autoworkflow 3.1.4 → 3.5.0

package/.claude/skills/auth-clerk.md

@@ -0,0 +1,327 @@
+# Clerk Auth Skill
+
+## Setup (Next.js App Router)
+\`\`\`typescript
+// middleware.ts
+import { clerkMiddleware, createRouteMatcher } from '@clerk/nextjs/server';
+
+const isPublicRoute = createRouteMatcher([
+  '/',
+  '/sign-in(.*)',
+  '/sign-up(.*)',
+  '/api/webhooks(.*)',
+]);
+
+export default clerkMiddleware((auth, req) => {
+  if (!isPublicRoute(req)) {
+    auth().protect();
+  }
+});
+
+export const config = {
+  matcher: ['/((?!.*\\\\..*|_next).*)', '/', '/(api|trpc)(.*)'],
+};
+
+// app/layout.tsx
+import { ClerkProvider } from '@clerk/nextjs';
+
+export default function RootLayout({ children }: { children: React.ReactNode }) {
+  return (
+    <ClerkProvider>
+      <html lang="en">
+        <body>{children}</body>
+      </html>
+    </ClerkProvider>
+  );
+}
+\`\`\`
+
+## Server Components
+\`\`\`typescript
+// Get auth in Server Components
+import { auth, currentUser } from '@clerk/nextjs/server';
+import { redirect } from 'next/navigation';
+
+export default async function ProtectedPage() {
+  const { userId, sessionClaims } = auth();
+
+  if (!userId) {
+    redirect('/sign-in');
+  }
+
+  // Get full user object
+  const user = await currentUser();
+
+  return (
+    <div>
+      <h1>Welcome, {user?.firstName}</h1>
+      <p>Email: {user?.emailAddresses[0]?.emailAddress}</p>
+      <p>User ID: {userId}</p>
+    </div>
+  );
+}
+
+// API Route Protection
+import { auth } from '@clerk/nextjs/server';
+import { NextResponse } from 'next/server';
+
+export async function GET() {
+  const { userId } = auth();
+
+  if (!userId) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+  }
+
+  // Proceed with authenticated request
+  return NextResponse.json({ userId });
+}
+\`\`\`
+
+## Client Components
+\`\`\`tsx
+'use client';
+
+import {
+  SignIn,
+  SignUp,
+  SignOutButton,
+  SignedIn,
+  SignedOut,
+  UserButton,
+  useUser,
+  useAuth,
+  useClerk,
+} from '@clerk/nextjs';
+
+// Pre-built Components
+export function AuthPage() {
+  return (
+    <div>
+      <SignedOut>
+        <SignIn routing="hash" />
+        {/* Or SignUp for registration */}
+      </SignedOut>
+
+      <SignedIn>
+        <UserButton afterSignOutUrl="/" />
+      </SignedIn>
+    </div>
+  );
+}
+
+// Using hooks
+export function UserProfile() {
+  const { isLoaded, isSignedIn, user } = useUser();
+  const { signOut, getToken } = useAuth();
+  const clerk = useClerk();
+
+  if (!isLoaded) return <div>Loading...</div>;
+
+  if (!isSignedIn) {
+    return <button onClick={() => clerk.openSignIn()}>Sign In</button>;
+  }
+
+  const handleApiCall = async () => {
+    const token = await getToken();
+    // Use token for authenticated API calls
+    const response = await fetch('/api/protected', {
+      headers: { Authorization: \`Bearer \${token}\` },
+    });
+  };
+
+  return (
+    <div>
+      <img src={user.imageUrl} alt={user.fullName ?? ''} />
+      <h1>{user.fullName}</h1>
+      <p>{user.primaryEmailAddress?.emailAddress}</p>
+
+      <button onClick={handleApiCall}>Make API Call</button>
+      <SignOutButton>
+        <button>Sign Out</button>
+      </SignOutButton>
+    </div>
+  );
+}
+
+// Custom Sign In Page
+// app/sign-in/[[...sign-in]]/page.tsx
+export default function SignInPage() {
+  return (
+    <div className="flex items-center justify-center min-h-screen">
+      <SignIn
+        appearance={{
+          elements: {
+            rootBox: 'mx-auto',
+            card: 'shadow-xl',
+          },
+        }}
+      />
+    </div>
+  );
