Manages authentication flow for MutuaPIX (Laravel Sanctum + Next.js), handles mock mode security, and validates environment configurations
This skill manages the complete authentication system for MutuaPIX, covering:
Authentication Flow:
1. GET /sanctum/csrf-cookie → Receives XSRF-TOKEN cookie
2. POST /api/v1/login {email, password, X-XSRF-TOKEN header}
3. Backend validates credentials
4. Returns {token, user} (token expires in 24h)
5. All requests include: Authorization: Bearer {token}
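Both sides of the flow above, as an added example that is not part of the MutuaPIX code base: a constructed in-process stand-in for the Sanctum backend (the csrf-cookie and login endpoints plus bearer-token resolution with the 24h expiry) and the client steps that read the XSRF-TOKEN cookie, send it as X-XSRF-TOKEN and keep the returned token for the Authorization header. The 419/422 status codes and the token and cookie values are assumptions of this stand-in, not MutuaPIX's.

```typescript
type Headers = Record<string, string>;
type Req = { method: string; path: string; headers: Headers; body?: any };
type Res = { status: number; headers: Headers; body: any };
const TOKEN_TTL_MS = 24 * 60 * 60 * 1000; // the page: token expires in 24h

// Constructed stand-in for the Laravel/Sanctum backend (not MutuaPIX code).
export class FakeSanctumBackend {
  private csrf = new Set<string>();
  private tokens = new Map<string, { email: string; expiresAt: number }>();
  constructor(private users: Record<string, string>, public now = () => Date.now()) {}

  handle(req: Req): Res {
    if (req.method === 'GET' && req.path === '/sanctum/csrf-cookie') {
      const t = `csrf-${this.csrf.size + 1}`; // constructed value, not a real random token
      this.csrf.add(t);
      return { status: 204, headers: { 'set-cookie': `XSRF-TOKEN=${encodeURIComponent(t)}; Path=/` }, body: null };
    }
    if (req.method === 'POST' && req.path === '/api/v1/login') {
      // Steps 2/3: the X-XSRF-TOKEN header must match a cookie this backend issued, then credentials are checked.
      if (!this.csrf.has(req.headers['x-xsrf-token'] ?? '')) return { status: 419, headers: {}, body: null };
      const { email, password } = req.body ?? {};
      if (this.users[email] !== password) return { status: 422, headers: {}, body: null };
      const token = `tok-${this.tokens.size + 1}`; // constructed; Sanctum issues a random plaintext token
      this.tokens.set(token, { email, expiresAt: this.now() + TOKEN_TTL_MS });
      return { status: 200, headers: {}, body: { token, user: { email } } }; // step 4
    }
    return { status: 404, headers: {}, body: null };
  }

  // Step 5: resolve an "Authorization: Bearer {token}" header to a user, rejecting expired tokens.
  userFor(authorization: string | undefined): string | null {
    const rec = authorization?.startsWith('Bearer ') ? this.tokens.get(authorization.slice(7)) : undefined;
    return rec && rec.expiresAt > this.now() ? rec.email : null;
  }
}

// Client side. The XSRF-TOKEN cookie value is URL-encoded, so it must be decoded before it is sent back.
export function xsrfFromCookie(cookie: string): string | null {
  const m = /(?:^|;\s*)XSRF-TOKEN=([^;]*)/.exec(cookie);
  return m ? decodeURIComponent(m[1]) : null;
}

export function login(api: FakeSanctumBackend, email: string, password: string) {
  const c = api.handle({ method: 'GET', path: '/sanctum/csrf-cookie', headers: {} }); // step 1
  const xsrf = xsrfFromCookie(c.headers['set-cookie'] ?? '');
  if (!xsrf) throw new Error('XSRF-TOKEN cookie missing');
  const r = api.handle({ method: 'POST', path: '/api/v1/login', headers: { 'x-xsrf-token': xsrf }, body: { email, password } });
  if (r.status !== 200) throw new Error(`login failed with HTTP ${r.status}`);
  return { token: r.body.token as string, user: r.body.user, authorization: `Bearer ${r.body.token}` };
}
```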
Configuration:
matrix.mutuapix.com
web

Files:
backend/routes/api/auth.php - Authentication routes
backend/app/Http/Controllers/Auth/AuthController.php - Login/logout logic
backend/config/sanctum.php - Sanctum configuration
backend/config/cors.php - CORS settings

State Management:
frontend/src/stores/authStore.ts
Authorization: Bearer {token}

Files:
frontend/src/stores/authStore.ts - Authentication state
frontend/src/services/auth.service.ts - API calls
frontend/src/hooks/useAuth.ts - Authentication hook
frontend/src/providers/AuthProvider.tsx - Auth context provider

Purpose: Allow frontend development without running the backend API
Problem: The implementation has security vulnerabilities if not properly configured
src/lib/env.ts:

```typescript
// ✅ CORRECT: Uses NEXT_PUBLIC_NODE_ENV for client-side detection
export const IS_PRODUCTION = process.env.NEXT_PUBLIC_NODE_ENV === 'production';
export const IS_DEVELOPMENT = !IS_PRODUCTION;
```
⚠️ WHY THIS IS CRITICAL:
- process.env.NODE_ENV is undefined in Next.js client-side code
- NEXT_PUBLIC_* variables are replaced at build time
- A check on process.env.NODE_ENV therefore always evaluated to false on the client, so mock mode could stay enabled in production (insecure!)

File: frontend/src/stores/authStore.ts:91-96
❌ INSECURE (Current State):