@habityzer/nuxt-symfony-kinde-layer 1.0.0

package/.releaserc.json

@@ -0,0 +1,37 @@
+{
+  "branches": ["master"],
+  "plugins": [
+    ["@semantic-release/commit-analyzer", {
+      "preset": "conventionalcommits",
+      "releaseRules": [
+        {"type": "feat", "release": "minor"},
+        {"type": "fix", "release": "patch"},
+        {"type": "docs", "release": "patch"},
+        {"type": "style", "release": "patch"},
+        {"type": "refactor", "release": "patch"},
+        {"type": "perf", "release": "patch"},
+        {"type": "test", "release": "patch"},
+        {"type": "build", "release": "patch"},
+        {"type": "ci", "release": "patch"},
+        {"type": "chore", "scope": "deps", "release": "patch"},
+        {"type": "chore", "scope": "release", "release": "patch"},
+        {"scope": "breaking", "release": "major"},
+        {"type": "BREAKING CHANGE", "release": "major"}
+      ]
+    }],
+    "@semantic-release/release-notes-generator",
+    ["@semantic-release/changelog", {
+      "changelogFile": "CHANGELOG.md"
+    }],
+    ["@semantic-release/npm", {
+      "npmPublish": false
+    }],
+    ["@semantic-release/git", {
+      "assets": ["package.json", "CHANGELOG.md"],
+      "message": "chore(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}",
+      "gitArgs": ["--no-verify"]
+    }]
+  ],
+  "dryRun": false,
+  "ci": false
+} 

package/.vscode/settings.json

@@ -0,0 +1,10 @@
+{
+    "cSpell.words": [
+        "habityzer",
+        "iconify",
+        "kinde",
+        "nuxi",
+        "symfony",
+        "vueuse"
+    ]
+}

package/CHANGELOG.md

@@ -0,0 +1,6 @@
+# 1.0.0 (2025-10-17)
+
+
+### Features
+
+* Update semantic-release to version 24.2.9 and add it to package.json for improved release management ([76270ec](https://github.com/Habityzer/nuxt-symfony-kinde-layer/commit/76270ecc4f42276cf9d0547095bf75988c196441))

