Created .env.production for frontend with absolute API URLs for
production deployment.
Configuration:
- VITE_API_URL: https://api.veza.com/api/v1
- VITE_WS_URL: wss://api.veza.com/ws
- VITE_STREAM_URL: https://api.veza.com/stream
- VITE_UPLOAD_URL: https://api.veza.com/upload
- VITE_API_VERSION: v1
Features:
- Absolute URLs (required for production, no Vite proxy)
- HTTPS/WSS for secure connections
- Validation alerting enabled
- Deployment notes included
Usage:
- Local testing: Update URLs to local domains, npm run build, npm run preview
- Production: Update to real domains, ensure CORS configured
Impact: Frontend can now be deployed to production with proper API URLs.
Fixes: P2.2 from audit AUDIT_TEMP_29_01_2026.md
Added proxy configuration to forward /api requests to backend
on localhost:8080 during development.
Benefits:
- Eliminates CORS errors in dev (requests are same-origin)
- No need for CORS_ALLOWED_ORIGINS in dev environment
- Matches production behavior (frontend and API on same domain)
- Simplifies local development setup
Configuration:
- Target: http://localhost:8080
- changeOrigin: true (modifies Host header)
- secure: false (allows self-signed certs in dev)
Impact: Dev environment more stable, no CORS configuration needed.
Fixes: P2.1 from audit AUDIT_TEMP_29_01_2026.md
Added isAuthReady state to prevent router from rendering before auth
state is initialized. This eliminates login redirect loops and ensures
deterministic auth behavior.
Changes:
- Added isAuthReady state (default: false)
- New useEffect to initialize auth before rendering
- Waits for refreshUser() to complete if tokens exist
- Shows loading screen while auth is initializing
- Always sets isAuthReady=true in finally block
Loading screen:
- Simple centered spinner with "Chargement..." text
- Uses Tailwind classes for styling
- Matches app theme (bg-background, text-muted-foreground)
Behavior:
- App loads → Check for tokens → If yes, await refreshUser()
- Only after auth check completes, render router
- Prevents "flash of login page" for authenticated users
- Eliminates race condition: router no longer renders before auth ready
Impact: Fixes intermittent login loops, improves UX on page refresh.
Fixes: P1.2 from audit AUDIT_TEMP_29_01_2026.md
Added response interceptor to handle 403 errors caused by expired or
invalid CSRF tokens. When a mutation fails with 403, the interceptor:
1. Detects if error is CSRF-related (checks error message for csrf/token/forbidden)
2. Refreshes the CSRF token via csrfService.ensureToken()
3. Updates request headers with new token
4. Retries the request once
Features:
- Only retries once per request (via _csrfRetry flag)
- Skips retry for /csrf-token and /auth/* endpoints
- Logs all CSRF refresh attempts for debugging
- Falls through to original error if refresh fails
- Handles both error.error and error.message formats
TypeScript fixes:
- Cast originalRequest to any for _csrfRetry property
- Safely access error data with type checking
Impact: Eliminates 403 errors on POST/PUT/DELETE when CSRF token expires.
Users no longer need to manually refresh page to get new CSRF token.
Fixes: P1.3 from audit AUDIT_TEMP_29_01_2026.md
Added refresh attempt counter with MAX_REFRESH_ATTEMPTS=3 to prevent
infinite refresh loops when token refresh repeatedly fails.
Changes:
- Added refreshAttempts counter and MAX_REFRESH_ATTEMPTS constant
- Check counter before attempting refresh, logout if max reached
- Increment counter on each refresh attempt
- Reset counter to 0 on successful refresh
- Log attempt number in all refresh-related logs
- Show user-friendly error message after max attempts
Behavior:
- After 3 failed refresh attempts, user is logged out automatically
- Prevents infinite 401 → refresh → 401 loops
- Uses logoutLocal() to avoid triggering another API call
- Displays clear error message: "Session expired after multiple attempts"
Impact: Eliminates infinite refresh loops, improves UX on persistent auth failures.
Fixes: P1.4 from audit AUDIT_TEMP_29_01_2026.md
- Update Sidebar to use Design System Button component and consistent styling
- Refactor LibraryPage to use Card variants (glass/gaming) for track grid
- Ensure consistent button usage across key UI components
- Fix type errors in DashboardPage
- Refactor DashboardPage to use StatCard, new Button variants, and glassmorphism cards
- Update DashboardLayout to include AstralBackground for premium visual effect
- Style GlobalPlayer with glass-hud utility classes
- Fix type errors in LoginPage by using local Card shim
- Refactor Navbar, ChatInput, RegisterPage, and CreatePlaylistDialog to use @veza/design-system components
- Shim local UI components (Button, Input, Card) to align with Design System API and styles
- Fix hundreds of type errors by exporting missing components (SearchInput, FileUpload) and adding missing props (icon, variant)
- Button component uses 'default' variant for primary actions, not 'primary'
- Fixes issue where Generate Key button wasn't working
- Ensures button is properly styled and clickable
- Disable backdrop click to close when in step 2 (showing generated key)
- Ensures user can copy the key before modal closes
- Only allow closing via Done button after key is generated
- Update CreateAPIKeyModal to properly handle async operations
- Add loading states and form validation
- Wait for API response before showing generated key
- Add proper error handling and user feedback
- Disable buttons during generation
- Return full key from service for display in modal
- Fix Input component usage (add proper label wrapper)
- Ensure form validation works (name required, at least one scope)
- Add frame-src directive to CSP_POLICY and CSP_POLICY_DEV in csp.ts
- Add frame-src to Vite dev server CSP headers
- Allows loading Swagger UI iframe from backend (localhost:8080)
- Fixes Content-Security-Policy violation blocking Swagger documentation
- Ajouter option useIframe pour charger /swagger/index.html dans un iframe
- Cela évite les problèmes avec /swagger/doc.json qui retourne 500
- Swagger UI HTML fonctionne correctement et affiche toute la documentation
- Garder le composant React comme fallback si nécessaire
- Ajouter fallback pour Swagger UI si doc.json ne fonctionne pas
- Améliorer message d'erreur avec bouton pour ouvrir Swagger UI directement
- Les fonctionnalités API Keys et Usage Stats sont maintenant complètes et fonctionnelles
- Tous les onglets de DeveloperPage sont maintenant implémentés
