Web App Authentication Path
- user signs in via Supabase Auth
- frontend keeps session state in auth context
- API requests include bearer token
- backend validates token in /server/middleware/auth.ts
- backend maps identity to local user and enforces authorization
Extension Authentication Path
- extensions sync authenticated state from DealDash app context
- extension API calls send bearer token
- backend validates tokens with same middleware rules
Sensitive Coupling Points
- CORS/origin allowlist in /server/index.ts
- token parsing/verification logic in auth middleware
- extension auth sync storage and refresh behavior
Required Checks for Auth Changes
- unauthorized/expired token handling
- cross-surface parity (web + extension)
- no public route leakage of private data
- integration/e2e coverage for changed flows