package/README.md

@@ -0,0 +1,326 @@
+# @habityzer/nuxt-symfony-kinde-layer
+
+Shared Nuxt layer for Symfony + Kinde authentication integration. This layer provides common authentication logic, API proxying, and pre-configured modules for Nuxt projects using Symfony backends with Kinde authentication.
+
+## Features
+
+- ✅ **Symfony API Proxy** - Automatically forwards requests with Kinde auth tokens
+- ✅ **Accept Header Fix** - Properly forwards Accept header for content negotiation (JSON vs Hydra)
+- ✅ **Auth Composable** - Unified authentication state management
+- ✅ **Global Auth Middleware** - Configurable route protection
+- ✅ **E2E Testing Support** - Built-in support for automated testing
+- ✅ **Pre-configured Modules** - Includes @nuxt/ui, @nuxt/image, Pinia, ESLint, and more
+- ✅ **Type-safe** - Full TypeScript support with OpenAPI integration
+
+## Installation
+
+### Using pnpm workspace (recommended for monorepos)
+
+```bash
+# In your project root
+pnpm add @habityzer/nuxt-symfony-kinde-layer
+```
+
+### Or link locally
+
+```bash
+cd /path/to/@habityzer/nuxt-symfony-kinde-layer
+pnpm install
+pnpm link --global
+
+cd /path/to/your-project
+pnpm link --global @habityzer/nuxt-symfony-kinde-layer
+```
+
+## Usage
+
+### 1. Extend the layer in your `nuxt.config.ts`
+
+```typescript
+export default defineNuxtConfig({
+  extends: ['@habityzer/nuxt-symfony-kinde-layer'],
+
+  // Runtime config - expose auth settings for middleware
+  runtimeConfig: {
+    apiBaseUrl: process.env.API_BASE_URL,
+    
+    public: {
+      apiBaseUrl: process.env.API_BASE_URL,
+      
+      // IMPORTANT: Expose auth config for middleware (must match kindeAuth below)
+      kindeAuth: {
+        cookie: {
+          prefix: 'myapp_' // Must match prefix in kindeAuth
+        },
+        middleware: {
+          publicRoutes: ['/', '/blog', '/help']
+        }
+      }
+    }
+  },
+
+  // Configure Kinde authentication module
+  kindeAuth: {
+    authDomain: process.env.NUXT_KINDE_AUTH_DOMAIN,
+    clientId: process.env.NUXT_KINDE_CLIENT_ID,
+    clientSecret: process.env.NUXT_KINDE_CLIENT_SECRET,
+    redirectURL: process.env.NUXT_KINDE_REDIRECT_URL,
+    logoutRedirectURL: process.env.NUXT_KINDE_LOGOUT_REDIRECT_URL,
+    postLoginRedirectURL: '/dashboard',
+    cookie: {
+      prefix: 'myapp_' // IMPORTANT: Must be unique per project to avoid cookie conflicts
+    },
+    middleware: {
+      publicRoutes: ['/', '/blog', '/help'] // Must match publicRoutes in runtimeConfig.public
+    }
+  }
+})
+```
+
+### 2. Environment Variables
+
+Create a `.env` file:
+
+```bash
+# Symfony Backend
+API_BASE_URL=http://localhost:8000
+
+# Kinde Authentication
+NUXT_KINDE_AUTH_DOMAIN=https://your-domain.kinde.com
+NUXT_KINDE_CLIENT_ID=your-client-id
+NUXT_KINDE_CLIENT_SECRET=your-client-secret
+NUXT_KINDE_REDIRECT_URL=http://localhost:3000/api/kinde/callback
+NUXT_KINDE_LOGOUT_REDIRECT_URL=http://localhost:3000
+NUXT_KINDE_POST_LOGIN_REDIRECT_URL=/dashboard
+```
+
+### 3. Use the Auth Composable
+
+```vue
+<script setup lang="ts">
+const {
+  isAuthenticated,
+  currentUser,
+  userDisplayName,
+  userEmail,
+  isPremium,
+  login,
+  logout,
+  fetchUserProfile
+} = useAuth()
+
+// Fetch user profile on mount
+onMounted(async () => {
+  if (isAuthenticated.value) {
+    await fetchUserProfile()
+  }
+})
+</script>
+
+<template>
+  <div>
+    <template v-if="isAuthenticated">
+      <p>Welcome, {{ userDisplayName }}!</p>
+      <p v-if="isPremium">Premium user</p>
+      <button @click="logout">Logout</button>
+    </template>
+    <template v-else>
+      <button @click="login">Login</button>
+    </template>
+  </div>
+</template>
+```
+
+### 4. Call Symfony APIs
+
+The layer automatically proxies requests to `/api/symfony/*`:
+
+```typescript
+// This calls your Symfony backend at /api/users
+const users = await $fetch('/api/symfony/api/users')
+
+// With generated OpenAPI composables
+const { getUsersApi } = useUsersApi()
+const response = await getUsersApi()
+```
+
+## What's Included
+
+### Modules
+
+- `@nuxt/ui` - UI component library
+- `@nuxt/image` - Image optimization
+- `@nuxt/eslint` - Linting
+- `@pinia/nuxt` - State management
+- `@habityzer/nuxt-kinde-auth` - Kinde authentication
+- `@vueuse/core` - Vue composition utilities
+
+### Files
+
+- `server/api/symfony/[...].ts` - Symfony API proxy with auth
+- `app/composables/useAuth.ts` - Authentication composable
+- `app/constants/auth.ts` - Auth constants
+- `app/middleware/auth.global.ts` - Global route protection
+
+## Configuration Options
+
+### Cookie Prefix
+
+**CRITICAL:** Always set a unique cookie prefix per project to avoid cookie conflicts when running multiple projects locally:
+
+```typescript
+// MUST be set in BOTH places:
+runtimeConfig: {
