
I need you to investigate and report — do not ask me questions, I have no coding knowledge. You have full access to the codebase and terminal. Figure everything out yourself. Investigate the authentication system in this backend and produce a file called AUTH_GUIDE.md in the project root. It must contain:

  1. TEST CREDENTIALS Look at the seed script and database. Find or create two working user accounts:
  • One super-admin / platform admin user
  • One hotel-level user
  For each, list: email, password, role, and tenant/hotel ID if applicable. If the seed script does not set known passwords, modify it to create these two users with simple known passwords (e.g., admin@test.com / Admin123! and hotel@test.com / Hotel123!), re-run the seed, and confirm they exist in the database.
  2. LOGIN FLOW Document exactly how authentication works by reading the code:
  • What endpoint does a client call to log in? What is the request body shape?
  • What does the response contain? (JWT in body? Set-Cookie header? Both?)
  • Are tokens sent as HTTP-only cookies, Authorization headers, or both?
  • What are the exact cookie names if cookies are used?
  • Is the Secure flag set on cookies? (This blocks cookies on http://localhost)
  • Is SameSite set to Strict, Lax, or None?
  • What domain/path are cookies scoped to?
  3. SESSION VALIDATION
  • What does /api/auth/me expect? (Cookie? Authorization header? Both?)
  • What does /api/auth/refresh expect? What causes it to return 403?
  • Is CSRF protection enabled? If yes, how does a client get and send the CSRF token?
  4. CORS CONFIGURATION
  • What origins are allowed?
  • Are credentials (cookies) allowed in CORS?
  • Show me the exact CORS configuration from the code.
  5. PROOF TEST Using httpx or requests in Python, perform this exact sequence and show me the full response (headers + body) for each step:
  a. POST to the login endpoint with the admin credentials
  b. Using whatever tokens/cookies came back, GET /api/auth/me
  c. Using whatever tokens/cookies came back, GET /api/admin/dashboard/summary

If any step fails, diagnose why and fix it. Then re-run and show the successful results. Put everything in AUTH_GUIDE.md.
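The proof-test sequence and the cookie-flag questions above, as an added example that is not part of the prompt or of the backend it targets; it uses only the Python standard library (urllib plus a CookieJar) instead of httpx/requests so it runs anywhere. Assumed, because the prompt leaves them to be discovered: the login route is POST /api/auth/login with a JSON body of email and password, and a body token, if any, is returned under "accessToken".

```python
import json
import urllib.error
import urllib.request
from http.cookiejar import CookieJar


def audit_set_cookie(header: str, base_url: str) -> dict:
    """Parse one Set-Cookie value; flag attributes that break or weaken the
    cookie for a client at base_url (e.g. Secure on http://localhost)."""
    name, *rest = [p.strip() for p in header.split(";")]
    attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in rest)}
    rep = {"name": name.split("=", 1)[0], "secure": "secure" in attrs,
           "httponly": "httponly" in attrs,
           "samesite": attrs.get("samesite") or "(unset)",
           "domain": attrs.get("domain") or "(host-only)",
           "path": attrs.get("path") or "/", "warnings": []}
    if rep["secure"] and base_url.startswith("http://"):
        rep["warnings"].append("Secure set: browsers drop it over plain http")
    if rep["samesite"].lower() == "none" and not rep["secure"]:
        rep["warnings"].append("SameSite=None without Secure is rejected")
    if not rep["httponly"]:
        rep["warnings"].append("no HttpOnly: readable by page scripts")
    return rep


def run_proof_test(base_url: str, email: str, password: str) -> list:
    """POST the login, then GET /api/auth/me and /api/admin/dashboard/summary,
    carrying cookies (and a bearer token if the body had one) between steps."""
    opener = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(CookieJar()))
    results, auth = [], {}
    steps = [("POST", "/api/auth/login"),  # assumed route and body shape
             ("GET", "/api/auth/me"), ("GET", "/api/admin/dashboard/summary")]
    for method, path in steps:
        data = json.dumps({"email": email, "password": password}).encode() if method == "POST" else None
        req = urllib.request.Request(base_url + path, data=data, method=method,
                                     headers={"Content-Type": "application/json", **auth})
        try:
            resp = opener.open(req)
        except urllib.error.HTTPError as err:
            resp = err  # a failed step still has headers and body to report
        body = resp.read().decode(errors="replace")
        results.append((path, resp.code, dict(resp.headers), body))
        for raw in resp.headers.get_all("Set-Cookie") or []:
            results.append((path + " Set-Cookie", audit_set_cookie(raw, base_url)))
        if method == "POST" and resp.code == 200:
            tok = (json.loads(body) if body.startswith("{") else {}).get("accessToken")  # assumed field
            auth = {"Authorization": f"Bearer {tok}"} if tok else {}
    return results
```

Each entry in the returned list is either a (path, status, headers, body) record for one step, so a failing step's full response is kept for diagnosis, or a per-cookie audit naming the Secure, HttpOnly, SameSite, Domain and Path settings the guide has to report.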