+}
+\`\`\`
+
+## Organizations & Roles
+\`\`\`typescript
+// Server-side organization check
+import { auth } from '@clerk/nextjs/server';
+
+export default async function OrgPage() {
+  const { orgId, orgRole, orgSlug } = auth();
+
+  if (!orgId) {
+    return <div>Please select an organization</div>;
+  }
+
+  if (orgRole !== 'org:admin') {
+    return <div>Admin access required</div>;
+  }
+
+  return <div>Organization: {orgSlug}</div>;
+}
+
+// Client-side organization
+'use client';
+
+import {
+  OrganizationSwitcher,
+  OrganizationProfile,
+  useOrganization,
+  useOrganizationList,
+} from '@clerk/nextjs';
+
+export function OrgDashboard() {
+  const { organization, membership } = useOrganization();
+  const { userMemberships } = useOrganizationList();
+
+  return (
+    <div>
+      <OrganizationSwitcher />
+      {organization && (
+        <div>
+          <h1>{organization.name}</h1>
+          <p>Your role: {membership?.role}</p>
+        </div>
+      )}
+    </div>
+  );
+}
+\`\`\`
+
+## Webhooks
+\`\`\`typescript
+// app/api/webhooks/clerk/route.ts
+import { Webhook } from 'svix';
+import { headers } from 'next/headers';
+import { WebhookEvent } from '@clerk/nextjs/server';
+
+export async function POST(req: Request) {
+  const WEBHOOK_SECRET = process.env.CLERK_WEBHOOK_SECRET;
+
+  if (!WEBHOOK_SECRET) {
+    throw new Error('Missing CLERK_WEBHOOK_SECRET');
+  }
+
+  const headerPayload = headers();
+  const svix_id = headerPayload.get('svix-id');
+  const svix_timestamp = headerPayload.get('svix-timestamp');
+  const svix_signature = headerPayload.get('svix-signature');
+
+  if (!svix_id || !svix_timestamp || !svix_signature) {
+    return new Response('Missing svix headers', { status: 400 });
+  }
+
+  const payload = await req.json();
+  const body = JSON.stringify(payload);
+
+  const wh = new Webhook(WEBHOOK_SECRET);
+  let evt: WebhookEvent;
+
+  try {
+    evt = wh.verify(body, {
+      'svix-id': svix_id,
+      'svix-timestamp': svix_timestamp,
+      'svix-signature': svix_signature,
+    }) as WebhookEvent;
+  } catch (err) {
+    return new Response('Invalid signature', { status: 400 });
+  }
+
+  const eventType = evt.type;
+
+  switch (eventType) {
+    case 'user.created':
+      const { id, email_addresses, first_name, last_name } = evt.data;
+      // Create user in your database
+      await db.user.create({
+        data: {
+          clerkId: id,
+          email: email_addresses[0]?.email_address,
+          name: \`\${first_name} \${last_name}\`,
+        },
+      });
+      break;
+
+    case 'user.updated':
+      // Update user in your database
+      break;
+
+    case 'user.deleted':
+      // Delete user from your database
+      break;
+  }
+
+  return new Response('OK', { status: 200 });
+}
+\`\`\`
+
+## Custom Session Claims
+\`\`\`typescript
+// In Clerk Dashboard, add custom claims to session token
+// Or use middleware to add dynamic claims
+
+// middleware.ts
+import { clerkMiddleware } from '@clerk/nextjs/server';
+
+export default clerkMiddleware(async (auth, req) => {
+  const { userId, sessionClaims } = auth();
+
+  // Access custom claims
+  const role = sessionClaims?.metadata?.role as string;
+
+  if (req.nextUrl.pathname.startsWith('/admin') && role !== 'admin') {
+    return Response.redirect(new URL('/unauthorized', req.url));
+  }
+});
+
+// Access in components
+const { sessionClaims } = auth();
+const userRole = sessionClaims?.metadata?.role;
+\`\`\`
+
+## Environment Variables
+\`\`\`bash
+# .env.local
+NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY=pk_test_...
