feat(meetings): add join URL endpoint and simplify auth middleware

[asithade]

Summary

This PR implements two key features:

1. Meeting Join URL Endpoint (LFXV2-417):

   • Adds GET /api/meetings/:uid/join-url endpoint for fetching meeting join URLs
   • Updates public meeting controller to automatically fetch join URLs for public meetings

2. Authentication Middleware Simplification (LFXV2-452):

   • Consolidates redundant authentication middleware layers
   • Removes duplicate authContext creation in favor of using req.oidc directly
   • Improves maintainability and reduces complexity

Changes Made

Meeting Join URL Feature

• ✅ Created MeetingJoinURL interface in shared package for type safety
• ✅ Implemented getMeetingJoinUrl() service method using microservice proxy
• ✅ Added getMeetingJoinUrl() controller method with validation and logging
• ✅ Updated public meeting controller to fetch join URLs for public meetings with graceful error handling

Authentication Middleware Simplification

• ✅ Removed redundant authContext creation from unified auth middleware
• ✅ Updated AuthMiddlewareResult interface to remove authContext property
• ✅ Removed RequestWithAuth interface and switched to standard Express Request
• ✅ Deleted obsolete auth-token.middleware.ts and protected-routes.middleware.ts
• ✅ Created unified auth.middleware.ts focused on routing decisions only
• ✅ Added comprehensive debug logging for authentication troubleshooting

Technical Details

API Endpoint

GET /api/meetings/:uid/join-url
Response: { "join_url": "https://..." }

Authentication Flow

1. OIDC middleware populates req.oidc with authentication state
2. Unified auth middleware makes routing decisions based on req.oidc
3. Angular SSR handler creates auth object for Angular dependency injection only

Debug Logging

Enhanced logging now shows:

• OIDC authentication status and token presence
• Cookie and header information for debugging
• Step-by-step authentication decision process

Test Plan

• Build passes successfully
• All linting and type checking passes
• License headers validated
• Manual testing of join URL endpoint
• Manual testing of authentication flows
• Verify debug logging output

Related Issues

• Implements LFXV2-417: Meeting join URL endpoint
• Implements LFXV2-452: Authentication middleware simplification

[coderabbitai]

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

Adds a global, configurable route-based OIDC auth middleware replacing legacy per-route middleware; exposes GET /meetings/:uid/join-url with service and shared-interface support; updates public/public-password meeting flows to optionally attach join_url and call services with access=false; refactors microservice proxy and API client, removes legacy auth-token/protected-routes middleware, tweaks client auth interceptor and meeting UI, and updates VSCode settings. MeetingController contains a duplicated getMeetingJoinUrl insertion.