+  public: {
+    kindeAuth: {
+      cookie: {
+        prefix: 'myproject_' // For middleware to read
+      }
+    }
+  }
+},
+
+kindeAuth: {
+  cookie: {
+    prefix: 'myproject_' // For Kinde module (must match above)
+  }
+}
+```
+
+**Why both?**
+- `kindeAuth.cookie.prefix` - Used by the Kinde auth module to set/read cookies
+- `runtimeConfig.public.kindeAuth.cookie.prefix` - Used by the layer's middleware to check authentication
+
+**Without unique prefixes:** If you run `ew-nuxt` and `habityzer-nuxt` locally at the same time, they'll share cookies and cause auth conflicts!
+
+### Public Routes
+
+Configure which routes don't require authentication:
+
+```typescript
+kindeAuth: {
+  middleware: {
+    publicRoutes: [
+      '/',
+      '/blog',
+      '/about',
+      '/legal'
+    ]
+  }
+}
+```
+
+## E2E Testing
+
+The layer supports E2E testing with app tokens:
+
+1. Generate an app token in Symfony:
+   ```bash
+   php bin/console app:token:manage create
+   ```
+
+2. Set the token in your E2E tests:
+   ```typescript
+   // Set cookie
+   await page.context().addCookies([{
+     name: 'kinde_token',
+     value: 'app_your_token_here',
+     domain: 'localhost',
+     path: '/'
+   }])
+   ```
+
+## API Schema Generation
+
+The layer includes OpenAPI tools for generating typed API composables:
+
+```bash
+# Generate TypeScript types from OpenAPI schema
+pnpm generate:types
+
+# Generate API composables
+pnpm generate:api
+
+# Or do both
+pnpm sync:api
+```
+
+Add these scripts to your project's `package.json`:
+
+```json
+{
+  "scripts": {
+    "generate:types": "openapi-typescript ./schema/api.json -o ./app/types/api.ts --default-non-nullable false && eslint ./app/types/api.ts --fix",
+    "generate:api": "pnpm generate:types && nuxt-openapi-composables generate -s ./schema/api.json -o ./app/composables/api --types-import '~/types/api'",
+    "sync:api": "pnpm update:schema && pnpm generate:api"
+  }
+}
+```
+
+## Troubleshooting
+
+### Cookie Name Conflicts
+
+If you see authentication issues, ensure each project has a unique cookie prefix:
+
+```typescript
+// Project A
+kindeAuth: { cookie: { prefix: 'projecta_' } }
+
+// Project B  
+kindeAuth: { cookie: { prefix: 'projectb_' } }
+```
+
+### TypeScript Errors with API Responses
+
+If you get type mismatches between expected Hydra collections and plain arrays, the proxy is correctly forwarding the Accept header. Make sure your OpenAPI schema matches what the API actually returns.
+
+## Architecture & Design Decisions
+
+### Why Constants Are Defined Inline in Server Code
+
+You'll notice that auth constants (`E2E_TOKEN_COOKIE_NAME`, `APP_TOKEN_PREFIX`, `KINDE_ID_TOKEN_COOKIE_NAME`) are defined directly in the server files (`server/api/symfony/[...].ts`) rather than imported from a shared constants file.
+
+**Reason**: Nitro's bundling process for server-side code doesn't support:
+- App aliases like `~` or `@` (these resolve to the consuming project's app directory, not the layer's)
+- Relative imports from external layers during the rollup bundling phase
+- The `#build` alias for accessing layer exports
+
+**Solution**: We define these constants inline in server files while maintaining the shared `app/constants/auth.ts` for client-side code. This is a deliberate architectural choice to ensure reliable builds across all consuming projects.
+
+### Cookie Prefix Configuration
+
+The layer uses a project-specific cookie prefix (e.g., `ew-`, `habityzer_`) to prevent cookie conflicts when running multiple projects locally.
+
+**Implementation**:
+1. Base cookie names are defined without prefixes (`id_token`, `access_token`)
+2. Projects configure their prefix in `nuxt.config.ts`
+3. The prefix is applied dynamically at runtime by middleware and composables
+4. Projects should NOT redefine the cookie constant names - they inherit from the layer
+
+### TypeScript Type Suppressions
+
+You may see `@ts-expect-error` comments for the `cookie` property in configuration files. This is expected and safe.
+
+**Reason**: The `@habityzer/nuxt-kinde-auth` module's TypeScript definitions don't include our custom `cookie.prefix` configuration property, but it works correctly at runtime.
+
+**Solution**: We use `@ts-expect-error` comments to suppress TypeScript errors without compromising type safety elsewhere in the codebase.
+
+### Cache Clearing
+
+If you encounter auto-import issues after updating the layer (especially for composables), clear your Nuxt cache:
+
+```bash
+rm -rf .nuxt node_modules/.cache
+pnpm build
+```
+
+This forces Nuxt to regenerate its auto-import registry and pick up changes from the layer.
+
+## License
+
+MIT
+
+## Contributing
+
+This is a private layer for Habityzer projects. For issues or improvements, contact the team.

