[EPIC] Auth & Frontend Remediation #411

New Issue

Closed

opened 2026-02-16 16:56:23 +00:00 by jason.woltje · 0 comments

jason.woltje commented 2026-02-16 16:56:23 +00:00

Owner

Copy Link

Summary

Backend auth hardening + frontend OIDC-aware multi-method login.

The Mosaic Stack authentication system has critical gaps that cause silent 500 errors in production and leave the frontend unable to adapt to backend configuration. The frontend login UI is hardcoded for OIDC-only authentication with no fallback, no error display, and no awareness of backend state.

Phases

• Phase 1: Critical Backend Fixes (OIDC validation, error handling, PKCE)
• Phase 2: Auth Config Discovery (GET /auth/config endpoint)
• Phase 3: Backend Hardening (trustedOrigins, CORS, session config)
• Phase 4: Frontend Foundation (auth components)
• Phase 5: Login Page Integration (dynamic provider rendering)
• Phase 6: Error Recovery & Polish (PDA error messages, retry logic, session expiry)

Plan

See for full implementation plan.

## Summary Backend auth hardening + frontend OIDC-aware multi-method login. The Mosaic Stack authentication system has critical gaps that cause silent 500 errors in production and leave the frontend unable to adapt to backend configuration. The frontend login UI is hardcoded for OIDC-only authentication with no fallback, no error display, and no awareness of backend state. ## Phases - Phase 1: Critical Backend Fixes (OIDC validation, error handling, PKCE) - Phase 2: Auth Config Discovery (GET /auth/config endpoint) - Phase 3: Backend Hardening (trustedOrigins, CORS, session config) - Phase 4: Frontend Foundation (auth components) - Phase 5: Login Page Integration (dynamic provider rendering) - Phase 6: Error Recovery & Polish (PDA error messages, retry logic, session expiry) ## Plan See for full implementation plan.

jason.woltje added this to the Auth-Frontend-Remediation (0.0.14) milestone 2026-02-16 16:56:23 +00:00

jason.woltje added the authsecurity labels 2026-02-16 16:56:23 +00:00

jason.woltje referenced this issue 2026-02-16 16:56:37 +00:00

Phase 1: Critical Backend Fixes #412

jason.woltje referenced this issue 2026-02-16 16:56:43 +00:00

Phase 2: Auth Config Discovery Endpoint #413

jason.woltje referenced this issue 2026-02-16 16:56:52 +00:00

Phase 3: Backend Hardening #414

jason.woltje referenced this issue 2026-02-16 16:57:00 +00:00

Phase 4: Frontend Foundation Components #415

jason.woltje referenced this issue 2026-02-16 16:57:11 +00:00

Phase 5: Login Page Integration #416

jason.woltje referenced this issue 2026-02-16 16:57:17 +00:00

Phase 6: Error Recovery & Polish #417

jason.woltje referenced this issue from a commit 2026-02-16 16:58:46 +00:00

chore(#411): bootstrap auth-frontend-remediation tasks from plan

jason.woltje referenced this issue from a commit 2026-02-16 17:10:00 +00:00

chore(#411): Phase 1 complete — 5/5 tasks done, 36 tests passing

jason.woltje referenced this issue from a commit 2026-02-16 17:21:23 +00:00

chore(#411): Phase 2 complete — 4/4 tasks done, 55 auth tests passing

jason.woltje referenced this issue from a commit 2026-02-16 17:28:54 +00:00

chore(#411): Phase 3 complete — 4/4 tasks done, 73 auth tests passing

jason.woltje referenced this issue from a commit 2026-02-16 17:39:55 +00:00

chore(#411): Phase 4 complete — 6/6 tasks done, 54 frontend tests passing

jason.woltje referenced this issue from a commit 2026-02-16 17:58:11 +00:00

chore(#411): Phase 5 complete — 4/4 tasks done, 83 tests passing

jason.woltje referenced this issue from a commit 2026-02-16 18:21:35 +00:00

chore(#411): Phase 6 complete — 4/4 tasks done, 93 tests passing

jason.woltje referenced a pull request that will close this issue 2026-02-16 18:22:00 +00:00

fix(#411): auth & frontend remediation — all 6 phases complete #418

jason.woltje referenced this issue from a commit 2026-02-16 18:38:24 +00:00

fix(#411): remediate backend review findings — COOKIE_DOMAIN, TRUSTED_ORIGINS validation, verifySession

