Files
jiapu/docs/superpowers/specs/2026-07-11-auth-to-profile-flow-design.md
T
2026-07-11 09:41:32 +08:00

3.4 KiB

Auth To Profile Flow Design

Status

Approved for implementation.

Goal

Complete the PC journey from registration through login and personal-profile retrieval, with one token owner, deterministic redirects, and a single recorded API base address.

Endpoint Configuration

config.js is the sole runtime owner of the API base address. Both development and production currently use http://182.61.18.23:8080. tests/config.test.js must assert that value. The PC integration tracker must record the change on 2026-07-11 and label prior test-domain references as historical rather than current configuration.

Token Contract

utils/ApiClient.js owns token persistence under genealogy_auth_token.

  1. Successful password login and SMS login must receive a nonempty response token, persist it, and then allow navigation to profile.html. The current backend response uses data.access_token; the client also accepts token, accessToken, and tokenValue for declared compatibility.
  2. A login response without a token is an authentication failure. The login page remains in place and no profile navigation occurs.
  3. Successful registration removes any existing token and navigates to login.html. Registration never persists a response token.
  4. A failed registration leaves existing token storage unchanged.
  5. logout() clears token storage in a finally path, so a failed or expired logout request cannot leave a local session behind.

Page Flow

  1. Registration validates fields, obtains WEB_H5_REGISTER captcha proof, posts /genealogy/pc/auth/register, clears token through ApiClient.register(), and redirects to login.html.
  2. Password and SMS login validate fields, obtain WEB_H5_LOGIN captcha proof, post their respective login endpoint, persist the returned token through ApiClient, and redirect to profile.html.
  3. profile.html and profile-data.html check for a token before requesting /genealogy/pc/auth/profile. Without one, they redirect to index.html without making the profile request.
  4. A profile-read or profile-update error with HTTP status 401 or business code 401 clears token storage and redirects to index.html. Other errors remain on the current page and show the existing error message.
  5. Confirmed logout calls /genealogy/pc/auth/logout, clears token regardless of the request outcome, and redirects to index.html.

Ownership

  • config.js: API base address.
  • utils/ApiClient.js: login-token validation, persistence, clearing, and logout cleanup.
  • public/js/profile-pages.js: profile-page token guard and unauthorized redirect.
  • public/js/profile-common.js: confirmed logout action and redirect.
  • docs/pc-api-page-integration-tracker-2026-07-09.md: current address record and end-to-end authentication status.

Verification

Tests must prove the configured address, registration state, both login token paths, missing-token login rejection, logout cleanup after both success and failure, and profile unauthorized classification. Focused configuration, API-client, profile-page, and authentication tests must pass before the full Node test suite is run.

Scope

This flow covers registration, password login, SMS login, profile retrieval and update on the two pages that load /genealogy/pc/auth/profile, and the existing profile logout action. Password reset, phone change, account deactivation, and profile pages without profile API loading remain outside this change.