package/app/composables/useAuth.ts

@@ -0,0 +1,139 @@
+import { computed, ref, readonly } from 'vue'
+import { E2E_TOKEN_COOKIE_NAME } from '../constants/auth'
+
+interface SymfonyUser {
+  id: number
+  email: string
+  name: string
+  picture?: string | null
+  subscription_tier?: 'free' | 'pro' | 'teams' | 'enterprise'
+  tier?: 'free' | 'pro' | 'teams' | 'enterprise' // Handle potential API variation
+  is_premium: boolean
+  roles?: string[]
+  kinde_id: string
+  google_id?: string | null
+  created_at: string
+  updated_at: string
+}
+
+// Singleton state - shared across all useAuth() calls
+const userProfile = ref<SymfonyUser | null>(null)
+const isLoading = ref(false)
+
+export const useAuth = () => {
+  // Use the base Kinde auth composable from the module
+  const kindeAuth = useKindeAuth()
+
+  // Primary user data (from Symfony API)
+  const currentUser = computed(() => userProfile.value)
+
+  // Get user display name
+  const userDisplayName = computed(() => {
+    if (userProfile.value?.name) return userProfile.value.name
+    if (userProfile.value?.email) return userProfile.value.email
+    return 'User'
+  })
+
+  // Get user email
+  const userEmail = computed(() => {
+    return userProfile.value?.email || null
+  })
+
+  // Get user picture URL
+  const userPicture = computed(() => {
+    return userProfile.value?.picture || null
+  })
+
+  // Get user tier/subscription info
+  const userTier = computed(() => {
+    return userProfile.value?.subscription_tier || userProfile.value?.tier || 'free'
+  })
+
+  const isPremium = computed(() => {
+    return userProfile.value?.is_premium || false
+  })
+
+  // Use login from Kinde module
+  const login = kindeAuth.login
+
+  // Fetch user profile from Symfony API via Nuxt proxy
+  const fetchUserProfile = async (): Promise<SymfonyUser | null> => {
+    // Prevent multiple simultaneous calls
+    if (isLoading.value) {
+      return userProfile.value
+    }
+
+    // If we already have a valid profile, return it
+    if (userProfile.value) {
+      return userProfile.value
+    }
+
+    try {
+      isLoading.value = true
+
+      // Call Symfony API via Nuxt proxy (include /api/ prefix for Symfony routes)
+      const response = await $fetch<SymfonyUser>('/api/symfony/api/authentication', {
+        method: 'GET',
+        // Add retry and error handling options
+        retry: 0, // Don't retry on failure
+        onResponseError({ response }) {
+          // Don't throw on 401 - just log it
+          if (response.status === 401) {
+            console.warn('User not authenticated in Symfony')
+          }
+        }
+      })
+
+      userProfile.value = response
+      return response
+    } catch (error) {
+      // Silently handle auth errors on public pages
+      if (error && typeof error === 'object' && 'statusCode' in error && error.statusCode === 401) {
+        console.debug('Auth check failed - user not logged in')
+      } else {
+        console.error('Failed to fetch user profile:', error)
+      }
+      userProfile.value = null
+      return null
+    } finally {
+      isLoading.value = false
+    }
+  }
+
+  // Logout - clear Symfony profile and use Kinde logout
+  const logout = () => {
+    // Clear local Symfony state
+    userProfile.value = null
+
+    // Clear E2E test token if exists
+    if (import.meta.client) {
+      localStorage.removeItem('e2e_app_token')
+      document.cookie = `${E2E_TOKEN_COOKIE_NAME}=; path=/; max-age=0`
+    }
+
+    // Use Kinde module logout
+    kindeAuth.logout()
+  }
+
+  return {
+    // Core auth state (from Kinde module)
+    isAuthenticated: kindeAuth.isAuthenticated,
+    isLoading: readonly(isLoading),
+
+    // Symfony user data
+    currentUser: readonly(currentUser),
+    userProfile: readonly(userProfile),
+
+    // User info
+    userDisplayName: readonly(userDisplayName),
+    userEmail: readonly(userEmail),
+    userPicture: readonly(userPicture),
+    userTier: readonly(userTier),
+    isPremium: readonly(isPremium),
+
+    // Authentication methods
+    login,
+    logout,
+    fetchUserProfile
+  }
+}