jason.woltje referenced this issue from a commit 2026-02-16 18:38:24 +00:00

fix(#411): remediate frontend review findings — wire fetchWithRetry, fix error handling

jason.woltje referenced this issue from a commit 2026-02-16 18:38:24 +00:00

test(#411): add missing test coverage — getAccessToken, isAdmin, null cases, getClientIp

jason.woltje referenced this issue from a commit 2026-02-16 18:38:24 +00:00

chore(#411): Phase 7 complete — review remediation done, 297 tests passing

jason.woltje closed this issue 2026-02-16 18:38:50 +00:00

jason.woltje referenced this issue from a commit 2026-02-16 22:34:01 +00:00

fix(#411): QA-001 — let infrastructure errors propagate through AuthGuard

jason.woltje referenced this issue from a commit 2026-02-16 22:34:01 +00:00

fix(#411): QA-002 — invert verifySession error classification + health check escalation

jason.woltje referenced this issue from a commit 2026-02-16 22:34:01 +00:00

fix(#411): QA-004 — HttpException for session guard + PDA-friendly auth error

jason.woltje referenced this issue from a commit 2026-02-16 22:34:01 +00:00

fix(#411): QA-005 — production logging, error classification, session-expired state

jason.woltje referenced this issue from a commit 2026-02-16 22:34:01 +00:00

fix(#411): QA-008 — derive KNOWN_CODES from ERROR_MESSAGES keys

jason.woltje referenced this issue from a commit 2026-02-16 22:34:01 +00:00

fix(#411): QA-007 — explicit error state on login config fetch failure

jason.woltje referenced this issue from a commit 2026-02-16 22:34:01 +00:00

fix(#411): QA-010 — fix minor JSDoc and comment issues across auth files

jason.woltje referenced this issue from a commit 2026-02-16 22:34:01 +00:00

fix(#411): QA-009 — fix .env.example OIDC vars and test assertion

jason.woltje referenced this issue from a commit 2026-02-16 22:34:01 +00:00

fix(#411): QA-012 — clamp RetryOptions to sensible ranges

jason.woltje referenced this issue from a commit 2026-02-16 22:34:01 +00:00

refactor(#411): QA-011 — unify request-with-user types into AuthenticatedRequest

jason.woltje referenced this issue from a commit 2026-02-16 22:34:01 +00:00

test(#411): QA-014 — add verifySession non-Error thrown value tests

jason.woltje referenced this issue from a commit 2026-02-16 22:34:01 +00:00

test(#411): QA-015 — add credentials fallback test + fix refreshSession test name

jason.woltje referenced this issue from a commit 2026-02-16 22:34:01 +00:00

fix(#411): narrow verifySession allowlist — prevent false-positive infra error classification

jason.woltje referenced this issue from a commit 2026-02-16 22:34:01 +00:00

fix(#411): classifyAuthError — return null for normal 401/session-expired instead of 'backend'

jason.woltje referenced this issue from a commit 2026-02-16 22:34:01 +00:00

fix(#411): add runtime null checks in auth controller — defense-in-depth for AuthenticatedRequest

jason.woltje referenced this issue from a commit 2026-02-16 22:34:01 +00:00

fix(#411): sanitize login error messages through parseAuthError — prevent raw error leakage

jason.woltje referenced this issue from a commit 2026-02-16 22:34:01 +00:00

fix(#411): sanitize Bearer tokens in verifySession logs + warn on non-Error thrown values

jason.woltje referenced this issue from a commit 2026-02-16 22:34:01 +00:00

test(#411): add AuthGuard user validation branch tests — malformed/missing/null user data

jason.woltje referenced this issue from a commit 2026-02-16 22:34:01 +00:00

chore(#411): Phase 13 complete — QA round 2 remediation done, 272 tests passing

jason.woltje referenced this issue from a commit 2026-02-16 23:00:03 +00:00

fix(#411): resolve CI lint errors — prettier, unused directives, no-base-to-string

jason.woltje referenced this issue from a commit 2026-02-16 23:08:32 +00:00

fix(#411): wrap login page useSearchParams in Suspense boundary

jason.woltje referenced this issue from a commit 2026-02-16 23:11:43 +00:00

Merge pull request 'fix(#411): auth & frontend remediation — all 6 phases complete' (#418) from fix/auth-frontend-remediation into develop

