Skip to content

Implement client-side API architecture with HttpOnly cookie authentication and Superforms #99

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
Copilot wants to merge 19 commits into
base: master
Choose a base branch
from
Draft

Implement client-side API architecture with HttpOnly cookie authentication and Superforms #99

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
19 commits
Select commit Hold shift + click to select a range
ce962a5
Initial plan
Copilot Dec 6, 2025
a683711
Add client-side API services and auth components with HttpOnly cookie…
Copilot Dec 6, 2025
b8c117c
Add comprehensive documentation and usage examples for client API
Copilot Dec 6, 2025
62f4682
Address code review feedback - fix refresh exclusions and remove unus…
Copilot Dec 6, 2025
c8a2b22
Add comprehensive implementation summary and complete documentation
Copilot Dec 6, 2025
cee17d7
Refactor to use global API instance, Valibot validation, and fix secu…
Copilot Dec 6, 2025
8b50eec
Create singleton for ClientAuthService, use Valibot flatten for type-…
Copilot Dec 6, 2025
06b8964
Improve Valibot usage documentation and error handling based on conte…
Copilot Dec 6, 2025
e2daf00
feat: add shadcn forms
TheRealSeber Dec 6, 2025
db3caf3
Refactor ClientLoginForm to use Sveltekit Superforms with Valibot ada…
Copilot Dec 6, 2025
b7b6d57
Migrate login and register pages to use new Superforms-based client A…
Copilot Dec 6, 2025
8380e8b
Refactor auth forms to use shared schemas and remove unnecessary onSu…
Copilot Dec 7, 2025
2758655
feat: adjust a lot of code
TheRealSeber Dec 7, 2025
dfd9320
fix: some stuff
TheRealSeber Dec 7, 2025
d1d0f75
Merge branch 'master' into copilot/migrate-authentication-functionality
TheRealSeber Jan 11, 2026
4fe9715
feat: migrate a lot
TheRealSeber Jan 19, 2026
d13eb33
fix: CLAUDE.md
TheRealSeber Jan 19, 2026
72a254f
chore: run linters
TheRealSeber Jan 19, 2026
1839292
last changes
TheRealSeber Jan 24, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .env.example
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,2 +1,3 @@
BACKEND_API_URL=http://localhost:8000
PUBLIC_BACKEND_API_URL=http://localhost:8000/api/v1
FILE_STORAGE_URL=http://file-storage:8888
23 changes: 23 additions & 0 deletions .github/copilot-instructions.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -859,6 +859,29 @@ pnpm run check # Type checking
- Use `TokenManager` for cookie operations
- All API requests include authentication via `createApiClient(cookies)`

### Client-Side API (Optional Pattern)

For scenarios requiring direct browser-to-backend communication:

- **Global Instance**: Use `getClientApiInstance()` for singleton API client
- **Client Services**: `ClientApiService` and `ClientAuthService`
- **Security**: HttpOnly cookies, automatic token refresh, race condition protection
- **Use Cases**: Real-time features, SPA-like interactions, progressive enhancement

Example:

```typescript
import { getClientApiInstance, ClientAuthService } from '$lib/services';

const apiClient = getClientApiInstance();
if (apiClient) {
const authService = new ClientAuthService(apiClient);
await authService.login({ email, password });
}
```

**Note**: Prefer remote functions for most server-side operations. Use client API only when direct browser-to-backend communication is specifically needed.

## Important Notes

1. **Always use remote functions** for server-side operations - don't use `+page.server.ts` unless absolutely necessary
Expand Down
Loading