package/app/constants/auth.ts

@@ -0,0 +1,26 @@
+/**
+ * Authentication constants shared across the application
+ */
+
+/**
+ * Cookie name for E2E test authentication token
+ * Used by automated tests to bypass Kinde OAuth flow
+ */
+export const E2E_TOKEN_COOKIE_NAME = 'kinde_token'
+
+/**
+ * Prefix for Symfony app tokens (used in E2E tests)
+ * These are long-lived tokens generated by `php bin/console app:token:manage create`
+ */
+export const APP_TOKEN_PREFIX = 'app_'
+
+/**
+ * Kinde authentication cookie names
+ * These cookies are managed by the @habityzer/nuxt-kinde-auth module
+ * The prefix is configured per-project in nuxt.config.ts
+ *
+ * Note: These constants use placeholder names. The actual cookie names
+ * will have the project-specific prefix (e.g., 'ew-id_token', 'habityzer_id_token')
+ */
+export const KINDE_ID_TOKEN_COOKIE_NAME = 'id_token'
+export const KINDE_ACCESS_TOKEN_COOKIE_NAME = 'access_token'

package/app/middleware/auth.global.ts

@@ -0,0 +1,82 @@
+import { E2E_TOKEN_COOKIE_NAME, KINDE_ID_TOKEN_COOKIE_NAME, KINDE_ACCESS_TOKEN_COOKIE_NAME } from '../constants/auth'
+
+/**
+ * Global auth middleware - checks authentication on route navigation
+ * Redirects to login if accessing protected routes without authentication
+ *
+ * Note: This middleware works alongside the nuxt-kinde-auth module.
+ * It handles E2E testing tokens and uses the module's login endpoints.
+ *
+ * Projects should configure publicRoutes in their nuxt.config.ts:
+ * kindeAuth: {
+ *   middleware: {
+ *     publicRoutes: ['/', '/blog', '/help']
+ *   }
+ * }
+ */
+export default defineNuxtRouteMiddleware(async (to) => {
+  // Get public routes from runtime config (configured per-project)
+  const config = useRuntimeConfig()
+  const kindeConfig = config.public.kindeAuth || {}
+  const publicRoutes: string[] = kindeConfig.middleware?.publicRoutes || ['/']
+
+  // Check if the route is public or a child of public routes
+  const isPublicRoute = publicRoutes.some(route =>
+    to.path === route || to.path.startsWith(`${route}/`)
+  )
+
+  // If it's a public route, allow access
+  if (isPublicRoute) {
+    return
+  }
+
+  // For protected routes, check authentication
+  if (import.meta.server) {
+    // Server-side: Check for auth cookies using Nuxt's useCookie
+    // Note: Cookie names include the project-specific prefix
+    const config = useRuntimeConfig()
+    // @ts-expect-error - cookie property exists in runtime config but not in Kinde module types
+    const cookiePrefix = config.public.kindeAuth?.cookie?.prefix || 'app_'
+
+    const idTokenName = `${cookiePrefix}${KINDE_ID_TOKEN_COOKIE_NAME}`
+    const accessTokenName = `${cookiePrefix}${KINDE_ACCESS_TOKEN_COOKIE_NAME}`
+
+    const idToken = useCookie(idTokenName)
+    const accessToken = useCookie(accessTokenName)
+    const e2eToken = useCookie(E2E_TOKEN_COOKIE_NAME) // E2E test token
+
+    // Allow access if any valid auth token exists
+    if (!idToken.value && !accessToken.value && !e2eToken.value) {
+      // Redirect to module's login endpoint
+      return navigateTo('/api/kinde/login', { external: true })
+    }
+  } else {
+    // Client-side: Check for E2E token first (for tests)
+    const e2eToken = useCookie(E2E_TOKEN_COOKIE_NAME)
+
+    // If E2E token exists, allow access (for automated tests)
+    if (e2eToken.value) {
+      return
+    }
+
+    // Check for auth cookies directly (more reliable than reactive state)
+    const config = useRuntimeConfig()
+    // @ts-expect-error - cookie property exists in runtime config but not in Kinde module types
+    const cookiePrefix = config.public.kindeAuth?.cookie?.prefix || 'app_'
+
+    const idTokenName = `${cookiePrefix}${KINDE_ID_TOKEN_COOKIE_NAME}`
+    const accessTokenName = `${cookiePrefix}${KINDE_ACCESS_TOKEN_COOKIE_NAME}`
+
+    const idToken = useCookie(idTokenName)
+    const accessToken = useCookie(accessTokenName)
+
+    // Allow access if any valid auth token cookie exists
+    if (!idToken.value && !accessToken.value) {
+      // Redirect to module's login endpoint
+      if (import.meta.client) {
+        window.location.href = '/api/kinde/login'
+      }
+      return
+    }
+  }
+})

