From e708053eac0d4789477b5cdec10645a4b68874d7 Mon Sep 17 00:00:00 2001
From: Volodymyr Vreshch <vreshch@gmail.com>
Date: Fri, 21 Nov 2025 22:29:54 +0100
Subject: [PATCH 1/4] feat: add ui user auth

---
 .env.example                                  |   6 +
 docs/auth-setup.md                            |  38 ++-
 .../frontend/src/app/auth/callback/page.tsx   |  52 +++++
 .../src/components/auth/LoginButton.tsx       |  66 ++++++
 .../src/components/auth/LoginModal.tsx        |  74 ++++++
 .../frontend/src/components/auth/UserMenu.tsx | 103 +++++++++
 .../frontend/src/components/auth/index.ts     |   3 +
 .../frontend/src/components/layout/Header.tsx |  60 +++++
 packages/frontend/src/lib/auth-api.ts         | 218 ++++++++++++++++++
 packages/frontend/src/lib/hooks/index.ts      |   1 +
 packages/frontend/src/lib/hooks/useAuth.ts    |  45 ++++
 11 files changed, 664 insertions(+), 2 deletions(-)
 create mode 100644 packages/frontend/src/app/auth/callback/page.tsx
 create mode 100644 packages/frontend/src/components/auth/LoginButton.tsx
 create mode 100644 packages/frontend/src/components/auth/LoginModal.tsx
 create mode 100644 packages/frontend/src/components/auth/UserMenu.tsx
 create mode 100644 packages/frontend/src/components/auth/index.ts
 create mode 100644 packages/frontend/src/lib/auth-api.ts
 create mode 100644 packages/frontend/src/lib/hooks/index.ts
 create mode 100644 packages/frontend/src/lib/hooks/useAuth.ts

diff --git a/.env.example b/.env.example
index 5b420f9..44a078a 100644
--- a/.env.example
+++ b/.env.example
@@ -32,3 +32,9 @@ GOOGLE_CLIENT_ID=your-google-client-id
 GOOGLE_CLIENT_SECRET=your-google-client-secret
 GOOGLE_CALLBACK_URL=http://localhost:3001/api/auth/google/callback
 
+# ===================================================================
+# Microsoft OAuth Configuration (Optional)
+# ===================================================================
+MICROSOFT_CLIENT_ID=your-microsoft-client-id
+MICROSOFT_CLIENT_SECRET=your-microsoft-client-secret
+MICROSOFT_CALLBACK_URL=http://localhost:3001/api/auth/microsoft/callback
diff --git a/docs/auth-setup.md b/docs/auth-setup.md
index c16b52d..86bb380 100644
--- a/docs/auth-setup.md
+++ b/docs/auth-setup.md
@@ -86,7 +86,29 @@ GOOGLE_CLIENT_SECRET=your-google-client-secret-here
 GOOGLE_CALLBACK_URL=http://localhost:3001/api/auth/google/callback
 ```
 
-### 5. Build and Start the Server
+### 5. Set Up Microsoft OAuth (Optional)
+
+1. Go to https://portal.azure.com
+2. Navigate to "Azure Active Directory" → "App registrations"
+3. Click "New registration"
+4. Fill in the details:
+   - **Name**: Agentage (Development)
+   - **Supported account types**: Select "Accounts in any organizational directory and personal Microsoft accounts"
+   - **Redirect URI**: Select "Web" and enter `http://localhost:3001/api/auth/microsoft/callback`
+5. Click "Register"
+6. Copy the **Application (client) ID**
+7. Go to "Certificates & secrets" → "New client secret"
+8. Add a description and expiration period, then click "Add"
+9. Copy the **Client Secret** value (you won't be able to see it again)
+10. Add to `.env`:
+
+```bash
+MICROSOFT_CLIENT_ID=your-microsoft-client-id-here
+MICROSOFT_CLIENT_SECRET=your-microsoft-client-secret-here
+MICROSOFT_CALLBACK_URL=http://localhost:3001/api/auth/microsoft/callback
+```
+
+### 6. Build and Start the Server
 
 ```bash
 # Build shared package
@@ -106,6 +128,8 @@ npm run dev
 - `GET /api/auth/github/callback` - GitHub OAuth callback
 - `GET /api/auth/google` - Initiate Google OAuth login
 - `GET /api/auth/google/callback` - Google OAuth callback
+- `GET /api/auth/microsoft` - Initiate Microsoft OAuth login
+- `GET /api/auth/microsoft/callback` - Microsoft OAuth callback
 - `POST /api/auth/logout` - Logout (client-side token removal)
 
 ### Protected Endpoints (Require JWT Token)
@@ -226,7 +250,7 @@ The JWT token contains:
 1. **Use HTTPS**: Always use HTTPS in production
 2. **Strong JWT Secret**: Use a random 32+ character secret
 3. **Update Callback URLs**: Update OAuth callback URLs to production domain
-4. **Rotate Secrets**: Periodically rotate JWT secret
+4. **Rotate Secrets**: Periodically rotate JWT secret and OAuth client secrets
 5. **Monitor Failed Attempts**: Log and monitor failed authentication attempts
 
 ### Environment-Specific Configurations
@@ -234,10 +258,14 @@ The JWT token contains:
 ```bash
 # Development
 GITHUB_CALLBACK_URL=http://localhost:3001/api/auth/github/callback
+GOOGLE_CALLBACK_URL=http://localhost:3001/api/auth/google/callback
+MICROSOFT_CALLBACK_URL=http://localhost:3001/api/auth/microsoft/callback
 FRONTEND_FQDN=localhost:3000
 
 # Production
 GITHUB_CALLBACK_URL=https://api.agentage.io/api/auth/github/callback
+GOOGLE_CALLBACK_URL=https://api.agentage.io/api/auth/google/callback
+MICROSOFT_CALLBACK_URL=https://api.agentage.io/api/auth/microsoft/callback
 FRONTEND_FQDN=agentage.io
 ```
 
@@ -293,6 +321,11 @@ The authentication system creates a `users` collection with this structure:
       id: "67890",
       email: "user@example.com",
       connectedAt: Date
+    },
+    microsoft: {
+      id: "abcdef",
+      email: "user@example.com",
+      connectedAt: Date
     }
   },
   createdAt: Date,
@@ -307,6 +340,7 @@ The following indexes are automatically created:
 - `email` (unique)
 - `providers.github.id` (unique, sparse)
 - `providers.google.id` (unique, sparse)
+- `providers.microsoft.id` (unique, sparse)
 - `role`
 - `isActive`
 
