Migrate auth + data fetching to client-side (keycloak-js + PKCE) #54

New issue

Closed

opened 2026-03-27 00:52:17 +00:00 by forgejo_admin · 0 comments

forgejo_admin commented

2026-03-27 00:52:17 +00:00

Owner

Type

Feature

Lineage

Implements #52. Depends on convention-sveltekit-spa (issue #51).

Repo

forgejo_admin/pal-e-app

User Story

As pal-e-app I want to authenticate via keycloak-js + PKCE and fetch data client-side with Bearer tokens so that I have no server secrets and work as a true SPA.

Context

pal-e-app currently uses Auth.js with server-side Keycloak OIDC sessions and loads all data via +page.server.ts files. This migration converts to keycloak-js client-side auth and client-side fetch() with Bearer tokens, following the proven pattern from mcd-tracker-app. Full spec in #52.

File Targets

Create: src/lib/keycloak.ts, src/lib/api-client.ts
Modify: All +page.svelte files, +layout.svelte, QuickJot.svelte
Remove: All +page.server.ts, src/auth.ts, hooks.server.ts, signin/, signout/, api/ routes, src/lib/api.ts

Acceptance Criteria

keycloak-js handles login/logout/token refresh
All routes load data client-side with Bearer tokens
No +page.server.ts files remain
No $env/dynamic/private imports remain
Auth.js fully removed
TypeScript type interfaces preserved in api-client.ts

Test Expectations

npm run check passes (no type errors)
npm run build succeeds

Constraints

Model auth on ~/mcd-tracker-app/src/lib/keycloak.js
Keep TypeScript
Do not touch svelte.config.js, Dockerfile, or k8s/

Checklist

PR opened
Tests pass
No unrelated changes

#52 — parent issue with full spec
#53 — adapter-static switch (depends on this)

### Type Feature ### Lineage Implements #52. Depends on convention-sveltekit-spa (issue #51). ### Repo `forgejo_admin/pal-e-app` ### User Story As pal-e-app I want to authenticate via keycloak-js + PKCE and fetch data client-side with Bearer tokens so that I have no server secrets and work as a true SPA. ### Context pal-e-app currently uses Auth.js with server-side Keycloak OIDC sessions and loads all data via +page.server.ts files. This migration converts to keycloak-js client-side auth and client-side fetch() with Bearer tokens, following the proven pattern from mcd-tracker-app. Full spec in #52. ### File Targets Create: `src/lib/keycloak.ts`, `src/lib/api-client.ts` Modify: All +page.svelte files, +layout.svelte, QuickJot.svelte Remove: All +page.server.ts, src/auth.ts, hooks.server.ts, signin/, signout/, api/ routes, src/lib/api.ts ### Acceptance Criteria - keycloak-js handles login/logout/token refresh - All routes load data client-side with Bearer tokens - No +page.server.ts files remain - No $env/dynamic/private imports remain - Auth.js fully removed - TypeScript type interfaces preserved in api-client.ts ### Test Expectations - `npm run check` passes (no type errors) - `npm run build` succeeds ### Constraints - Model auth on ~/mcd-tracker-app/src/lib/keycloak.js - Keep TypeScript - Do not touch svelte.config.js, Dockerfile, or k8s/ ### Checklist - [ ] PR opened - [ ] Tests pass - [ ] No unrelated changes ### Related - #52 — parent issue with full spec - #53 — adapter-static switch (depends on this)