+CLERK_SECRET_KEY=sk_test_...
+CLERK_WEBHOOK_SECRET=whsec_...
+
+# Custom pages (optional)
+NEXT_PUBLIC_CLERK_SIGN_IN_URL=/sign-in
+NEXT_PUBLIC_CLERK_SIGN_UP_URL=/sign-up
+NEXT_PUBLIC_CLERK_AFTER_SIGN_IN_URL=/dashboard
+NEXT_PUBLIC_CLERK_AFTER_SIGN_UP_URL=/onboarding
+\`\`\`
+
+## ❌ DON'T
+- Expose CLERK_SECRET_KEY to client
+- Skip webhook signature verification
+- Forget middleware for protected routes
+- Store sensitive data in public metadata
+
+## ✅ DO
+- Use clerkMiddleware for route protection
+- Sync user data via webhooks
+- Use organizations for multi-tenant apps
+- Use session claims for role-based access
+- Customize appearance to match your brand

package/.claude/skills/auth-firebase.md

@@ -0,0 +1,367 @@
+# Firebase Auth Skill
+
+## Setup
+\`\`\`typescript
+// lib/firebase.ts
+import { initializeApp, getApps } from 'firebase/app';
+import { getAuth } from 'firebase/auth';
+import { getFirestore } from 'firebase/firestore';
+
+const firebaseConfig = {
+  apiKey: process.env.NEXT_PUBLIC_FIREBASE_API_KEY,
+  authDomain: process.env.NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN,
+  projectId: process.env.NEXT_PUBLIC_FIREBASE_PROJECT_ID,
+  storageBucket: process.env.NEXT_PUBLIC_FIREBASE_STORAGE_BUCKET,
+  messagingSenderId: process.env.NEXT_PUBLIC_FIREBASE_MESSAGING_SENDER_ID,
+  appId: process.env.NEXT_PUBLIC_FIREBASE_APP_ID,
+};
+
+// Initialize Firebase (prevent multiple instances)
+const app = getApps().length === 0 ? initializeApp(firebaseConfig) : getApps()[0];
+
+export const auth = getAuth(app);
+export const db = getFirestore(app);
+\`\`\`
+
+## Authentication Methods
+\`\`\`typescript
+import {
+  createUserWithEmailAndPassword,
+  signInWithEmailAndPassword,
+  signInWithPopup,
+  signInWithRedirect,
+  GoogleAuthProvider,
+  GithubAuthProvider,
+  sendPasswordResetEmail,
+  sendEmailVerification,
+  updateProfile,
+  signOut,
+} from 'firebase/auth';
+import { auth } from '@/lib/firebase';
+
+// Email/Password Sign Up
+async function signUp(email: string, password: string, displayName: string) {
+  const { user } = await createUserWithEmailAndPassword(auth, email, password);
+
+  // Update profile with display name
+  await updateProfile(user, { displayName });
+
+  // Send verification email
+  await sendEmailVerification(user);
+
+  return user;
+}
+
+// Email/Password Sign In
+async function signIn(email: string, password: string) {
+  const { user } = await signInWithEmailAndPassword(auth, email, password);
+  return user;
+}
+
+// Google Sign In (Popup)
+async function signInWithGoogle() {
+  const provider = new GoogleAuthProvider();
+  provider.addScope('profile');
+  provider.addScope('email');
+
+  const { user } = await signInWithPopup(auth, provider);
+  return user;
+}
+
+// Google Sign In (Redirect - better for mobile)
+async function signInWithGoogleRedirect() {
+  const provider = new GoogleAuthProvider();
+  await signInWithRedirect(auth, provider);
+}
+
+// GitHub Sign In
+async function signInWithGitHub() {
+  const provider = new GithubAuthProvider();
+  provider.addScope('read:user');
+
+  const { user } = await signInWithPopup(auth, provider);
+  return user;
+}
+
+// Password Reset
+async function resetPassword(email: string) {
+  await sendPasswordResetEmail(auth, email, {
+    url: \`\${window.location.origin}/login\`,
+  });
+}
+
+// Sign Out
+async function logout() {
+  await signOut(auth);
+}
+\`\`\`
+