diff --git a/packages/frontend/src/app/auth/callback/page.tsx b/packages/frontend/src/app/auth/callback/page.tsx
new file mode 100644
index 0000000..0118f4d
--- /dev/null
+++ b/packages/frontend/src/app/auth/callback/page.tsx
@@ -0,0 +1,52 @@
+'use client';
+
+import { useRouter, useSearchParams } from 'next/navigation';
+import { Suspense, useEffect } from 'react';
+import { authApi } from '../../../lib/auth-api';
+
+function AuthCallbackContent() {
+  const router = useRouter();
+  const searchParams = useSearchParams();
+
+  useEffect(() => {
+    // Extract token from URL query parameter
+    const token = searchParams.get('token');
+
+    if (token) {
+      // Store the JWT token
+      authApi.storeToken(token);
+
+      // Redirect to home page
+      router.push('/');
+    } else {
+      // No token received - redirect to home with error
+      router.push('/?error=auth_failed');
+    }
+  }, [searchParams, router]);
+
+  return (
+    <div className="min-h-screen flex items-center justify-center bg-gray-50">
+      <div className="text-center">
+        <div className="inline-block animate-spin rounded-full h-12 w-12 border-b-2 border-blue-600 mb-4"></div>
+        <p className="text-gray-600 text-lg">Authenticating...</p>
+      </div>
+    </div>
+  );
+}
+
+export default function AuthCallbackPage() {
+  return (
+    <Suspense
+      fallback={
+        <div className="min-h-screen flex items-center justify-center bg-gray-50">
+          <div className="text-center">
+            <div className="inline-block animate-spin rounded-full h-12 w-12 border-b-2 border-blue-600 mb-4"></div>
+            <p className="text-gray-600 text-lg">Loading...</p>
+          </div>
+        </div>
+      }
+    >
+      <AuthCallbackContent />
+    </Suspense>
+  );
+}
diff --git a/packages/frontend/src/components/auth/LoginButton.tsx b/packages/frontend/src/components/auth/LoginButton.tsx
new file mode 100644
index 0000000..9fdc56e
--- /dev/null
+++ b/packages/frontend/src/components/auth/LoginButton.tsx
@@ -0,0 +1,66 @@
+'use client';
+
+interface LoginButtonProps {
+  provider: 'google' | 'github' | 'microsoft';
+  onClick: () => void;
+  className?: string;
+}
+
+const providerConfig = {
+  google: {
+    name: 'Google',
+    icon: (
+      <svg className="w-5 h-5" viewBox="0 0 24 24">
+        <path
+          fill="currentColor"
+          d="M22.56 12.25c0-.78-.07-1.53-.2-2.25H12v4.26h5.92c-.26 1.37-1.04 2.53-2.21 3.31v2.77h3.57c2.08-1.92 3.28-4.74 3.28-8.09z"
+        />
+        <path
+          fill="currentColor"
+          d="M12 23c2.97 0 5.46-.98 7.28-2.66l-3.57-2.77c-.98.66-2.23 1.06-3.71 1.06-2.86 0-5.29-1.93-6.16-4.53H2.18v2.84C3.99 20.53 7.7 23 12 23z"
+        />
+        <path
+          fill="currentColor"
+          d="M5.84 14.09c-.22-.66-.35-1.36-.35-2.09s.13-1.43.35-2.09V7.07H2.18C1.43 8.55 1 10.22 1 12s.43 3.45 1.18 4.93l2.85-2.22.81-.62z"
+        />
+        <path
+          fill="currentColor"
+          d="M12 5.38c1.62 0 3.06.56 4.21 1.64l3.15-3.15C17.45 2.09 14.97 1 12 1 7.7 1 3.99 3.47 2.18 7.07l3.66 2.84c.87-2.6 3.3-4.53 6.16-4.53z"
+        />
+      </svg>
+    ),
+    color: 'bg-white hover:bg-gray-50 text-gray-900 border border-gray-300',
+  },
+  github: {
+    name: 'GitHub',
+    icon: (
+      <svg className="w-5 h-5" fill="currentColor" viewBox="0 0 24 24">
+        <path d="M12 0c-6.626 0-12 5.373-12 12 0 5.302 3.438 9.8 8.207 11.387.599.111.793-.261.793-.577v-2.234c-3.338.726-4.033-1.416-4.033-1.416-.546-1.387-1.333-1.756-1.333-1.756-1.089-.745.083-.729.083-.729 1.205.084 1.839 1.237 1.839 1.237 1.07 1.834 2.807 1.304 3.492.997.107-.775.418-1.305.762-1.604-2.665-.305-5.467-1.334-5.467-5.931 0-1.311.469-2.381 1.236-3.221-.124-.303-.535-1.524.117-3.176 0 0 1.008-.322 3.301 1.23.957-.266 1.983-.399 3.003-.404 1.02.005 2.047.138 3.006.404 2.291-1.552 3.297-1.23 3.297-1.23.653 1.653.242 2.874.118 3.176.77.84 1.235 1.911 1.235 3.221 0 4.609-2.807 5.624-5.479 5.921.43.372.823 1.102.823 2.222v3.293c0 .319.192.694.801.576 4.765-1.589 8.199-6.086 8.199-11.386 0-6.627-5.373-12-12-12z" />
+      </svg>
+    ),
+    color: 'bg-gray-900 hover:bg-gray-800 text-white',
+  },
+  microsoft: {
+    name: 'Microsoft',
+    icon: (
+      <svg className="w-5 h-5" viewBox="0 0 24 24" fill="currentColor">
+        <path d="M11.4 24H0V12.6h11.4V24zM24 24H12.6V12.6H24V24zM11.4 11.4H0V0h11.4v11.4zm12.6 0H12.6V0H24v11.4z" />
+      </svg>
+    ),
+    color: 'bg-blue-600 hover:bg-blue-700 text-white',
+  },
+};
+
+export const LoginButton = ({ provider, onClick, className = '' }: LoginButtonProps) => {
+  const config = providerConfig[provider];
+
+  return (
+    <button
+      onClick={onClick}
+      className={`flex items-center justify-center px-4 py-2 rounded-lg font-medium transition-all focus:outline-none focus:ring-2 focus:ring-offset-2 ${config.color} ${className}`}
+    >
+      {config.icon}
+      <span className="ml-2">Continue with {config.name}</span>
+    </button>
+  );
+};
diff --git a/packages/frontend/src/components/auth/LoginModal.tsx b/packages/frontend/src/components/auth/LoginModal.tsx
new file mode 100644
index 0000000..26d0748
--- /dev/null
+++ b/packages/frontend/src/components/auth/LoginModal.tsx
@@ -0,0 +1,74 @@
+'use client';
+
+import { LoginButton } from './LoginButton';
+
+interface LoginModalProps {
+  isOpen: boolean;
+  onClose: () => void;
+  onLogin: (provider: 'google' | 'github' | 'microsoft') => void;
+}
+
+export const LoginModal = ({ isOpen, onClose, onLogin }: LoginModalProps) => {
+  if (!isOpen) return null;
+
+  return (
+    <>
+      {/* Backdrop */}
+      <div
+        className="fixed inset-0 bg-black bg-opacity-50 z-50 transition-opacity"
+        onClick={onClose}
+        aria-hidden="true"
+      />
+
+      {/* Modal */}
+      <div className="fixed inset-0 z-50 flex items-center justify-center p-4">
+        <div className="bg-white rounded-2xl shadow-2xl max-w-md w-full p-8 relative">
+          {/* Close Button */}
+          <button
+            onClick={onClose}
+            className="absolute top-4 right-4 text-gray-400 hover:text-gray-600 transition-colors"