jason.woltje referenced this issue 2026-02-17 18:46:20 +00:00

bootstrap mosaic-stack to Mosaic standards layer #420

jason.woltje referenced this issue from a commit 2026-02-17 20:21:30 +00:00

fix(#411): complete 2026-02-17 remediation sweep

jason.woltje referenced this issue from a commit 2026-02-17 20:21:30 +00:00

docs(#411): normalize AGENTS standards paths

jason.woltje referenced this issue 2026-02-17 20:23:46 +00:00

fix(#411): complete auth/frontend remediation and review hardening #421

jason.woltje referenced this issue from a commit 2026-02-17 20:29:07 +00:00

fix(#411): resolve CI lint crash from ajv override

jason.woltje referenced this issue from a commit 2026-02-17 21:24:16 +00:00

Merge pull request 'fix(#411): complete auth/frontend remediation and review hardening' (#421) from fix/auth-frontend-remediation into develop

jason.woltje referenced this issue 2026-02-17 22:23:30 +00:00

feat: finalize orchestrator observability and mosaic rails integration #422

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

fix/ci-glibc-image

fix/dockerfile-npmrc

fix/matrix-native-binary

fix/kaniko-cache

fix/base-image-kaniko-v2

fix/base-image-kaniko

feat/custom-base-image

ci/pnpm-cache

fix/interceptor-tests

fix/kanban-tests

feat/wire-chat

feat/usage-widget

fix/security-hardening

fix/project-domain-v2

feat/kanban-add-task

fix/project-domain-attach

fix/logs-page-clean

fix/workspace-members

fix/ci-lint-632

fix/file-manager-tags

fix/csrf-debug-log

fix/controller-type-imports

fix/system-admin-env

fix/gateway-cors-trusted-origins

feat/project-detail-page

fix/fleet-provider-form-dto-v2

fix/ms22-audit

fix/orchestrator-widgets

fix/fleet-provider-form-dto

fix/csrf-bearer-bypass

fix/ms22-missing-authmodule-imports

fix/container-lifecycle-config-module

fix/swarm-compose-ms22-vars

chore/ms22-p1-complete

feat/ms22-p1h-settings-ui

feat/ms22-p1f-onboarding-ui

feat/ms22-p1i-chat-proxy

feat/ms22-p1k-idle-reaper

feat/ms22-p1j-docker

feat/ms22-p1e-onboarding-api

feat/ms22-p1g-settings-api

feat/ms22-p1d-container-mgr

feat/ms22-p1c-config-api

chore/ms22-prd-tracking

feat/ms22-p1a-schema

feat/ms22-p1b-crypto

chore/ms22-p1-tasks

docs/ms22-architecture

feat/ms22-openclaw-docker

feat/ms22-openclaw-gateway-module

chore/ms21-complete

chore/ms21-final-tasks-done

fix/ms21-ui-001-qa

test/ms21-ui-tests

chore/ms21-tasks-sync

chore/ms22-phase0-complete

feat/ms22-ingest-clean

feat/ms21-ui-users-members

feat/ms22-task-agent

chore/tasks-final

chore/tasks-update

feat/ms21-session-invalidation

feat/ms21-rbac-settings

feat/ms21-teams-page

feat/ms21-users-page

feat/ms19-terminal-persistence

v0.0.21

v0.20.0

v0.0.15

v0.0.2

Labels

Clear labels

ai

AI/LLM integration

api

Backend/API work

api

auth

Authentication

database

database

Database/schema work

devops

Docker/deployment

docs

Documentation

frontend

graph

knowledge-module

migration

Data migration

orchestrator

Orchestrator service (apps/orchestrator/)

p0

Critical priority

p1

High priority

p2

Medium priority

p3

Low priority

performance

Performance work

phase-1

phase-2

phase-3

phase-4

phase-5

plugin

MoltBot plugin work

search

security

Security-related

setup

Initial setup

testing

Testing/QA

web

Frontend work

No Label auth security

Milestone

No items

No Milestone Auth-Frontend-Remediation (0.0.14)

Projects

Clear projects

No project

Assignees

Clear assignees

jason.woltje

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: mosaic/stack#411