+## Auth State Listener
+\`\`\`typescript
+import { onAuthStateChanged, User } from 'firebase/auth';
+import { auth } from '@/lib/firebase';
+
+// React Hook
+import { useState, useEffect, createContext, useContext } from 'react';
+
+interface AuthContextType {
+  user: User | null;
+  loading: boolean;
+}
+
+const AuthContext = createContext<AuthContextType>({ user: null, loading: true });
+
+export function AuthProvider({ children }: { children: React.ReactNode }) {
+  const [user, setUser] = useState<User | null>(null);
+  const [loading, setLoading] = useState(true);
+
+  useEffect(() => {
+    const unsubscribe = onAuthStateChanged(auth, (user) => {
+      setUser(user);
+      setLoading(false);
+    });
+
+    return () => unsubscribe();
+  }, []);
+
+  return (
+    <AuthContext.Provider value={{ user, loading }}>
+      {children}
+    </AuthContext.Provider>
+  );
+}
+
+export function useAuth() {
+  const context = useContext(AuthContext);
+  if (!context) {
+    throw new Error('useAuth must be used within AuthProvider');
+  }
+  return context;
+}
+
+// Usage
+function ProtectedComponent() {
+  const { user, loading } = useAuth();
+
+  if (loading) return <div>Loading...</div>;
+  if (!user) return <div>Please sign in</div>;
+
+  return <div>Welcome, {user.displayName}</div>;
+}
+\`\`\`
+
+## Protected Routes
+\`\`\`tsx
+'use client';
+
+import { useAuth } from '@/hooks/useAuth';
+import { useRouter } from 'next/navigation';
+import { useEffect } from 'react';
+
+export function ProtectedRoute({ children }: { children: React.ReactNode }) {
+  const { user, loading } = useAuth();
+  const router = useRouter();
+
+  useEffect(() => {
+    if (!loading && !user) {
+      router.push('/login');
+    }
+  }, [user, loading, router]);
+
+  if (loading) {
+    return <div>Loading...</div>;
+  }
+
+  if (!user) {
+    return null;
+  }
+
+  return <>{children}</>;
+}
+
+// Usage in page
+export default function DashboardPage() {
+  return (
+    <ProtectedRoute>
+      <Dashboard />
+    </ProtectedRoute>
+  );
+}
+\`\`\`
+
+## ID Tokens for API Auth
+\`\`\`typescript
+// Client: Get ID token for API calls
+async function getIdToken() {
+  const user = auth.currentUser;
+  if (!user) throw new Error('Not authenticated');
+
+  const token = await user.getIdToken();
+  return token;
+}
+
+// API call with token
+async function fetchProtectedData() {
+  const token = await getIdToken();
+
+  const response = await fetch('/api/protected', {
+    headers: {
+      Authorization: \`Bearer \${token}\`,
+    },
+  });
+
+  return response.json();
+}
+
+// Server: Verify ID token (API route)
+// app/api/protected/route.ts
+import { getAuth } from 'firebase-admin/auth';
+import { initializeApp, getApps, cert } from 'firebase-admin/app';
+
+// Initialize Firebase Admin
+if (getApps().length === 0) {
+  initializeApp({
+    credential: cert({
+      projectId: process.env.FIREBASE_PROJECT_ID,
+      clientEmail: process.env.FIREBASE_CLIENT_EMAIL,
+      privateKey: process.env.FIREBASE_PRIVATE_KEY?.replace(/\\\\n/g, '\\n'),
+    }),
+  });
+}
+
+export async function GET(request: Request) {
+  const authHeader = request.headers.get('Authorization');
+
+  if (!authHeader?.startsWith('Bearer ')) {
+    return Response.json({ error: 'Unauthorized' }, { status: 401 });
+  }
+
+  const token = authHeader.split('Bearer ')[1];
+
+  try {
+    const decodedToken = await getAuth().verifyIdToken(token);