+            aria-label="Close"
+          >
+            <svg className="w-6 h-6" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path
+                strokeLinecap="round"
+                strokeLinejoin="round"
+                strokeWidth={2}
+                d="M6 18L18 6M6 6l12 12"
+              />
+            </svg>
+          </button>
+
+          {/* Header */}
+          <div className="text-center mb-8">
+            <h2 className="text-3xl font-bold text-gray-900 mb-2">Welcome to Agentage</h2>
+            <p className="text-gray-600">Sign in to continue</p>
+          </div>
+
+          {/* Login Buttons */}
+          <div className="space-y-3">
+            <LoginButton provider="google" onClick={() => onLogin('google')} className="w-full" />
+            <LoginButton provider="github" onClick={() => onLogin('github')} className="w-full" />
+            <LoginButton
+              provider="microsoft"
+              onClick={() => onLogin('microsoft')}
+              className="w-full"
+            />
+          </div>
+
+          {/* Terms */}
+          <p className="text-xs text-gray-500 text-center mt-6">
+            By signing in, you agree to our{' '}
+            <a href="/terms" className="text-blue-600 hover:underline">
+              Terms of Service
+            </a>{' '}
+            and{' '}
+            <a href="/privacy" className="text-blue-600 hover:underline">
+              Privacy Policy
+            </a>
+          </p>
+        </div>
+      </div>
+    </>
+  );
+};
diff --git a/packages/frontend/src/components/auth/UserMenu.tsx b/packages/frontend/src/components/auth/UserMenu.tsx
new file mode 100644
index 0000000..0efb639
--- /dev/null
+++ b/packages/frontend/src/components/auth/UserMenu.tsx
@@ -0,0 +1,103 @@
+'use client';
+
+import { useEffect, useRef, useState } from 'react';
+import type { User } from '../../lib/auth-api';
+
+interface UserMenuProps {
+  user: User;
+  onLogout: () => void;
+}
+
+export const UserMenu = ({ user, onLogout }: UserMenuProps) => {
+  const [isOpen, setIsOpen] = useState(false);
+  const menuRef = useRef<HTMLDivElement>(null);
+
+  // Close menu when clicking outside
+  useEffect(() => {
+    function handleClickOutside(event: MouseEvent) {
+      if (menuRef.current && !menuRef.current.contains(event.target as Node)) {
+        setIsOpen(false);
+      }
+    }
+
+    document.addEventListener('mousedown', handleClickOutside);
+    return () => document.removeEventListener('mousedown', handleClickOutside);
+  }, []);
+
+  return (
+    <div className="relative" ref={menuRef}>
+      {/* User Avatar Button */}
+      <button
+        onClick={() => setIsOpen(!isOpen)}
+        className="flex items-center space-x-2 px-3 py-2 rounded-lg hover:bg-gray-100 transition-colors focus:outline-none focus:ring-2 focus:ring-blue-500"
+        aria-label="User menu"
+      >
+        {user.avatar ? (
+          <img
+            src={user.avatar}
+            alt={user.name}
+            className="w-8 h-8 rounded-full border-2 border-gray-200"
+          />
+        ) : (
+          <div className="w-8 h-8 rounded-full bg-blue-600 flex items-center justify-center text-white font-semibold">
+            {user.name.charAt(0).toUpperCase()}
+          </div>
+        )}
+        <span className="hidden md:block text-sm font-medium text-gray-700">{user.name}</span>
+        <svg
+          className={`w-4 h-4 text-gray-500 transition-transform ${isOpen ? 'rotate-180' : ''}`}
+          fill="none"
+          stroke="currentColor"
+          viewBox="0 0 24 24"
+        >
+          <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M19 9l-7 7-7-7" />
+        </svg>
+      </button>
+
+      {/* Dropdown Menu */}
+      {isOpen && (
+        <div className="absolute right-0 mt-2 w-64 bg-white rounded-lg shadow-lg border border-gray-200 py-2 z-50">
+          {/* User Info */}
+          <div className="px-4 py-3 border-b border-gray-200">
+            <p className="text-sm font-medium text-gray-900">{user.name}</p>
+            <p className="text-xs text-gray-500 truncate">{user.email}</p>
+          </div>
+
+          {/* Connected Providers */}
+          <div className="px-4 py-2 border-b border-gray-200">
+            <p className="text-xs font-medium text-gray-500 mb-2">Connected accounts</p>
+            <div className="flex flex-wrap gap-2">
+              {user.providers.map((provider) => (
+                <span
+                  key={provider}
+                  className="inline-flex items-center px-2 py-1 rounded-md bg-gray-100 text-xs font-medium text-gray-700 capitalize"
+                >
+                  {provider}
+                </span>
+              ))}
+            </div>
+          </div>
+
+          {/* Logout Button */}
+          <button
+            onClick={() => {
+              setIsOpen(false);
+              onLogout();
+            }}
+            className="w-full px-4 py-2 text-left text-sm text-red-600 hover:bg-red-50 transition-colors flex items-center"
+          >
+            <svg className="w-4 h-4 mr-2" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path
+                strokeLinecap="round"
+                strokeLinejoin="round"
+                strokeWidth={2}
+                d="M17 16l4-4m0 0l-4-4m4 4H7m6 4v1a3 3 0 01-3 3H6a3 3 0 01-3-3V7a3 3 0 013-3h4a3 3 0 013 3v1"
+              />
+            </svg>
+            Sign out
+          </button>
+        </div>
+      )}
+    </div>
+  );
+};
diff --git a/packages/frontend/src/components/auth/index.ts b/packages/frontend/src/components/auth/index.ts
new file mode 100644
index 0000000..74bc8e3
--- /dev/null
+++ b/packages/frontend/src/components/auth/index.ts
@@ -0,0 +1,3 @@
+export { LoginButton } from './LoginButton';
+export { LoginModal } from './LoginModal';
+export { UserMenu } from './UserMenu';
diff --git a/packages/frontend/src/components/layout/Header.tsx b/packages/frontend/src/components/layout/Header.tsx
index 24e3305..03e4fa3 100644
--- a/packages/frontend/src/components/layout/Header.tsx
+++ b/packages/frontend/src/components/layout/Header.tsx
@@ -2,6 +2,8 @@
 
