Labels: enhancement (New feature or request)
Description
Objective
As a proof of concept for the broader migration, refactor authentication functionality to use a direct client-to-backend API integration in the SvelteKit (Svelte 5) frontend. This will validate our new architecture and inform the full migration process.
Scope
- Refactor `ApiService.ts` into an object-oriented client API service that can be instantiated in both SSR and browser contexts.
- Implement `createClientApiClient()`, ensuring the instantiation logic fits the requirements for client-only authentication.
- Integrate robust client-side access token management:
  - Ensure refresh tokens are handled only via backend http-only cookies.
  - Harden the logic for token renewal, race condition handling, and fallback strategies.
- Update authentication flows (e.g., login, logout, session refresh) to use new direct API methods.
- Remove reliance on SvelteKit remote functions or server-only utilities for authentication.
- Remove/harden any server-side authentication artifacts (for this flow) as necessary.
- Leave all the old logic in place—ensure the new approach is additive, not destructive, to enable progressive migration and POC validation.
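The token-management items in the Scope list (access token held in memory, refresh only through the backend's http-only cookie, a single shared renewal when several requests hit 401 at once, a fallback when renewal fails, and a factory that creates one instance per context) as an added TypeScript example. This is not the project's `ApiService.ts`; the class and function names, the `/auth/login` and `/auth/refresh` endpoints, the `onSessionLost` callback and the in-memory fake backend are all assumptions made for the example.

```typescript
// Added example, not the project's ApiService.ts. ApiClient, createClientApiClient,
// /auth/login, /auth/refresh and onSessionLost are assumed names.
type HeaderMap = Record<string, string>;
interface ReqInit { method?: string; headers?: HeaderMap; credentials?: "include" | "omit"; body?: string }
interface Resp { status: number; json(): Promise<unknown> }
// Minimal fetch-like signature so SvelteKit's `fetch` (or a fake) can be injected.
type FetchLike = (url: string, init: ReqInit) => Promise<Resp>;

class ApiClient {
  private readonly fetchImpl: FetchLike;
  private readonly baseUrl: string;
  private readonly onSessionLost: () => void;
  private accessToken: string | null = null;                       // memory only, never localStorage
  private refreshInFlight: Promise<string | null> | null = null;   // single-flight refresh

  constructor(fetchImpl: FetchLike, baseUrl: string, onSessionLost: () => void) {
    this.fetchImpl = fetchImpl; this.baseUrl = baseUrl; this.onSessionLost = onSessionLost;
  }

  getAccessToken(): string | null { return this.accessToken; }

  async login(username: string, password: string): Promise<void> {
    // credentials: "include" lets the backend set the http-only refresh cookie;
    // only the short-lived access token travels in the response body.
    const res = await this.fetchImpl(`${this.baseUrl}/auth/login`, {
      method: "POST", credentials: "include",
      headers: { "content-type": "application/json" },
      body: JSON.stringify({ username, password }),
    });
    if (res.status !== 200) throw new Error(`login failed: ${res.status}`);
    this.accessToken = ((await res.json()) as { accessToken: string }).accessToken;
  }

  // Concurrent 401s share one refresh request. The browser attaches the cookie;
  // this code never reads it.
  private refresh(): Promise<string | null> {
    if (this.refreshInFlight) return this.refreshInFlight;
    const p = (async (): Promise<string | null> => {
      try {
        const res = await this.fetchImpl(`${this.baseUrl}/auth/refresh`, { method: "POST", credentials: "include" });
        if (res.status !== 200) return null;
        return ((await res.json()) as { accessToken: string }).accessToken;
      } catch { return null; }                 // network failure counts as "could not renew"
    })();
    this.refreshInFlight = p;
    const clear = () => { if (this.refreshInFlight === p) this.refreshInFlight = null; };
    p.then(clear, clear);
    return p;
  }

  async request<T = unknown>(path: string, init: ReqInit = {}): Promise<T> {
    const send = (token: string | null) => this.fetchImpl(`${this.baseUrl}${path}`, {
      ...init, headers: { ...(init.headers ?? {}), ...(token ? { authorization: `Bearer ${token}` } : {}) },
    });
    const sentWith = this.accessToken;
    let res = await send(sentWith);
    if (res.status === 401) {
      let token = this.accessToken;
      // Fallback 1: another call already renewed the token while this one was in flight.
      if (token === null || token === sentWith) {
        token = await this.refresh();
        if (token === null) {                  // Fallback 2: renewal failed, drop the session
          this.accessToken = null;
          this.onSessionLost();
          throw new Error("session expired");
        }
        this.accessToken = token;
      }
      res = await send(token);                 // retry exactly once with the renewed token
    }
    if (res.status >= 400) throw new Error(`${path} failed: ${res.status}`);
    return (await res.json()) as T;
  }
}

// One instance per server request / per browser page: a module-level singleton that
// holds an access token on the SSR side would mix tokens between users.
function createClientApiClient(fetchImpl: FetchLike, baseUrl: string, onSessionLost: () => void): ApiClient {
  return new ApiClient(fetchImpl, baseUrl, onSessionLost);
}

// Constructed in-memory backend standing in for the real API (not a real server).
function makeFakeBackend() {
  let n = 1, valid = "access-1", refreshCalls = 0, cookieOk = true;
  const ok = (body: unknown): Resp => ({ status: 200, json: async () => body });
  const deny: Resp = { status: 401, json: async () => ({}) };
  const fetchImpl: FetchLike = async (url, init) => {
    if (url.endsWith("/auth/login")) return ok({ accessToken: valid });
    if (url.endsWith("/auth/refresh")) {
      refreshCalls++;
      if (!cookieOk || init.credentials !== "include") return deny;   // cookie absent or revoked
      valid = `access-${++n}`;
      return ok({ accessToken: valid });
    }
    return (init.headers?.authorization ?? "") === `Bearer ${valid}` ? ok({ ok: true }) : deny;
  };
  return { fetchImpl, expireAccess: () => { valid = `access-${++n}`; },
           revokeRefresh: () => { cookieOk = false; }, refreshCalls: () => refreshCalls };
}

async function demo() {
  const backend = makeFakeBackend();
  let lost = 0;
  const client = createClientApiClient(backend.fetchImpl, "https://api.example.test", () => { lost++; });
  await client.login("alice", "constructed-password");
  const me = (await client.request<{ ok: boolean }>("/me")).ok;
  backend.expireAccess();                      // access token expires server-side
  const renewed = (await Promise.all([client.request("/a"), client.request("/b"), client.request("/c")])).length;
  const refreshCalls = backend.refreshCalls();  // three 401s, one refresh
  backend.expireAccess(); backend.revokeRefresh();
  let expired = false;
  try { await client.request("/d"); } catch { expired = true; }
  return { me, renewed, refreshCalls, expired, lost, tokenCleared: client.getAccessToken() === null };
}

demo().then((r) => console.log(r));
```

Two checks worth keeping in review: nothing in the client touches `document.cookie` (the refresh cookie stays http-only and is only ever sent by the browser to `/auth/refresh` with `credentials: "include"`), and the factory is called per request on the server and per page in the browser rather than once at module load.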
Acceptance Criteria
- Authentication and token handling occur strictly through the new client API, not through SvelteKit remote functions.
- Secure http-only cookie use for refresh token is preserved.
- Access token management works end-to-end (login, usage in requests, renewal, error cases).
- No regressions in authentication flows or security.
- Code reviewed and POC validated as reference for future migration steps.