package/commitlint.config.js

@@ -0,0 +1,32 @@
+export default {
+  extends: ['@commitlint/config-conventional'],
+  rules: {
+    'body-leading-blank': [1, 'always'],
+    'body-max-line-length': [2, 'always', 500],
+    'footer-leading-blank': [1, 'always'],
+    'footer-max-line-length': [2, 'always', 500],
+    'header-max-length': [2, 'always', 100],
+    'subject-case': [0, 'never'],
+    'subject-empty': [2, 'never'],
+    'subject-full-stop': [2, 'never', '.'],
+    'type-case': [2, 'always', 'lower-case'],
+    'type-empty': [2, 'never'],
+    'type-enum': [
+      2,
+      'always',
+      [
+        'build',
+        'chore',
+        'ci',
+        'docs',
+        'feat',
+        'fix',
+        'perf',
+        'refactor',
+        'revert',
+        'style',
+        'test'
+      ]
+    ]
+  }
+}

package/eslint.config.mjs

@@ -0,0 +1,6 @@
+// @ts-check
+import withNuxt from './node_modules/.cache/nuxt/.nuxt/eslint.config.mjs'
+
+export default withNuxt(
+  // Your custom configs here
+)

package/nuxt.config.ts

@@ -0,0 +1,77 @@
+// https://nuxt.com/docs/guide/going-further/layers
+export default defineNuxtConfig({
+
+  // Pre-configure shared modules that all projects will use
+  modules: [
+    '@nuxt/eslint',
+    '@nuxt/ui',
+    '@nuxt/image',
+    '@habityzer/nuxt-kinde-auth',
+    '@pinia/nuxt'
+  ],
+
+  devtools: { enabled: true },
+
+  // Default runtime config (projects can override)
+  runtimeConfig: {
+    // Server-only (private) runtime config
+    apiBaseUrl: '',
+
+    public: {
+      // Public runtime config (exposed to client-side)
+      apiBaseUrl: '',
+      apiPrefix: '/api/symfony', // API endpoint prefix for useOpenApi
+
+      // Expose kindeAuth config for middleware (will be merged with project config)
+      kindeAuth: {
+        // @ts-expect-error - cookie property exists in runtime but not in Kinde module types
+        cookie: {
+          prefix: 'app_' // Default, projects override this
+        },
+        middleware: {
+          publicRoutes: [] // Default, projects override this
+        }
+      }
+    }
+  },
+  compatibilityDate: '2025-01-17',
+
+  // ESLint configuration
+  eslint: {
+    config: {
+      stylistic: {
+        commaDangle: 'never',
+        braceStyle: '1tbs'
+      }
+    }
+  },
+
+  // Default Kinde configuration (projects MUST override with their credentials)
+  kindeAuth: {
+    authDomain: '', // Project must provide
+    clientId: '', // Project must provide
+    clientSecret: '', // Project must provide
+    redirectURL: '', // Project must provide
+    logoutRedirectURL: '', // Project must provide
+    postLoginRedirectURL: '/dashboard', // Default, can be overridden
+    cookie: {
+      prefix: 'app_', // Projects MUST override this
+      httpOnly: false, // Allow client-side deletion for logout
+      secure: process.env.NODE_ENV === 'production',
+      sameSite: 'lax' as const,
+      path: '/',
+      maxAge: 60 * 60 * 24 * 7 // 7 days
+    },
+    middleware: {
+      enabled: false, // Disabled - using custom middleware from layer
+      global: false,
+      publicRoutes: [] // Projects can override
+    },
+    debug: {
+      enabled: process.env.NODE_ENV !== 'production'
+    }
+  },
+
+  // Pinia configuration
+  pinia: {}
+})