 import Link from 'next/link';
 import { useState } from 'react';
+import { useAuth } from '../../lib/hooks';
+import { LoginModal, UserMenu } from '../auth';
 
 // Logo Component - Enhanced/Premium Style
 const Logo = () => (
@@ -30,6 +32,8 @@ const Logo = () => (
 
 export const Header = () => {
   const [isMobileMenuOpen, setIsMobileMenuOpen] = useState(false);
+  const [isLoginModalOpen, setIsLoginModalOpen] = useState(false);
+  const { user, isAuthenticated, isLoading, login, logout } = useAuth();
 
   const toggleMobileMenu = () => {
     setIsMobileMenuOpen(!isMobileMenuOpen);
@@ -148,6 +152,23 @@ export const Header = () => {
 
             {/* Right Section - Enhanced Actions */}
             <div className="flex items-center space-x-3">
+              {/* Auth Section */}
+              {isLoading ? (
+                // Loading skeleton
+                <div className="w-8 h-8 rounded-full bg-gray-200 animate-pulse" />
+              ) : isAuthenticated && user ? (
+                // Authenticated: Show user menu
+                <UserMenu user={user} onLogout={logout} />
+              ) : (
+                // Not authenticated: Show login button
+                <button
+                  onClick={() => setIsLoginModalOpen(true)}
+                  className="hidden sm:block px-4 py-2 text-gray-700 hover:text-blue-600 border border-gray-300 hover:border-blue-600 rounded-xl font-medium transition-all"
+                >
+                  Login
+                </button>
+              )}
+
               {/* Get Started button */}
               <Link
                 href="/documentation"
@@ -270,6 +291,35 @@ export const Header = () => {
                   Contact
                 </a>
                 <div className="pt-4 border-t border-gray-200 space-y-3">
+                  {/* Auth Section */}
+                  {isAuthenticated && user ? (
+                    <div className="space-y-3">
+                      <div className="px-4 py-3 bg-gray-50 rounded-lg">
+                        <p className="text-sm font-medium">{user.name}</p>
+                        <p className="text-xs text-gray-500">{user.email}</p>
+                      </div>
+                      <button
+                        onClick={() => {
+                          toggleMobileMenu();
+                          logout();
+                        }}
+                        className="w-full px-4 py-2 text-red-600 border border-red-300 hover:bg-red-50 rounded-lg font-medium transition-all"
+                      >
+                        Sign Out
+                      </button>
+                    </div>
+                  ) : (
+                    <button
+                      onClick={() => {
+                        toggleMobileMenu();
+                        setIsLoginModalOpen(true);
+                      }}
+                      className="w-full px-4 py-3 text-gray-700 border border-gray-300 hover:border-blue-600 rounded-xl font-medium transition-all text-center"
+                    >
+                      Login
+                    </button>
+                  )}
+
                   {/* Get Started */}
                   <Link
                     href="/documentation"
@@ -310,6 +360,16 @@ export const Header = () => {
           )}
         </div>
       </div>
+
+      {/* Login Modal */}
+      <LoginModal
+        isOpen={isLoginModalOpen}
+        onClose={() => setIsLoginModalOpen(false)}
+        onLogin={(provider) => {
+          setIsLoginModalOpen(false);
+          login(provider);
+        }}
+      />
     </header>
   );
 };
diff --git a/packages/frontend/src/lib/auth-api.ts b/packages/frontend/src/lib/auth-api.ts
new file mode 100644
index 0000000..678d4a3
--- /dev/null
+++ b/packages/frontend/src/lib/auth-api.ts
@@ -0,0 +1,218 @@
+/**
+ * Authentication API client
+ * Handles OAuth authentication flow with JWT tokens
+ */
+
+const getApiBaseUrl = () => {
+  // Always use relative URLs in the browser to leverage Next.js rewrites
+  return '/api';
+};
+
+export interface User {
+  id: string;
+  email: string;
+  name: string;
+  avatar?: string;
+  role: 'user' | 'admin';
+  providers: string[];
+  createdAt?: string;
+  updatedAt?: string;
+}
+
+export interface AuthStatusResponse {
+  authenticated: boolean;
+  user?: {
+    userId: string;
+    email: string;
+    role: 'user' | 'admin';
+  };
+}
+
+export interface MeResponse {
+  user: User;
+  authenticated: boolean;
+}
+
+export interface ProvidersResponse {
+  providers: Array<{
+    name: string;
+    email: string;
+    connectedAt: string;
+  }>;
+}
+
+/**
+ * Get JWT token from localStorage
+ */
+const getToken = (): string | null => {
+  if (typeof window === 'undefined') return null;
+  return localStorage.getItem('agentage_token');
+};
+
+/**
+ * Set JWT token in localStorage
+ */
+const setToken = (token: string): void => {
+  if (typeof window === 'undefined') return;
+  localStorage.setItem('agentage_token', token);
+};
+
+/**
+ * Remove JWT token from localStorage
+ */
+const removeToken = (): void => {
+  if (typeof window === 'undefined') return;
+  localStorage.removeItem('agentage_token');
+};
+
+export const authApi = {
+  /**
+   * Get current user authentication status
+   */
+  async getAuthStatus(): Promise<AuthStatusResponse> {
+    try {
+      const token = getToken();
+      const headers: HeadersInit = {};
+
+      if (token) {
+        headers['Authorization'] = `Bearer ${token}`;
+      }
+
+      const response = await fetch(`${getApiBaseUrl()}/auth/status`, {
+        headers,
+        credentials: 'include',
+      });
+
+      if (!response.ok) {
+        return { authenticated: false };
+      }
+
+      return await response.json();
+    } catch (error) {
+      console.error('Auth status check failed:', error);
+      return { authenticated: false };
+    }
+  },
+
+  /**
+   * Get current user details
+   */
+  async getCurrentUser(): Promise<User | null> {
+    try {
+      const token = getToken();
+
+      if (!token) {
+        return null;
+      }
+
+      const response = await fetch(`${getApiBaseUrl()}/auth/me`, {
+        headers: {
+          Authorization: `Bearer ${token}`,
+        },
+        credentials: 'include',
+      });
+
+      if (!response.ok) {
+        // Token invalid, remove it
+        removeToken();
+        return null;
+      }
+
+      const data: MeResponse = await response.json();
+      return data.user;
+    } catch (error) {
+      console.error('Get user failed:', error);
+      return null;
+    }
+  },
+
+  /**
+   * Initiate OAuth login
+   */
+  loginWithProvider(provider: 'google' | 'github' | 'microsoft') {
+    window.location.href = `${getApiBaseUrl()}/auth/${provider}`;
+  },
+
+  /**
+   * Logout current user
+   */
+  async logout(): Promise<void> {
+    try {
+      const token = getToken();
+
+      if (token) {
+        await fetch(`${getApiBaseUrl()}/auth/logout`, {
+          method: 'POST',
+          headers: {
+            Authorization: `Bearer ${token}`,
+          },
+          credentials: 'include',
+        });
+      }
+    } catch (error) {
+      console.error('Logout failed:', error);
+    } finally {
+      // Always remove token and redirect
+      removeToken();
+      window.location.href = '/';
+    }
+  },
+
+  /**
+   * Get user's connected OAuth providers
+   */
+  async getProviders(): Promise<ProvidersResponse['providers']> {
+    try {
+      const token = getToken();
+
+      if (!token) {
+        return [];
+      }
+
+      const response = await fetch(`${getApiBaseUrl()}/auth/providers`, {
+        headers: {
+          Authorization: `Bearer ${token}`,
+        },
+        credentials: 'include',
+      });
+
+      if (!response.ok) {
+        return [];
+      }
+
+      const data: ProvidersResponse = await response.json();
+      return data.providers;
+    } catch (error) {
+      console.error('Get providers failed:', error);
+      return [];
+    }
+  },
+
+  /**
+   * Store JWT token from OAuth callback
+   */
+  storeToken(token: string): void {
+    setToken(token);
+  },
+
+  /**
+   * Check if user has a valid token
+   */
+  hasToken(): boolean {
+    return !!getToken();
+  },
+
+  /**
+   * Remove token
+   */
+  removeToken(): void {
+    removeToken();
+  },
+
+  /**
+   * Get token
+   */
+  getToken(): string | null {
+    return getToken();
+  },
+};
diff --git a/packages/frontend/src/lib/hooks/index.ts b/packages/frontend/src/lib/hooks/index.ts
new file mode 100644
index 0000000..77e9d9f
--- /dev/null
+++ b/packages/frontend/src/lib/hooks/index.ts
@@ -0,0 +1 @@
+export { useAuth } from './useAuth';
diff --git a/packages/frontend/src/lib/hooks/useAuth.ts b/packages/frontend/src/lib/hooks/useAuth.ts
new file mode 100644
index 0000000..9b2b8fa
--- /dev/null
+++ b/packages/frontend/src/lib/hooks/useAuth.ts
@@ -0,0 +1,45 @@
+'use client';
+
+import { useEffect, useState } from 'react';
+import { authApi, type User } from '../auth-api';
+
+export function useAuth() {
+  const [user, setUser] = useState<User | null>(null);
+  const [isAuthenticated, setIsAuthenticated] = useState(false);
+  const [isLoading, setIsLoading] = useState(true);
+
+  useEffect(() => {
+    checkAuthStatus();
+  }, []);
+
+  async function checkAuthStatus() {
+    try {
+      const currentUser = await authApi.getCurrentUser();
+      setIsAuthenticated(!!currentUser);
+      setUser(currentUser);
+    } catch (error) {
+      console.error('Auth check failed:', error);
+      setIsAuthenticated(false);
+      setUser(null);
+    } finally {
+      setIsLoading(false);
+    }
+  }
+
+  function login(provider: 'google' | 'github' | 'microsoft') {
+    authApi.loginWithProvider(provider);
+  }
+
+  async function logout() {
+    await authApi.logout();
+  }
+
+  return {
+    user,
+    isAuthenticated,
+    isLoading,
+    login,
+    logout,
+    refresh: checkAuthStatus,
+  };
+}

