1.5 KiB
Registration Token State Design
Status
Pending written-spec review.
Goal
Registration creates an account but never creates or retains a browser login state. Only a successful password login or SMS login may persist an authentication token.
Contract Owner
utils/ApiClient.js owns browser token persistence. Pages invoke API methods and redirect according to their existing form configuration; they do not read, write, or clear the token directly.
Required Behavior
login()andloginBySms()persist the token returned by their successful responses undergenealogy_auth_token.register()posts the existing registration request unchanged and returns its response unchanged.- After a successful
register()response,register()clearsgenealogy_auth_token. This applies even when the response includestoken,accessToken, ortokenValue. - If
register()fails, token storage is not changed. register.htmlcontinues redirecting tologin.htmlafterregister()resolves.
Scope
This change does not add a profile-page login guard, 401 redirect handling, or logout UI. Those are separate authentication-lifecycle steps that must consume the same ApiClient token contract.
Verification
The API-client tests must prove that successful registration removes a previously stored token and does not store a token returned by registration. They must also retain coverage showing password and SMS login still store their returned tokens.