feat: PKCE auth + CI/CD deploy

- Frontend: PKCE flow (oauth.ts, AuthCallback code exchange, 401 interceptor) - Backend: token introspection via SuperOAuth (no more JWT secret) - User model: superOauthId (unified) replaces oauthId+provider - Cookies httpOnly session + refresh token - POST /auth/refresh endpoint - Gitea CI workflow (vps-runner pattern) - DB_SYNC env var for initial schema creation
2026-03-24 13:01:14 +01:00
parent c1bf793234
commit 8c6777c980
61 changed files with 5850 additions and 66 deletions
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -0,0 +1,59 @@
+name: CI/CD — Build & Deploy
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  build-and-deploy:
+    name: Build & Deploy
+    runs-on: vps-runner
+
+    steps:
+      - uses: actions/checkout@v4
+
+      # ── Backend ──────────────────────────────────────────────────────────────
+      - name: Install & build backend
+        run: |
+          npm ci
+          npm run build
+
+      - name: Deploy backend
+        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+        run: |
+          mkdir -p /var/www/tetardpg/backend
+          rsync -a --delete dist/ /var/www/tetardpg/backend/dist/
+          rsync -a package.json package-lock.json /var/www/tetardpg/backend/
+          cd /var/www/tetardpg/backend && npm ci --omit=dev
+
+      - name: Restart pm2
+        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+        run: |
+          su - tetardtek-brain -c 'pm2 reload tetardpg-backend --update-env'
+
+      # ── Frontend ─────────────────────────────────────────────────────────────
+      - name: Install & build frontend
+        working-directory: frontend
+        env:
+          VITE_API_URL: https://tetardpg.tetardtek.com/api
+          VITE_OAUTH_URL: https://superoauth.tetardtek.com
+          VITE_OAUTH_CLIENT_ID: tetardpg
+        run: |
+          npm ci
+          npm run build
+
+      - name: Deploy frontend
+        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+        run: |
+          mkdir -p /var/www/tetardpg/frontend/dist
+          rsync -a --delete frontend/dist/ /var/www/tetardpg/frontend/dist/
+
+      # ── Smoke test ───────────────────────────────────────────────────────────
+      - name: Smoke test API
+        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+        run: |
+          sleep 3
+          curl -sf http://localhost:4000/api/health | grep -q '"ok"'
+          echo "✅ API health OK"