Changes

Cohort / File(s)	Summary
Editor config \.vscode/settings.json	Added "angular.enable-strict-mode-prompt": false and fixed JSON separation.
Frontend — meeting UI apps/lfx-pcc/src/app/modules/meeting/meeting.component.html	Removed explanatory text, changed join row alignment, disabled Join button when joinForm.invalid.
Frontend — route guards & routes apps/lfx-pcc/src/app/app.routes.ts, apps/lfx-pcc/src/app/shared/guards/auth.guard.ts	Added authGuard CanActivateFn and applied canActivate: [authGuard] to home and project routes.
Frontend — interceptor apps/lfx-pcc/src/app/shared/interceptors/authentication.interceptor.ts	Extend matching to /public/api/ and /api/; when authenticated clone request with withCredentials: true and add Cookie header from cookieService.getAll().
Server — new global auth middleware & types apps/lfx-pcc/src/server/middleware/auth.middleware.ts, packages/shared/src/interfaces/auth.interface.ts	Added configurable auth middleware (route classification, checkAuthentication, token extraction, decision engine, executeAuthDecision) and exported createAuthMiddleware / authMiddleware; added auth-related shared interfaces/types.
Server — removed legacy middleware apps/lfx-pcc/src/server/middleware/auth-token.middleware.ts, apps/lfx-pcc/src/server/middleware/protected-routes.middleware.ts	Deleted legacy bearer-token extractor and protected-routes middleware.
Server bootstrap & routes apps/lfx-pcc/src/server/server.ts, apps/lfx-pcc/src/server/routes/meetings.route.ts	Apply global authMiddleware (app.use(authMiddleware)), remove per-route extractBearerToken, reorder/mount API routes (added /api/committees, /api/meetings, /api/past-meetings), add centralized API error handler, and add GET /meetings/:uid/join-url route.
Server — meeting controllers (public + main) apps/lfx-pcc/src/server/controllers/meeting.controller.ts, apps/lfx-pcc/src/server/controllers/public-meeting.controller.ts	Added getMeetingJoinUrl handler (duplicated insertion present); public controller now calls getMeetingJoinUrl(req, id) in PUBLIC and password flows, attaches optional join_url when available, logs OIDC/debug info, and returns trimmed project payload.
Server — meeting & project services + interface apps/lfx-pcc/src/server/services/meeting.service.ts, apps/lfx-pcc/src/server/services/project.service.ts, packages/shared/src/interfaces/meeting.interface.ts	Added MeetingJoinURL interface and getMeetingJoinUrl(req, meetingUid) in MeetingService; getMeetings/getMeetingById and getProjectById gain optional access flag (default true) to skip access augmentation when false.
Server — microservice proxy & API client apps/lfx-pcc/src/server/services/microservice-proxy.service.ts, apps/lfx-pcc/src/server/services/api-client.service.ts	Inlined apiClient initialization, removed constructor and executeRequest wrapper, call apiClient.request directly; makeRequest now conditionally includes Authorization header only when a bearerToken is provided; added proxy debug logging.
Security util rename apps/lfx-pcc/src/server/utils/security.util.ts	Removed validatePasscode; callers updated to use validatePassword.
CI workflow .github/workflows/e2e-tests.yml	Removed pre-test yarn build step so workflow runs e2e tests without building beforehand.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant B as Browser / Client
  participant S as Server
  participant A as Auth Middleware
  participant O as OIDC Provider
  Note over S,A: Global auth middleware applied to incoming requests
  B->>S: HTTP request (SSR or API)
  S->>A: classify route & check req.oidc
  A->>A: extract token (if present) & decide (public/optional/required)
  alt SSR required & unauthenticated
    A-->>B: 302 Redirect to login
    B->>O: Login flow
  else API required & unauthenticated
    A-->>B: 401 AuthenticationError
  else allowed
    A-->>S: next() (req.bearerToken maybe populated)
    S->>S: route handler executes
    S-->>B: response
  end

Loading

sequenceDiagram
  autonumber
  participant C as Client
  participant S as Server
  participant M as MeetingService
  participant P as Microservice Proxy
  C->>S: GET /meetings/:uid/join-url
  S->>M: getMeetingJoinUrl(req, uid)
  M->>P: proxy request -> /meetings/{uid}/join_url
  P-->>M: { join_url } or error
  M-->>S: join_url (optional)
  S-->>C: 200 { join_url } or 200 with meeting without join_url

Loading

sequenceDiagram
  autonumber
  participant C as Client
  participant S as Server
  participant Pub as PublicMeetingController
  participant MS as MeetingService
  participant PS as ProjectService
  participant Proxy as Microservice Proxy
  C->>S: GET /public/api/meetings/:id
  S->>Pub: handler
  Pub->>MS: getMeetingById(req, id, 'meeting', false)
  MS->>Proxy: fetch meeting
  Proxy-->>MS: meeting
  MS-->>Pub: meeting (no access fields)
  Pub->>PS: getProjectById(req, meeting.project_uid, false)
  PS->>Proxy: fetch project
  Proxy-->>PS: project
  PS-->>Pub: project (trimmed: name, slug, logo_url)
  Pub->>MS: getMeetingJoinUrl(req, id)
  MS->>Proxy: fetch join_url
  Proxy-->>MS: join_url or error
  MS-->>Pub: attach optional join_url
  Pub-->>C: 200 { meeting (+/- join_url), project }

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60–90 minutes

Possibly related PRs

• fix(meetings): query service tag filtering and committee data handling #74 — Modifies meeting controller/service/interfaces and frontend meeting components; likely to overlap on join-URL and meeting domain changes.
• feat(api): add past-meetings endpoints and frontend integration #78 — Adjusts MeetingService method signatures (getMeetings/getMeetingById); direct signature overlap risk.
• feat(ui): implement meeting join dashboard with public access #69 — Touches public meeting join flow, controllers, middleware, and meeting UI; high chance of code-level conflicts.

