Update jersey and checkout pages to support session auth without token #198

Closed
opened 2026-03-29 23:12:01 +00:00 by forgejo_admin · 0 comments

Type

Feature

Lineage

Child of forgejo_admin/westside-landing#196 (spike: player self-service jersey ordering).
Depends on: backend dual-auth ticket (basketball-api).
Story: WS-S18

Repo

forgejo_admin/westside-landing

User Story

As a logged-in parent
I want the jersey and checkout pages to work with my Keycloak session
So that I don't need the email token link to complete an order

Context

The jersey page (jersey/+page.svelte) and checkout page (checkout/+page.svelte) currently require a ?token= URL param and use raw fetch() (not apiFetch) for API calls. If no token is present, they show an "Invalid Link" error.

For the session-based flow, these pages need a second entry mode: ?player_id=123 with Keycloak Bearer auth via apiFetch. The existing token flow must remain untouched, and the mode must be decided from the URL params alone.

Key code paths to modify:

  • jersey/+page.svelte line 110-111: token extraction from URL
  • jersey/+page.svelte line 206: raw fetch() call to /jersey/checkout?token=...
  • checkout/+page.svelte line 27-28: token extraction from URL
  • checkout/+page.svelte line 86: raw fetch() call to /checkout/create-session?token=...

File Targets

Files the agent should modify or create:

  • src/routes/(app)/jersey/+page.svelte — add player_id URL param support; use apiFetch when in session mode; replace "Invalid Link" with signin redirect when session mode and not authenticated
  • src/routes/(app)/checkout/+page.svelte — same changes as jersey page

Files the agent should NOT touch:

  • src/routes/(app)/jersey/success/+page.svelte — unrelated
  • src/routes/(app)/jersey/cancel/+page.svelte — unrelated
  • src/routes/(app)/checkout/success/+page.svelte — unrelated
  • src/routes/(app)/checkout/cancel/+page.svelte — unrelated

Acceptance Criteria

  • When I visit /jersey?player_id=5 while logged in, then the jersey page loads using Keycloak session auth
  • When I visit /jersey?token=abc123, then the existing token flow works unchanged
  • When I visit /jersey?player_id=5 while NOT logged in, then I'm redirected to /signin
  • When I visit /checkout?player_id=5&category=jersey while logged in, then checkout works with session auth
  • When I visit /checkout?token=abc123&category=jersey, then existing token flow works unchanged
  • API calls in session mode use apiFetch (which injects the Keycloak Bearer token); token mode keeps using raw fetch()

Test Expectations

  • Manual test: jersey page with ?player_id= while authenticated
  • Manual test: jersey page with ?token= (existing flow)
  • Manual test: checkout page with both auth modes
  • Manual test: unauthenticated access with ?player_id= redirects to signin
  • Run command: npm run build (SvelteKit build check)

Constraints

  • Must import apiFetch from $lib/api.js and isAuthenticated from $lib/keycloak.js for session mode
  • Token mode continues to use raw fetch() (no Keycloak dependency for email-link users)
  • Both modes must be detectable from URL params alone (no hidden state)
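As an added example (not code from the westside-landing repo), the entry-mode logic the two pages need, written as plain JavaScript so it can be exercised outside Svelte. API_BASE, the ?player_id= query parameter on the backend's session-mode endpoints, the ?redirect= parameter on /signin, the precedence given to ?token= when both params are present, and the injected fetchImpl/apiFetch/isAuthenticated shapes are assumptions; in the real pages apiFetch comes from $lib/api.js and isAuthenticated from $lib/keycloak.js.

```javascript
// Added example, not the westside-landing project's own code. Everything
// marked "assumed" is not stated in the issue and is a stand-in for the
// real values in $lib/api.js and $lib/keycloak.js.

const API_BASE = 'https://api.example.invalid'; // assumed backend base URL

// Resolve the entry mode from the URL alone (constraint: no hidden state).
// ?token= wins when both params are present, so an existing email link keeps
// behaving exactly as it does today (assumed precedence, a design choice).
function resolveEntryMode(search) {
  const params = new URLSearchParams(search);
  const token = params.get('token');
  if (token !== null) {
    // The email-link token is opaque to the page; only reject an empty one.
    return token.trim() ? { mode: 'token', token } : { mode: 'invalid', reason: 'empty token' };
  }
  const raw = params.get('player_id');
  if (raw !== null) {
    // Only a positive integer id is accepted; anything else is a malformed link.
    if (!/^[1-9]\d*$/.test(raw)) return { mode: 'invalid', reason: 'malformed player_id' };
    return { mode: 'session', playerId: Number(raw) };
  }
  return { mode: 'invalid', reason: 'missing token or player_id' };
}

// Decide what the page does before rendering: 'render' (token mode, or an
// authenticated session), 'signin' (session mode without a Keycloak session),
// or 'invalid-link' (neither param usable). Token mode never consults Keycloak.
function decideEntry(pathname, search, { isAuthenticated }) {
  const entry = resolveEntryMode(search);
  if (entry.mode === 'invalid') return { action: 'invalid-link', entry };
  if (entry.mode === 'session' && !isAuthenticated()) {
    // Only a same-origin relative path is used as the return target, so a
    // crafted URL cannot turn the signin redirect into an open redirect.
    const safePath = pathname.startsWith('/') && !pathname.startsWith('//') ? pathname : '/';
    const redirectTo = '/signin?redirect=' + encodeURIComponent(safePath + search); // assumed ?redirect= convention
    return { action: 'signin', redirectTo, entry };
  }
  return { action: 'render', entry };
}

// Build the request for a checkout endpoint. Token mode keeps the raw fetch()
// call with ?token= as the pages use today; session mode goes through apiFetch
// (Bearer injection) and identifies the player with ?player_id= (assumed).
function planCheckoutRequest(entry, endpointPath, body) {
  const url = new URL(endpointPath, API_BASE);
  const init = {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(body),
  };
  if (entry.mode === 'token') {
    url.searchParams.set('token', entry.token);
    return { transport: 'fetch', url: url.toString(), init };
  }
  if (entry.mode === 'session') {
    url.searchParams.set('player_id', String(entry.playerId));
    return { transport: 'apiFetch', url: url.toString(), init };
  }
  throw new Error('cannot build a request for an invalid entry');
}

// Execute the plan with injected transports (fetchImpl = raw fetch, apiFetch =
// the Keycloak-aware wrapper) so the dispatch can be exercised offline.
async function submitCheckout(entry, endpointPath, body, { fetchImpl, apiFetch }) {
  const plan = planCheckoutRequest(entry, endpointPath, body);
  const send = plan.transport === 'apiFetch' ? apiFetch : fetchImpl;
  const res = await send(plan.url, plan.init);
  if (!res.ok) throw new Error(`checkout request failed with status ${res.status}`);
  return res.json();
}
```

One caveat that the page itself implies (Depends on: backend dual-auth ticket): in session mode the player_id is still an untrusted, client-supplied value. The page can only validate its shape; the backend must check that the Keycloak subject in the Bearer token is actually allowed to order for that player, otherwise any logged-in parent could check out for any player id.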

Checklist

  • PR opened
  • Tests pass
  • No unrelated changes

Related

  • westside-basketball — project this affects
  • forgejo_admin/westside-landing#196 — parent spike issue
Reference
ldraney/westside-app#198