package/package.json

@@ -0,0 +1,52 @@
+{
+  "name": "@habityzer/nuxt-symfony-kinde-layer",
+  "version": "1.0.0",
+  "description": "Shared Nuxt layer for Symfony + Kinde authentication integration",
+  "type": "module",
+  "main": "./nuxt.config.ts",
+  "keywords": [
+    "nuxt",
+    "nuxt-layer",
+    "symfony",
+    "kinde",
+    "authentication"
+  ],
+  "author": "Habityzer",
+  "license": "MIT",
+  "dependencies": {
+    "@habityzer/nuxt-kinde-auth": "^1.2.0",
+    "@pinia/nuxt": "^0.11.2",
+    "@nuxt/ui": "^4.0.1",
+    "@nuxt/image": "^1.11.0",
+    "@nuxt/eslint": "^1.9.0",
+    "@vueuse/core": "^13.9.0",
+    "nuxt": "^4.1.3",
+    "vue": "^3.5.22",
+    "vue-router": "^4.6.0"
+  },
+  "devDependencies": {
+    "@commitlint/config-conventional": "^19.8.1",
+    "commitlint": "^19.8.1",
+    "conventional-changelog-conventionalcommits": "^9.1.0",
+    "@semantic-release/changelog": "^6.0.3",
+    "@semantic-release/commit-analyzer": "^13.0.1",
+    "@semantic-release/git": "^10.0.1",
+    "@semantic-release/release-notes-generator": "^14.1.0",
+    "@habityzer/nuxt-openapi-composables": "^1.1.0",
+    "@iconify-json/heroicons": "^1.2.3",
+    "openapi-typescript": "^7.10.0",
+    "typescript": "^5.9.3",
+    "eslint": "^9.37.0",
+    "semantic-release": "^24.2.9"
+  },
+  "peerDependencies": {
+    "nuxt": "^3.0.0 || ^4.0.0"
+  },
+  "scripts": {
+    "dev": "nuxi dev --dotenv .env.example",
+    "build": "nuxt build",
+    "lint": "eslint .",
+    "lint:fix": "eslint . --fix",
+    "release": " HUSKY=0 semantic-release"
+  }
+}

package/pnpm-workspace.yaml

@@ -0,0 +1,5 @@
+onlyBuiltDependencies:
+  - '@tailwindcss/oxide'
+  - sharp
+  - unrs-resolver
+  - vue-demi

package/public/robots.txt

@@ -0,0 +1,2 @@
+User-Agent: *
+Disallow:

package/server/api/symfony/[...].ts

@@ -0,0 +1,150 @@
+/**
+ * Symfony API Proxy - Forwards requests to Symfony backend with authentication
+ *
+ * Usage: /api/symfony/* -> proxies to Symfony backend
+ *
+ * Features:
+ * - Forwards Kinde authentication tokens
+ * - Supports E2E testing with app tokens
+ * - Properly forwards Accept and Content-Type headers for API negotiation
+ * - Handles query parameters
+ *
+ * @see .cursorrules for proxy best practices
+ */
+
+// Auth constants (defined inline to avoid import issues during Nitro bundling)
+const E2E_TOKEN_COOKIE_NAME = 'kinde_token'
+const APP_TOKEN_PREFIX = 'app_'
+const KINDE_ID_TOKEN_COOKIE_NAME = 'id_token'
+export default defineEventHandler(async (event) => {
+  const config = useRuntimeConfig()
+
+  // Get the path (remove /api/symfony prefix)
+  let path = event.context.params?.path || event.path.replace('/api/symfony', '')
+
+  // Ensure path starts with / (for catch-all routes it might not)
+  if (!path.startsWith('/')) {
+    path = `/${path}`
+  }
+
+  let token: string | undefined
+
+  // Check for E2E test token first (from cookie)
+  // Only use E2E token if it's a valid app token (starts with APP_TOKEN_PREFIX)
+  const e2eToken = getCookie(event, E2E_TOKEN_COOKIE_NAME)
+  if (e2eToken && e2eToken.startsWith(APP_TOKEN_PREFIX)) {
+    token = e2eToken
+  } else {
+    // Use Kinde authentication from the module
+    const kinde = event.context.kinde
+
+    if (!kinde?.client || !kinde?.sessionManager) {
+      throw createError({
+        statusCode: 500,
+        statusMessage: 'Kinde authentication not initialized. Module may not be loaded correctly.'
+      })
+    }
+
+    const { client, sessionManager } = kinde
+
+    try {
+      // Try to get access token first
+      let accessToken: string | null = null
+      try {
+        accessToken = await client.getToken(sessionManager)
+      } catch {
+        // Silent - will try id_token fallback
+      }
+
+      // If access token is not available, try id_token as fallback
+      if (!accessToken || accessToken.trim() === '') {
+        const idToken = await sessionManager.getSessionItem(KINDE_ID_TOKEN_COOKIE_NAME) as string | undefined
+
+        if (idToken) {
+          token = idToken
+        }
+      } else {
+        token = accessToken
+      }
+
+      if (!token || token.trim() === '') {
+        throw createError({
+          statusCode: 401,
+          statusMessage: 'Unauthorized - Please log in'
+        })
+      }
+    } catch (error) {
+      console.error('❌ [SYMFONY PROXY] Auth error:', error)
+      throw createError({
+        statusCode: 401,
+        statusMessage: error instanceof Error ? error.message : 'Authentication failed'
+      })
+    }
+  }
+
+  if (!token) {
+    throw createError({
+      statusCode: 401,
+      statusMessage: 'No authentication token available'
+    })
+  }
+
+  try {
+    // Get request method and body
+    const method = event.method
+    const body = method !== 'GET' && method !== 'HEAD' ? await readBody(event) : undefined
+
+    // Get query parameters from original request
+    const query = getQuery(event)
+
+    // Prepare headers for Symfony
+    // IMPORTANT: Forward Content-Type and Accept headers for proper API negotiation
+    const headers: Record<string, string> = {
+      Authorization: `Bearer ${token}`
+    }
+
+    // Forward Content-Type header
+    const contentType = getHeader(event, 'content-type')
+    if (contentType) {
+      headers['Content-Type'] = contentType
+    }
+
+    // Forward Accept header (CRITICAL for content negotiation)
+    // Without this, backend returns default format instead of requested format (e.g., JSON vs Hydra)
+    const accept = getHeader(event, 'accept')
+    if (accept) {
+      headers['Accept'] = accept
+    }
+
+    // Forward request to Symfony with Kinde token
+    const response = await $fetch(path, {
+      baseURL: config.apiBaseUrl as string,
+      method,
+      headers,
+      body,
+      query
+    })
+
+    return response
+  } catch (error) {
+    console.error('❌ [SYMFONY PROXY] Symfony API error:', {
+      path,
+      statusCode: error && typeof error === 'object' && 'statusCode' in error ? error.statusCode : 'unknown',
+      message: error instanceof Error ? error.message : 'unknown'
+    })
+    // Handle Symfony API errors
+    const statusCode = error && typeof error === 'object' && 'statusCode' in error ? (error.statusCode as number) : 500
+    const statusMessage = error && typeof error === 'object' && 'statusMessage' in error
+      ? (error.statusMessage as string)
+      : error instanceof Error
+        ? error.message
+        : 'Symfony API error'
+    const data = error && typeof error === 'object' && 'data' in error ? error.data : undefined
+
+    throw createError({
+      statusCode,
+      statusMessage,
+      data
+    })
+  }
+})

