85a935f3a5f268ffbec3cc1d7894378ea56096d3
- Enhanced Date/Time Handling with null/sentinel date logic (1900-01-01) - Added 'See Notes' display for sentinel dates with related note fields - Documented date entry normalization and validation rules - Added Boolean Field Handling guidelines - Added Calculated Fields documentation (Active, Due_Date_Counter) - Added Due_Date_ASAP field specification for urgent job tracking - Added Pending Schema Updates section - Version bump to 1.0.0-alpha2
Auth Login Patterns
Selector: Set this once per project.
ACTIVE_LOGIN_METHOD=pb-oauth-via-microsoft
(Other methods can be added; only one should be active.)
Shared Rules (All Methods)
- Serve frontend from the project’s
frontendfolder; show login UI only when not authenticated. - Secrets come from
.env; never hardcode or log secrets/tokens. - Token storage: use in-memory auth store (avoid localStorage/sessionStorage unless explicitly required).
- On logout, clear the auth store and hide the protected UI.
- Log only context + message; exclude raw tokens or secrets.
Method: pb-oauth-via-microsoft (PocketBase + Microsoft)
Frontend
- Use PocketBase SDK OAuth (
provider: 'microsoft'). - Show login button when
!pb.authStore.isValid; hide the form until valid. - On success: keep token in
pb.authStore; display user email; show logout. - On logout:
pb.authStore.clear(); hide protected UI.
Backend
- Endpoints expecting auth (e.g.,
/api/submit) must receivepbToken. - Call
setUserPocketBaseAuth(pbToken)before PocketBase operations. - Required
.envkeys:CLIENT_ID,CLIENT_SECRET,TENANT_ID,REDIRECT_URI,PB_DB,PB_COLLECTION,PB_AUTH_COLLECTION. - Validate token via PocketBase client; reject if missing/invalid.
- Do not log tokens; log context and error message only.
UI States
- Logged out: show login UI only.
- Logged in: hide login UI, show form/app content.
- Errors: show a visible error container; avoid alert loops.
Security
- Enforce CORS as needed; HTTPS in production.
- Keep
.envout of version control; use deploy-time secrets.
Method: pb-and-graph-via-microsoft (PocketBase + Microsoft Graph)
Frontend
- Same UI pattern as
pb-oauth-via-microsoft(PocketBase OAuthprovider: 'microsoft'). - Show login when
!pb.authStore.isValid; hide protected UI until valid. - On success: keep token in
pb.authStore; display user email; show logout; on logout clear auth store.
Backend
- Expect
pbTokenon protected endpoints; callsetUserPocketBaseAuth(pbToken)before PB operations. - Acquire Graph token via client credentials for Excel sync.
- Required
.envkeys:- Azure AD:
CLIENT_ID,CLIENT_SECRET,TENANT_ID,REDIRECT_URI - PocketBase:
PB_DB,PB_COLLECTION,PB_AUTH_COLLECTION - Graph/Excel:
DRIVE_ID,ITEM_ID,EXCEL_TABLE,EXCEL_TABLE_WRITEBACK(if used)
- Azure AD:
- Use Graph scope:
https://graph.microsoft.com/.default - Do not log tokens; log context + message only.
Token Handling
- PocketBase token (user): stored in memory via
pb.authStore; sent to backend aspbToken. - Graph token (app): obtained server-side via client credentials; never exposed to frontend; short-lived, fetched on demand.
UI States
- Logged out: show login UI only.
- Logged in: hide login UI, show form/app content.
- Errors: show visible error container; avoid alert loops.
Security
- Enforce CORS as needed; HTTPS in production.
- Keep
.envout of version control; use deploy-time secrets. - Do not log raw tokens or secrets.
Method: PBandGraphOauth (PocketBase + Microsoft Graph OAuth)
Frontend
- Use PocketBase SDK OAuth (
provider: 'microsoft'). - Show login button when
!pb.authStore.isValid; hide protected UI until valid. - On success: keep token in
pb.authStore; display user email; show logout. - On logout:
pb.authStore.clear(); hide protected UI.
Backend
- Endpoints expecting auth (e.g.,
/api/submit) must receivepbTokenfrom the frontend. - Call
setUserPocketBaseAuth(pbToken)before PocketBase operations. - Obtain a Microsoft Graph access token using Azure AD app credentials.
- Required
.envkeys (exactly from current.env):- Azure AD:
CLIENT_ID,CLIENT_SECRET,TENANT_ID,REDIRECT_URI - PocketBase:
PB_DB,PB_COLLECTION,PB_AUTH_COLLECTION
- Azure AD:
- Graph token scope:
https://graph.microsoft.com/.default. - Never log raw tokens or secrets; log only context + messages.
Token Handling
- PocketBase token (user): stored in memory via
pb.authStore; sent to backend aspbTokenon protected calls. - Graph token (app): acquired server-side via client credentials using
CLIENT_ID/CLIENT_SECRET/TENANT_ID; never exposed to the frontend.
UI States
- Logged out: show login UI only.
- Logged in: hide login UI; show protected UI.
- Errors: show a visible error container; avoid alert loops.
Security
- Enforce CORS as needed; HTTPS in production.
- Keep
.envout of version control; use deploy-time secrets. - Do not log raw tokens or secrets.
Adding Another Method (Template)
# Example selector
ACTIVE_LOGIN_METHOD=custom-sso
Frontend:
- Describe SDK/flow
- Show/hide rules
- Token storage rules
Backend:
- How tokens are validated
- Required .env keys
- How errors are logged/returned
Security:
- CORS/HTTPS rules
- Logging redactions
How to Use
- Copy this folder into a new project (outside your app code) or reference it as the canonical auth guide.
- Set
ACTIVE_LOGIN_METHODto the one in use. - Follow only the active method; do not mix flows.
- Keep .env values in deploy-time secrets; never commit them.
Description
Languages
HTML
82%
TypeScript
18%