-code/examples/sessions/2026-01-20-feature-auth.tmp
Affaan Mustafa 6bf102dbaa feat: add continuous learning skill with session examples 
Stop hook-based pattern extraction - no README, comments in .sh file.
2026-01-20 18:33:33 -08:00

77 lines
2.2 KiB
Plaintext
Raw Blame History

# Session: Auth Feature Implementation
**Date:** 2026-01-20
**Started:** 14:30
**Last Updated:** 17:45
---
## Current State
Working on JWT authentication flow for the API. Main goal is replacing session-based auth with stateless tokens.
### Completed
- [x] Set up JWT signing with RS256
- [x] Created `/auth/login` endpoint
- [x] Added refresh token rotation
- [x] Fixed token expiry bug (was using seconds, needed milliseconds)
### In Progress
- [ ] Add rate limiting to auth endpoints
- [ ] Implement token blacklist for logout
### Blockers Encountered
1. **jsonwebtoken version mismatch** - v9.x changed the `verify()` signature, had to update error handling
2. **Redis TTL for refresh tokens** - Was setting TTL in seconds but passing milliseconds
### Key Decisions Made
- Using RS256 over HS256 for better security with distributed services
- Storing refresh tokens in Redis with 7-day TTL
- Access tokens expire in 15 minutes
### Code Locations Modified
- `src/middleware/auth.js` - JWT verification middleware
- `src/routes/auth.js` - Login/logout/refresh endpoints
- `src/services/token.service.js` - Token generation and validation
### Notes for Next Session
- Need to add CSRF protection for cookie-based token storage
- Consider adding fingerprinting for refresh token binding
- Review rate limit values with team
### Context to Load
```
src/middleware/
src/routes/auth.js
src/services/token.service.js
```
---
## Session Log
**14:30** - Started session, goal is JWT implementation
**14:45** - Set up basic JWT signing. Using RS256 with key pair stored in env vars.
**15:20** - Login endpoint working. Discovered jsonwebtoken v9 breaking change - `verify()` now throws different error types. Updated catch block:
```javascript
// Old (v8)
if (err.name === 'TokenExpiredError') { ... }
// New (v9)
if (err instanceof jwt.TokenExpiredError) { ... }
```
**16:00** - Refresh token rotation working but tokens expiring immediately. Bug: was passing `Date.now()` (milliseconds) to `expiresIn` which expects seconds. Fixed:
```javascript
// Wrong
expiresIn: Date.now() + 900000
// Correct
expiresIn: '15m'
```
**17:30** - Auth flow complete. Login -> access token -> refresh -> new tokens. Ready for rate limiting tomorrow.
**17:45** - Saving session state.
Reference in New Issue View Git Blame Copy Permalink