From 815cbe38062252a1ee0ac20201f262436429d86c Mon Sep 17 00:00:00 2001
From: Volodymyr Vreshch <vreshch@gmail.com>
Date: Fri, 21 Nov 2025 23:13:22 +0100
Subject: [PATCH 2/4] feat: add the ms login

---
 package-lock.json                             | 23 ++++++
 packages/backend/package.json                 |  2 +
 packages/backend/src/routes/auth/index.ts     | 54 ++++++++++++++
 packages/backend/src/services/app.services.ts |  5 +-
 .../src/services/oauth/oauth.service.ts       | 71 +++++++++++++++++++
 scripts/dev.sh                                |  6 +-
 6 files changed, 156 insertions(+), 5 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 8b51929..f37c1e2 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -2024,6 +2024,16 @@
         "@types/passport-oauth2": "*"
       }
     },
+    "node_modules/@types/passport-microsoft": {
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/@types/passport-microsoft/-/passport-microsoft-2.1.1.tgz",
+      "integrity": "sha512-mtxO0nUt8PSAQd1MPD4JZXacYRx9MXYCTFjKyBEarmCJYyJlKHMwBRYltBEi/zpvC6xYX0LgK1AFXp+hQI+DEw==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@types/passport-oauth2": "*"
+      }
+    },
     "node_modules/@types/passport-oauth2": {
       "version": "1.8.0",
       "resolved": "https://registry.npmjs.org/@types/passport-oauth2/-/passport-oauth2-1.8.0.tgz",
@@ -8256,6 +8266,17 @@
         "node": ">= 0.4.0"
       }
     },
+    "node_modules/passport-microsoft": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/passport-microsoft/-/passport-microsoft-2.1.0.tgz",
+      "integrity": "sha512-7bOcjEmZCHg5qD55iHaMD/mgBxPtXLbqAwmKox5IsqOSEU50WJk5nQKK4lxKdBHLZ0hf+gzrFgDsTybJP18/JA==",
+      "dependencies": {
+        "passport-oauth2": "1.8.0"
+      },
+      "engines": {
+        "node": ">= 0.4.0"
+      }
+    },
     "node_modules/passport-oauth2": {
       "version": "1.8.0",
       "resolved": "https://registry.npmjs.org/passport-oauth2/-/passport-oauth2-1.8.0.tgz",
@@ -10794,6 +10815,7 @@
         "passport": "^0.7.0",
         "passport-github2": "^0.1.12",
         "passport-google-oauth20": "^2.0.0",
+        "passport-microsoft": "^2.1.0",
         "semver": "^7.7.3",
         "zod": "^3.25.67"
       },
@@ -10807,6 +10829,7 @@
         "@types/passport": "^1.0.17",
         "@types/passport-github2": "^1.2.9",
         "@types/passport-google-oauth20": "^2.0.0",
+        "@types/passport-microsoft": "^2.1.1",
         "@types/semver": "^7.7.1",
         "@typescript-eslint/eslint-plugin": "^8.39.0",
         "@typescript-eslint/parser": "^8.39.0",
diff --git a/packages/backend/package.json b/packages/backend/package.json
index 94a7c87..ca39e87 100644
--- a/packages/backend/package.json
+++ b/packages/backend/package.json
@@ -26,6 +26,7 @@
     "passport": "^0.7.0",
     "passport-github2": "^0.1.12",
     "passport-google-oauth20": "^2.0.0",
+    "passport-microsoft": "^2.1.0",
     "semver": "^7.7.3",
     "zod": "^3.25.67"
   },
@@ -39,6 +40,7 @@
     "@types/passport": "^1.0.17",
     "@types/passport-github2": "^1.2.9",
     "@types/passport-google-oauth20": "^2.0.0",
+    "@types/passport-microsoft": "^2.1.1",
     "@types/semver": "^7.7.1",
     "@typescript-eslint/eslint-plugin": "^8.39.0",
     "@typescript-eslint/parser": "^8.39.0",
diff --git a/packages/backend/src/routes/auth/index.ts b/packages/backend/src/routes/auth/index.ts
index d7b6929..e63f472 100644
--- a/packages/backend/src/routes/auth/index.ts
+++ b/packages/backend/src/routes/auth/index.ts
@@ -133,6 +133,60 @@ export const getAuthRouter = (serviceProvider: ServiceProvider<AppServiceMap>) =
     }
   );
 