+    const userId = decodedToken.uid;
+
+    // Proceed with authenticated request
+    return Response.json({ userId });
+  } catch (error) {
+    return Response.json({ error: 'Invalid token' }, { status: 401 });
+  }
+}
+\`\`\`
+
+## Custom Claims (Roles)
+\`\`\`typescript
+// Server-side: Set custom claims (Firebase Admin)
+import { getAuth } from 'firebase-admin/auth';
+
+async function setUserRole(uid: string, role: string) {
+  await getAuth().setCustomUserClaims(uid, { role });
+}
+
+// Client-side: Check claims
+async function checkAdmin() {
+  const user = auth.currentUser;
+  if (!user) return false;
+
+  const tokenResult = await user.getIdTokenResult();
+  return tokenResult.claims.role === 'admin';
+}
+
+// Force token refresh after claims change
+await auth.currentUser?.getIdToken(true);
+\`\`\`
+
+## Firestore Security Rules
+\`\`\`javascript
+// firestore.rules
+rules_version = '2';
+service cloud.firestore {
+  match /databases/{database}/documents {
+    // Users can only access their own data
+    match /users/{userId} {
+      allow read, write: if request.auth != null && request.auth.uid == userId;
+    }
+
+    // Posts are readable by all, writable by author
+    match /posts/{postId} {
+      allow read: if true;
+      allow create: if request.auth != null;
+      allow update, delete: if request.auth != null
+        && request.auth.uid == resource.data.authorId;
+    }
+
+    // Admin-only access
+    match /admin/{document=**} {
+      allow read, write: if request.auth != null
+        && request.auth.token.role == 'admin';
+    }
+  }
+}
+\`\`\`
+
+## Phone Authentication
+\`\`\`typescript
+import {
+  RecaptchaVerifier,
+  signInWithPhoneNumber,
+  ConfirmationResult,
+} from 'firebase/auth';
+
+let confirmationResult: ConfirmationResult;
+
+// Setup reCAPTCHA
+function setupRecaptcha() {
+  window.recaptchaVerifier = new RecaptchaVerifier(auth, 'recaptcha-container', {
+    size: 'invisible',
+    callback: () => {
+      // reCAPTCHA solved
+    },
+  });
+}
+
+// Send OTP
+async function sendOTP(phoneNumber: string) {
+  const appVerifier = window.recaptchaVerifier;
+  confirmationResult = await signInWithPhoneNumber(auth, phoneNumber, appVerifier);
+}
+
+// Verify OTP
+async function verifyOTP(code: string) {
+  const result = await confirmationResult.confirm(code);
+  return result.user;
+}
+\`\`\`
+
+## User Profile Updates
+\`\`\`typescript
+import { updateProfile, updateEmail, updatePassword, User } from 'firebase/auth';
+
+async function updateUserProfile(user: User, data: { displayName?: string; photoURL?: string }) {
+  await updateProfile(user, data);
+}
+
+async function updateUserEmail(user: User, newEmail: string) {
+  await updateEmail(user, newEmail);
+  // User needs to re-verify email
+}
+
+async function updateUserPassword(user: User, newPassword: string) {
+  await updatePassword(user, newPassword);
+}
+\`\`\`
+
+## ❌ DON'T
+- Store Firebase config with private keys on client
+- Skip email verification for sensitive apps
+- Use currentUser without waiting for auth state
+- Expose Firebase Admin credentials to client
+- Skip Firestore security rules
+
+## ✅ DO
+- Use onAuthStateChanged for auth state
+- Verify ID tokens on server for API calls
+- Use custom claims for role-based access
+- Implement proper Firestore security rules
+- Handle all auth errors gracefully
+- Force token refresh after claims change