Pre-merge checks (4 passed, 1 warning)

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Out of Scope Changes Check	⚠️ Warning	The pull request includes front-end edits—such as disabling strict mode in VSCode settings, modifying meeting.component.html, introducing an Angular authGuard and route guard, and adjusting the CI workflow—which are not part of the backend join URL endpoint or authentication middleware consolidation objectives defined in the linked issues.	Please remove or separate the unrelated front-end VSCode, component, route guard, and workflow changes into a separate pull request to keep this changeset focused on the backend join URL endpoint and auth middleware simplification.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The title clearly and concisely summarizes the two primary changes—adding the join URL endpoint and simplifying the authentication middleware—by referencing the affected feature area with “feat(meetings)” and avoiding extraneous detail, so it accurately reflects the main scope of the pull request.
Linked Issues Check	✅ Passed	The pull request fully implements the GET join URL endpoint with route, service, controller, input validation, structured logging, and error handling as outlined in LFXV2-417, and it consolidates and streamlines authentication by removing redundant authContext logic, updating interfaces, and centralizing routing decisions in line with LFXV2-452’s acceptance criteria.
Description Check	✅ Passed	The description provides a structured overview of both the join URL endpoint and authentication middleware simplification, outlines specific file and behavior changes, and references relevant issue numbers, making it directly related and informative for the changeset.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

✨ Finishing Touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/LFXV2-417

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull Request Overview

This PR implements a meeting join URL endpoint and simplifies authentication middleware for better maintainability. The changes focus on providing join URLs for meetings while consolidating redundant authentication layers.

Key changes:

• Adds a new API endpoint GET /api/meetings/:uid/join-url for fetching meeting join URLs
• Replaces multiple authentication middleware files with a unified auth.middleware.ts
• Updates public meeting controller to automatically fetch join URLs with graceful error handling

Reviewed Changes

Copilot reviewed 15 out of 15 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
packages/shared/src/interfaces/meeting.interface.ts	Adds MeetingJoinURL interface for type safety
packages/shared/src/interfaces/auth.interface.ts	Adds comprehensive auth middleware interfaces and types
apps/lfx-pcc/src/server/services/meeting.service.ts	Adds getMeetingJoinUrl service method and optional access parameter
apps/lfx-pcc/src/server/services/microservice-proxy.service.ts	Simplifies constructor and removes redundant executeRequest method
apps/lfx-pcc/src/server/middleware/auth.middleware.ts	Creates unified authentication middleware with comprehensive routing logic
apps/lfx-pcc/src/server/controllers/meeting.controller.ts	Implements getMeetingJoinUrl controller method with validation
apps/lfx-pcc/src/server/controllers/public-meeting.controller.ts	Updates to fetch join URLs for public meetings with error handling
apps/lfx-pcc/src/server/routes/meetings.route.ts	Adds new join-url endpoint route
apps/lfx-pcc/src/server/server.ts	Replaces old middleware with unified auth middleware
apps/lfx-pcc/src/app/shared/interceptors/authentication.interceptor.ts	Extends authentication to include public API routes

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[coderabbitai]

Actionable comments posted: 7

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

apps/lfx-pcc/src/app/shared/interceptors/authentication.interceptor.ts (1)

19-31: The UserService signal is never set in this codebase (no authenticated.set(…) calls or login methods), so userService.authenticated() always returns false—meaning cookies are never forwarded for any /api/ or /public/api/ request. You’ll need to implement and call a method that updates authenticated (e.g. after SSR reads cookies) before this interceptor will forward credentials.

apps/lfx-pcc/src/server/services/meeting.service.ts (1)

42-64: Avoid logging full meeting objects; potential PII/secret leakage (e.g., passwords, join_url).

req.log.debug({ meetings }, 'Meetings') can leak sensitive fields. Sanitize or log counts/keys only.

Use:

-    req.log.debug({ meetings }, 'Meetings');
+    req.log.debug({ meeting_count: meetings.length }, 'Meetings fetched');

Alternatively: Logger.sanitize before logging.

🧹 Nitpick comments (12)

apps/lfx-pcc/src/app/modules/meeting/meeting.component.html (1)

260-268: Guard join button when join_url is missing and add data-testid.

• Disable button if the backend didn’t attach a join_url.
• Add data-testid per guidelines for new UI elements.