+  // ===================================================================
+  // Microsoft OAuth Routes
+  // ===================================================================
+
+  router.get('/microsoft', async (req: Request, res: Response, next) => {
+    try {
+      const logger = await serviceProvider.get('logger');
+      logger.info('Microsoft OAuth initiated', {
+        ip: req.ip,
+        userAgent: req.get('User-Agent'),
+      });
+
+      passport.authenticate('microsoft', { scope: ['user.read'] })(req, res, next);
+    } catch (error) {
+      next(error);
+    }
+  });
+
+  router.get(
+    '/microsoft/callback',
+    passport.authenticate('microsoft', { session: false, failureRedirect: '/login' }),
+    async (req: Request, res: Response, next) => {
+      try {
+        const logger = await serviceProvider.get('logger');
+        const jwtService = await serviceProvider.get('jwt');
+        const config = await serviceProvider.get('config');
+
+        if (!req.user) {
+          return res.status(401).json({ error: 'Authentication failed' });
+        }
+
+        // Generate JWT token
+        const token = jwtService.generateToken({
+          userId: req.user.id || req.user._id?.toString() || '',
+          email: req.user.email,
+          role: req.user.role,
+        });
+
+        logger.info('Microsoft OAuth callback successful - JWT generated', {
+          userId: req.user.id,
+          email: req.user.email,
+        });
+
+        // Redirect to frontend with token
+        const frontendFqdn = config.get('FRONTEND_FQDN', 'localhost:3000');
+        const protocol = process.env.NODE_ENV === 'production' ? 'https' : 'http';
+        const redirectUrl = `${protocol}://${frontendFqdn}/auth/callback?token=${token}`;
+        res.redirect(redirectUrl);
+      } catch (error) {
+        next(error);
+      }
+    }
+  );
+
   // ===================================================================
   // User Info & Management Routes (JWT-protected)
   // ===================================================================
diff --git a/packages/backend/src/services/app.services.ts b/packages/backend/src/services/app.services.ts
index 8b3a128..32be284 100644
--- a/packages/backend/src/services/app.services.ts
+++ b/packages/backend/src/services/app.services.ts
@@ -87,8 +87,9 @@ export class ServiceProvider<T extends Record<string, Service>> {
 function createConfigService(): ConfigService {
   return {
     async initialize() {
-      // Load .env file
-      require('dotenv').config();
+      // Load .env file from workspace root
+      const path = require('path');
+      require('dotenv').config({ path: path.resolve(__dirname, '../../../../.env') });
     },
     get(key: string, defaultValue = ''): string {
       return process.env[key] || defaultValue;
diff --git a/packages/backend/src/services/oauth/oauth.service.ts b/packages/backend/src/services/oauth/oauth.service.ts
index a64f7f9..0223d5c 100644
--- a/packages/backend/src/services/oauth/oauth.service.ts
+++ b/packages/backend/src/services/oauth/oauth.service.ts
@@ -1,6 +1,7 @@
 import passport from 'passport';
 import { Strategy as GitHubStrategy } from 'passport-github2';
 import { Strategy as GoogleStrategy } from 'passport-google-oauth20';
+import { Strategy as MicrosoftStrategy } from 'passport-microsoft';
 import type { ConfigService, LoggerService, Service } from '../app.services';
 import type { UserService } from '../user';
 
@@ -149,6 +150,76 @@ export const createOAuthService = (
         logger.warn('Google OAuth not configured - missing credentials');
       }
 
+      // ===================================================================
+      // Microsoft OAuth Strategy
+      // ===================================================================
+      const microsoftClientId = config.get('MICROSOFT_CLIENT_ID');
+      const microsoftClientSecret = config.get('MICROSOFT_CLIENT_SECRET');
+      const microsoftCallbackUrl = config.get('MICROSOFT_CALLBACK_URL');
+
+      if (microsoftClientId && microsoftClientSecret && microsoftCallbackUrl) {
+        logger.info('Configuring Microsoft OAuth strategy...', {
+          clientId: microsoftClientId.substring(0, 8) + '...',
+          callbackUrl: microsoftCallbackUrl,
+        });
+
+        passport.use(
+          new MicrosoftStrategy(
+            {
+              clientID: microsoftClientId,
+              clientSecret: microsoftClientSecret,
+              callbackURL: microsoftCallbackUrl,
+              scope: ['user.read'],
+            },
+            async (_accessToken, _refreshToken, profile, done) => {
+              try {
+                const email = profile.emails?.[0]?.value;
+                if (!email) {
+                  return done(new Error('No email provided by Microsoft'));
+                }
+
+                const userDoc = await user.findOrCreateUser({
+                  provider: 'microsoft',
+                  providerId: profile.id,
+                  email,
+                  name: profile.displayName || email,
+                  avatar: profile.photos?.[0]?.value,
+                });
+
+                const expressUser: Express.User = {
+                  id: userDoc._id!,
+                  _id: userDoc._id!,
+                  email: userDoc.email,
+                  displayName: userDoc.name,
+                  avatar: userDoc.avatar,
+                  providers: userDoc.providers,
+                  role: userDoc.role,
+                  createdAt: userDoc.createdAt,
+                  updatedAt: userDoc.updatedAt,
+                };
+
+                logger.info('Microsoft OAuth successful', {
+                  userId: userDoc._id,
+                  email: userDoc.email,
+                });
+
+                done(null, expressUser);
+              } catch (error) {
+                logger.error('Microsoft OAuth error', { error });
+                done(error as Error);
+              }
+            }
+          )
+        );
+        logger.info('Microsoft OAuth strategy configured');
+      } else {
+        logger.warn('Microsoft OAuth not configured - missing credentials', {
+          hasClientId: !!microsoftClientId,
+          hasClientSecret: !!microsoftClientSecret,
+          hasCallbackUrl: !!microsoftCallbackUrl,
+        });
+      }
+
       // Passport serialization (not used in stateless JWT, but required by passport)
       passport.serializeUser((user: Express.User, done) => {
         done(null, user.id || user.userId);
diff --git a/scripts/dev.sh b/scripts/dev.sh
index 6a263fd..a9e57bf 100755
--- a/scripts/dev.sh
+++ b/scripts/dev.sh
@@ -18,7 +18,7 @@ export BACKEND_API_URL="http://localhost:3001"
 if ! nc -z localhost 27017 2>/dev/null; then
     echo "🚀 Starting MongoDB for development..."
     docker compose -f docker-compose.dev.yml up -d mongodb-dev
-    
+
     # Wait for MongoDB to be ready
     echo "⏳ Waiting for MongoDB..."
     for i in {1..30}; do
@@ -28,7 +28,7 @@ if ! nc -z localhost 27017 2>/dev/null; then
         fi
         sleep 1
     done
-    
+
     if ! nc -z localhost 27017 2>/dev/null; then
         echo "❌ MongoDB failed to start"
         exit 1
@@ -40,7 +40,7 @@ fi
 # Load secrets from .env file if available (selectively, without overriding NODE_ENV)
 if [[ -f ".env" ]]; then
     echo "📄 Loading secrets from .env file..."
-    export $(grep -E "^(JWT_SECRET|JWT_EXPIRES_IN|GITHUB_CLIENT_ID|GITHUB_CLIENT_SECRET|GITHUB_CALLBACK_URL|GOOGLE_CLIENT_ID|GOOGLE_CLIENT_SECRET|GOOGLE_CALLBACK_URL|MONGODB_URI|DATABASE_URL)=" .env | xargs) > /dev/null 2>&1
+    export $(grep -E "^(JWT_SECRET|JWT_EXPIRES_IN|GITHUB_CLIENT_ID|GITHUB_CLIENT_SECRET|GITHUB_CALLBACK_URL|GOOGLE_CLIENT_ID|GOOGLE_CLIENT_SECRET|GOOGLE_CALLBACK_URL|MONGODB_URI|DATABASE_URL|MICROSOFT_CLIENT_ID|MICROSOFT_CLIENT_SECRET|MICROSOFT_CALLBACK_URL)=" .env | xargs) > /dev/null 2>&1
 fi
 