package/server/utils/auth-constants.ts

@@ -0,0 +1,23 @@
+/**
+ * Authentication constants for server-side code
+ * These are duplicated from app/constants/auth.ts to avoid import issues in Nitro bundling
+ */
+
+/**
+ * Cookie name for E2E test authentication token
+ * Used by automated tests to bypass Kinde OAuth flow
+ */
+export const E2E_TOKEN_COOKIE_NAME = 'kinde_token'
+
+/**
+ * Prefix for Symfony app tokens (used in E2E tests)
+ * These are long-lived tokens generated by `php bin/console app:token:manage create`
+ */
+export const APP_TOKEN_PREFIX = 'app_'
+
+/**
+ * Kinde authentication cookie names (base names without prefix)
+ * The prefix is configured per-project in nuxt.config.ts and applied dynamically
+ */
+export const KINDE_ID_TOKEN_COOKIE_NAME = 'id_token'
+export const KINDE_ACCESS_TOKEN_COOKIE_NAME = 'access_token'

package/tsconfig.json

@@ -0,0 +1,18 @@
+{
+  // https://nuxt.com/docs/guide/concepts/typescript
+  "files": [],
+  "references": [
+    {
+      "path": "./.nuxt/tsconfig.app.json"
+    },
+    {
+      "path": "./.nuxt/tsconfig.server.json"
+    },
+    {
+      "path": "./.nuxt/tsconfig.shared.json"
+    },
+    {
+      "path": "./.nuxt/tsconfig.node.json"
+    }
+  ]
+}

package/types/kinde-auth.d.ts

@@ -0,0 +1,21 @@
+/**
+ * Type augmentation for @habityzer/nuxt-kinde-auth module
+ * Adds custom configuration options we use in the layer
+ */
+declare module '@habityzer/nuxt-kinde-auth' {
+  interface ModuleOptions {
+    cookie?: {
+      prefix?: string
+    }
+    middleware?: {
+      enabled?: boolean
+      global?: boolean
+      publicRoutes?: string[]
+    }
+    debug?: {
+      enabled?: boolean
+    }
+  }
+}
+
+export {}