Stories no longer wrap with QueryClientProvider, ToastProvider,
ThemeProvider, or MemoryRouter; global StorybookDecorator provides them.
- Route-specific pages use parameters.router.initialEntries
(ResetPasswordPage, VerifyEmailPage) or minimal MemoryRouter+Route
where useParams is needed (TrackDetailPage, PlaylistDetailPage).
- Stories that seeded query cache use useQueryClient() from global
decorator (FollowButton, CollaboratorManagement, CommentSection).
- Navbar, AuthLayout, DashboardLayout, Header, and 25+ story files
simplified to layout divs only.
Co-authored-by: Cursor <cursoragent@cursor.com>
WithError and WithCustomFallback set parameters.storybookAudit.expectConsoleErrors
so audit/CI can treat their console errors as intentional (failure demo).
Co-authored-by: Cursor <cursoragent@cursor.com>
Prevent external asset requests during Storybook so no network
dependency and deterministic rendering. Return 1x1 SVG placeholder.
Co-authored-by: Cursor <cursoragent@cursor.com>
- auth/me: return data.user so authService.getCurrentUser() gets response.data.user
- Add GET /api/v1/dashboard for dashboardService (stats, recent_activity, library_preview)
- Add GET /api/v1/sessions/stats for sessionsApi
- Add GET /api/v1/roles and /roles/:id for admin views
- Remove console.log from audit/stats handler
Co-authored-by: Cursor <cursoragent@cursor.com>
Set VITE_STORYBOOK=true for storybook dev/build so the logger never
sends POST to /logs/frontend in the isolated UI environment. Prevents
94+ failed network requests in audit and keeps Storybook hermetic.
Co-authored-by: Cursor <cursoragent@cursor.com>
Added isAuthReady state to prevent router from rendering before auth
state is initialized. This eliminates login redirect loops and ensures
deterministic auth behavior.
Changes:
- Added isAuthReady state (default: false)
- New useEffect to initialize auth before rendering
- Waits for refreshUser() to complete if tokens exist
- Shows loading screen while auth is initializing
- Always sets isAuthReady=true in finally block
Loading screen:
- Simple centered spinner with "Chargement..." text
- Uses Tailwind classes for styling
- Matches app theme (bg-background, text-muted-foreground)
Behavior:
- App loads → Check for tokens → If yes, await refreshUser()
- Only after auth check completes, render router
- Prevents "flash of login page" for authenticated users
- Eliminates race condition: router no longer renders before auth ready
Impact: Fixes intermittent login loops, improves UX on page refresh.
Fixes: P1.2 from audit AUDIT_TEMP_29_01_2026.md
Added response interceptor to handle 403 errors caused by expired or
invalid CSRF tokens. When a mutation fails with 403, the interceptor:
1. Detects if error is CSRF-related (checks error message for csrf/token/forbidden)
2. Refreshes the CSRF token via csrfService.ensureToken()
3. Updates request headers with new token
4. Retries the request once
Features:
- Only retries once per request (via _csrfRetry flag)
- Skips retry for /csrf-token and /auth/* endpoints
- Logs all CSRF refresh attempts for debugging
- Falls through to original error if refresh fails
- Handles both error.error and error.message formats
TypeScript fixes:
- Cast originalRequest to any for _csrfRetry property
- Safely access error data with type checking
Impact: Eliminates 403 errors on POST/PUT/DELETE when CSRF token expires.
Users no longer need to manually refresh page to get new CSRF token.
Fixes: P1.3 from audit AUDIT_TEMP_29_01_2026.md
Added refresh attempt counter with MAX_REFRESH_ATTEMPTS=3 to prevent
infinite refresh loops when token refresh repeatedly fails.
Changes:
- Added refreshAttempts counter and MAX_REFRESH_ATTEMPTS constant
- Check counter before attempting refresh, logout if max reached
- Increment counter on each refresh attempt
- Reset counter to 0 on successful refresh
- Log attempt number in all refresh-related logs
- Show user-friendly error message after max attempts
Behavior:
- After 3 failed refresh attempts, user is logged out automatically
- Prevents infinite 401 → refresh → 401 loops
- Uses logoutLocal() to avoid triggering another API call
- Displays clear error message: "Session expired after multiple attempts"
Impact: Eliminates infinite refresh loops, improves UX on persistent auth failures.
Fixes: P1.4 from audit AUDIT_TEMP_29_01_2026.md
- Update Sidebar to use Design System Button component and consistent styling
- Refactor LibraryPage to use Card variants (glass/gaming) for track grid
- Ensure consistent button usage across key UI components
- Fix type errors in DashboardPage
- Refactor DashboardPage to use StatCard, new Button variants, and glassmorphism cards
- Update DashboardLayout to include AstralBackground for premium visual effect
- Style GlobalPlayer with glass-hud utility classes
- Fix type errors in LoginPage by using local Card shim
- Refactor Navbar, ChatInput, RegisterPage, and CreatePlaylistDialog to use @veza/design-system components
- Shim local UI components (Button, Input, Card) to align with Design System API and styles
- Fix hundreds of type errors by exporting missing components (SearchInput, FileUpload) and adding missing props (icon, variant)