 # Build shared package first

From 944a5cd5ce0077598c45d7fb4bee109e50823667 Mon Sep 17 00:00:00 2001
From: Volodymyr Vreshch <vreshch@gmail.com>
Date: Fri, 21 Nov 2025 23:51:35 +0100
Subject: [PATCH 3/4] feat: fnalize UI

---
 .../frontend/src/app/auth/callback/page.tsx   |  3 ++
 .../frontend/src/app/contact/ContactForm.tsx  |  9 +++---
 .../src/components/auth/LoginModal.tsx        |  9 +++---
 .../frontend/src/components/auth/UserMenu.tsx |  1 -
 .../frontend/src/components/layout/Footer.tsx | 24 +++++++--------
 .../frontend/src/components/layout/Header.tsx | 30 +++++++++++--------
 packages/frontend/src/lib/hooks/useAuth.ts    | 25 ++++++++++++++++
 7 files changed, 68 insertions(+), 33 deletions(-)

diff --git a/packages/frontend/src/app/auth/callback/page.tsx b/packages/frontend/src/app/auth/callback/page.tsx
index 0118f4d..1b0d865 100644
--- a/packages/frontend/src/app/auth/callback/page.tsx
+++ b/packages/frontend/src/app/auth/callback/page.tsx
@@ -16,6 +16,9 @@ function AuthCallbackContent() {
       // Store the JWT token
       authApi.storeToken(token);
 
+      // Trigger storage event to notify other components
+      window.dispatchEvent(new Event('auth-token-changed'));
+
       // Redirect to home page
       router.push('/');
     } else {
diff --git a/packages/frontend/src/app/contact/ContactForm.tsx b/packages/frontend/src/app/contact/ContactForm.tsx
index 2a7ab98..348d556 100644
--- a/packages/frontend/src/app/contact/ContactForm.tsx
+++ b/packages/frontend/src/app/contact/ContactForm.tsx
@@ -1,5 +1,6 @@
 'use client';
 
+import Link from 'next/link';
 import { useState } from 'react';
 
 export function ContactForm() {
@@ -118,13 +119,13 @@ export function ContactForm() {
           />
           <label htmlFor="privacy" className="ml-2 text-sm text-gray-600">
             I agree to the{' '}
-            <a href="/privacy" className="text-blue-600 hover:text-blue-700">
+            <Link href="/privacy" className="text-blue-600 hover:text-blue-700">
               Privacy Policy
-            </a>{' '}
+            </Link>{' '}
             and{' '}
-            <a href="/terms" className="text-blue-600 hover:text-blue-700">
+            <Link href="/terms" className="text-blue-600 hover:text-blue-700">
               Terms of Service
-            </a>
+            </Link>
           </label>
         </div>
 
diff --git a/packages/frontend/src/components/auth/LoginModal.tsx b/packages/frontend/src/components/auth/LoginModal.tsx
index 26d0748..2d3dbc3 100644
--- a/packages/frontend/src/components/auth/LoginModal.tsx
+++ b/packages/frontend/src/components/auth/LoginModal.tsx
@@ -1,5 +1,6 @@
 'use client';
 
+import Link from 'next/link';
 import { LoginButton } from './LoginButton';
 
 interface LoginModalProps {
@@ -59,13 +60,13 @@ export const LoginModal = ({ isOpen, onClose, onLogin }: LoginModalProps) => {
           {/* Terms */}
           <p className="text-xs text-gray-500 text-center mt-6">
             By signing in, you agree to our{' '}
-            <a href="/terms" className="text-blue-600 hover:underline">
+            <Link href="/terms" className="text-blue-600 hover:underline">
               Terms of Service
-            </a>{' '}
+            </Link>{' '}
             and{' '}
-            <a href="/privacy" className="text-blue-600 hover:underline">
+            <Link href="/privacy" className="text-blue-600 hover:underline">
               Privacy Policy
-            </a>
+            </Link>
           </p>
         </div>
       </div>
diff --git a/packages/frontend/src/components/auth/UserMenu.tsx b/packages/frontend/src/components/auth/UserMenu.tsx
index 0efb639..ca10330 100644
--- a/packages/frontend/src/components/auth/UserMenu.tsx
+++ b/packages/frontend/src/components/auth/UserMenu.tsx
@@ -43,7 +43,6 @@ export const UserMenu = ({ user, onLogout }: UserMenuProps) => {
             {user.name.charAt(0).toUpperCase()}
           </div>
         )}
-        <span className="hidden md:block text-sm font-medium text-gray-700">{user.name}</span>
         <svg
           className={`w-4 h-4 text-gray-500 transition-transform ${isOpen ? 'rotate-180' : ''}`}
           fill="none"
diff --git a/packages/frontend/src/components/layout/Footer.tsx b/packages/frontend/src/components/layout/Footer.tsx
index d916317..3cb8fbb 100644
--- a/packages/frontend/src/components/layout/Footer.tsx
+++ b/packages/frontend/src/components/layout/Footer.tsx
@@ -51,14 +51,14 @@ export const Footer = () => {
               <h4 className="font-semibold text-white mb-4">Legal</h4>
               <ul className="space-y-2 text-sm">
                 <li>
-                  <a href="/privacy" className="text-gray-400 hover:text-white transition-colors">
+                  <Link href="/privacy" className="text-gray-400 hover:text-white transition-colors">
                     Privacy Policy
-                  </a>
+                  </Link>
                 </li>
                 <li>
-                  <a href="/terms" className="text-gray-400 hover:text-white transition-colors">
+                  <Link href="/terms" className="text-gray-400 hover:text-white transition-colors">
                     Terms of Service
-                  </a>
+                  </Link>
                 </li>
               </ul>
             </div>
@@ -68,14 +68,14 @@ export const Footer = () => {
               <h4 className="font-semibold text-white mb-4">Company</h4>
               <ul className="space-y-2 text-sm">
                 <li>
-                  <a href="/about" className="text-gray-400 hover:text-white transition-colors">
+                  <Link href="/about" className="text-gray-400 hover:text-white transition-colors">
                     About
-                  </a>
+                  </Link>
                 </li>
                 <li>
-                  <a href="/contact" className="text-gray-400 hover:text-white transition-colors">
+                  <Link href="/contact" className="text-gray-400 hover:text-white transition-colors">
                     Contact
-                  </a>
+                  </Link>
                 </li>
                 <li>
                   <a
@@ -98,12 +98,12 @@ export const Footer = () => {
                 © {new Date().getFullYear()} Agentage. All rights reserved.
               </div>
               <div className="flex space-x-6 text-sm">
-                <a href="/privacy" className="text-gray-400 hover:text-white transition-colors">
+                <Link href="/privacy" className="text-gray-400 hover:text-white transition-colors">
                   Privacy Policy
-                </a>
-                <a href="/terms" className="text-gray-400 hover:text-white transition-colors">
+                </Link>
+                <Link href="/terms" className="text-gray-400 hover:text-white transition-colors">
                   Terms of Service
-                </a>
+                </Link>
               </div>
             </div>
           </div>
diff --git a/packages/frontend/src/components/layout/Header.tsx b/packages/frontend/src/components/layout/Header.tsx
index 03e4fa3..8f20490 100644
--- a/packages/frontend/src/components/layout/Header.tsx
+++ b/packages/frontend/src/components/layout/Header.tsx
@@ -33,7 +33,7 @@ const Logo = () => (
 export const Header = () => {
   const [isMobileMenuOpen, setIsMobileMenuOpen] = useState(false);
   const [isLoginModalOpen, setIsLoginModalOpen] = useState(false);
-  const { user, isAuthenticated, isLoading, login, logout } = useAuth();
+  const { user, isAuthenticated, isLoading, isMounted, login, logout } = useAuth();
 
   const toggleMobileMenu = () => {
     setIsMobileMenuOpen(!isMobileMenuOpen);
@@ -52,12 +52,12 @@ export const Header = () => {
               </span>
             </div>
             <div className="flex items-center space-x-4">
-              <a href="/privacy" className="text-gray-500 hover:text-blue-600 transition-colors">
+              <Link href="/privacy" className="text-gray-500 hover:text-blue-600 transition-colors">
                 Privacy
-              </a>
-              <a href="/terms" className="text-gray-500 hover:text-blue-600 transition-colors">
+              </Link>
+              <Link href="/terms" className="text-gray-500 hover:text-blue-600 transition-colors">
                 Terms
-              </a>
+              </Link>
               <a
                 href="https://github.com/agentage/"
                 target="_blank"
@@ -129,7 +129,7 @@ export const Header = () => {
                 </svg>
                 Status
               </Link>
-              <a
+              <Link
                 href="/contact"
                 className="flex items-center px-4 py-2 text-gray-700 hover:text-blue-600 hover:bg-slate-50 rounded-xl font-medium transition-all group"
               >
@@ -147,15 +147,21 @@ export const Header = () => {
                   />
                 </svg>
                 Contact
-              </a>
+              </Link>
             </nav>
 
             {/* Right Section - Enhanced Actions */}
             <div className="flex items-center space-x-3">
               {/* Auth Section */}
-              {isLoading ? (
-                // Loading skeleton
-                <div className="w-8 h-8 rounded-full bg-gray-200 animate-pulse" />
+              {!isMounted ? (
+                // SSR: Render empty space to avoid hydration mismatch
+                <div className="w-[75px]" />
+              ) : isLoading ? (
+                // Client-side loading: Show skeleton
+                <div className="flex items-center space-x-2 px-3 py-2">
+                  <div className="w-8 h-8 rounded-full bg-gray-200 animate-pulse" />
+                  <div className="w-4 h-4 bg-gray-200 rounded animate-pulse" />
+                </div>
               ) : isAuthenticated && user ? (
                 // Authenticated: Show user menu
                 <UserMenu user={user} onLogout={logout} />
@@ -270,7 +276,7 @@ export const Header = () => {
                   </svg>
                   Status
                 </Link>
-                <a
+                <Link
                   href="/contact"
                   className="flex items-center px-4 py-3 text-gray-700 hover:text-blue-600 hover:bg-slate-50 rounded-xl font-medium transition-all group"
                   onClick={toggleMobileMenu}
@@ -289,7 +295,7 @@ export const Header = () => {
                     />
                   </svg>
                   Contact
-                </a>
+                </Link>
                 <div className="pt-4 border-t border-gray-200 space-y-3">
                   {/* Auth Section */}
                   {isAuthenticated && user ? (
diff --git a/packages/frontend/src/lib/hooks/useAuth.ts b/packages/frontend/src/lib/hooks/useAuth.ts
index 9b2b8fa..8579af4 100644
--- a/packages/frontend/src/lib/hooks/useAuth.ts
+++ b/packages/frontend/src/lib/hooks/useAuth.ts
@@ -1,5 +1,6 @@
 'use client';
 
+import { usePathname } from 'next/navigation';
 import { useEffect, useState } from 'react';
 import { authApi, type User } from '../auth-api';
 
@@ -7,11 +8,34 @@ export function useAuth() {
   const [user, setUser] = useState<User | null>(null);
   const [isAuthenticated, setIsAuthenticated] = useState(false);
   const [isLoading, setIsLoading] = useState(true);
+  const [isMounted, setIsMounted] = useState(false);
+  const pathname = usePathname();
 
   useEffect(() => {
+    setIsMounted(true);
     checkAuthStatus();
+
+    // Listen for auth token changes (e.g., after OAuth callback)
+    const handleAuthChange = () => {
+      checkAuthStatus();
+    };
+
+    window.addEventListener('auth-token-changed', handleAuthChange);
+    window.addEventListener('storage', handleAuthChange);
+
+    return () => {
+      window.removeEventListener('auth-token-changed', handleAuthChange);
+      window.removeEventListener('storage', handleAuthChange);
+    };
   }, []);
 
+  // Refresh auth status when pathname changes (e.g., after redirect from callback)
+  useEffect(() => {
+    if (pathname === '/' && authApi.hasToken()) {
+      checkAuthStatus();
+    }
+  }, [pathname]);
+
   async function checkAuthStatus() {
     try {
       const currentUser = await authApi.getCurrentUser();
@@ -38,6 +62,7 @@ export function useAuth() {
     user,
     isAuthenticated,
     isLoading,
+    isMounted,
     login,
     logout,
     refresh: checkAuthStatus,

From bbde51182c1423ffce5c63c2fd2713461437666c Mon Sep 17 00:00:00 2001
From: Volodymyr Vreshch <vreshch@gmail.com>
Date: Fri, 21 Nov 2025 23:53:39 +0100
Subject: [PATCH 4/4] fix: add type annotations to Microsoft OAuth strategy

---
 packages/backend/src/services/oauth/oauth.service.ts | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/packages/backend/src/services/oauth/oauth.service.ts b/packages/backend/src/services/oauth/oauth.service.ts
index 0223d5c..9a828af 100644
--- a/packages/backend/src/services/oauth/oauth.service.ts
+++ b/packages/backend/src/services/oauth/oauth.service.ts
@@ -171,7 +171,12 @@ export const createOAuthService = (
               callbackURL: microsoftCallbackUrl,
               scope: ['user.read'],
             },
-            async (_accessToken, _refreshToken, profile, done) => {
+            async (
+              _accessToken: string,
+              _refreshToken: string,
+              profile: any,
+              done: (error: Error | null, user?: Express.User | false) => void
+            ) => {
               try {
                 const email = profile.emails?.[0]?.value;
                 if (!email) {