Apply:

-                    <div class="flex items-center justify-end pt-3">
-                      <lfx-button
+                    <div class="flex items-center justify-end pt-3">
+                      <lfx-button
+                        [attr.data-testid]="'join-section-join-button'"
                         size="small"
-                        [href]="meeting().join_url"
+                        [href]="meeting().join_url"
                         severity="primary"
                         label="Join Meeting"
                         icon="fa-light fa-sign-in"
-                        [disabled]="joinForm.invalid"></lfx-button>
+                        [disabled]="joinForm.invalid || !meeting()?.join_url"></lfx-button>

apps/lfx-pcc/src/server/services/microservice-proxy.service.ts (1)

30-39: Consider M2M token use for public flows.

Per team learnings, server-side calls from public endpoints should use M2M tokens. Expose a tokenStrategy option on proxy methods to select user vs M2M token and source M2M from your token service.

apps/lfx-pcc/src/server/services/project.service.ts (1)

46-80: Backwards-compatible flag looks good; small naming nit.

Param name access could be clearer (e.g., augmentAccess or includeAccess) to convey intent.

-  public async getProjectById(req: Request, projectId: string, access: boolean = true): Promise<Project> {
+  public async getProjectById(req: Request, projectId: string, augmentAccess: boolean = true): Promise<Project> {
@@
-    if (access) {
+    if (augmentAccess) {

apps/lfx-pcc/src/server/controllers/meeting.controller.ts (1)

666-667: Mark join URL responses as non-cacheable.

Join URLs are sensitive/short-lived; prevent intermediary/browser caching.

-      // Send the join URL data to the client
-      res.json(joinUrlData);
+      // Send the join URL data to the client (prevent caching)
+      res.set('Cache-Control', 'no-store, private, max-age=0');
+      res.json(joinUrlData);

apps/lfx-pcc/src/server/server.ts (1)

203-205: Redundant error handler mount.

You already have a global error handler delegating to apiErrorHandler (Lines 273-283). Keeping the path-specific app.use('/api/*', apiErrorHandler) adds complexity without clear benefit.

Apply:

-// Add API error handler middleware
-app.use('/api/*', apiErrorHandler);
+// Handled by the global error handler below

apps/lfx-pcc/src/server/services/meeting.service.ts (1)

69-107: Simplify single-meeting flow to reduce indexing mistakes and improve readability.

Operate on a single object instead of an array-of-one; keeps types clean and avoids repeated [0].

-    let meeting = resources.map((resource) => resource.data);
-
-    if (meeting[0].committees && meeting[0].committees.length > 0) {
-      meeting = await this.getMeetingCommittees(req, meeting);
-    }
-
-    if (access) {
-      // Add writer access field to the meeting
-      return await this.accessCheckService.addAccessToResource(req, meeting[0], 'meeting', 'organizer');
-    }
-
-    return meeting[0];
+    let [meeting] = resources.map((resource) => resource.data);
+
+    if (meeting.committees && meeting.committees.length > 0) {
+      [meeting] = await this.getMeetingCommittees(req, [meeting]);
+    }
+
+    if (access) {
+      return await this.accessCheckService.addAccessToResource(req, meeting, 'meeting', 'organizer');
+    }
+
+    return meeting;

apps/lfx-pcc/src/server/middleware/auth.middleware.ts (4)

249-256: Use the computed redirect URL when invoking OIDC login.

Leverage decision.redirectUrl to keep execution aligned with decision output.

-        // Use OIDC login method which handles the redirect properly
-        res.oidc.login({ returnTo: req.originalUrl });
+        // Use OIDC login method which handles the redirect properly
+        res.oidc.login({ returnTo: decision.redirectUrl ?? req.originalUrl });

---

79-83: Avoid fetching user info on every request; prefer session user first.

fetchUserInfo() incurs a network call. Use req.oidc.user if present, fetch only as fallback.

-      const user = (await req.oidc.fetchUserInfo()) ?? (req.oidc?.user as User);
+      const user = (req.oidc?.user as User) ?? (await req.oidc.fetchUserInfo());

---

258-267: Propagate statusCode from decision into the error (or remove field).

AuthDecision.statusCode is computed but not used here. Either include it in the error metadata/constructor or drop the field from the interface.

-      const error = new AuthenticationError(
+      const error = new AuthenticationError(
         decision.errorType === 'authorization' ? 'Insufficient permissions to access this resource' : 'Authentication required to access this resource',
         {
           operation: 'auth_middleware',
           service: 'authentication',
           path: req.path,
+          statusCode: decision.statusCode,
         }
       );

---

74-76: Trim cookie metadata logging.

Even cookie names can be noisy and sensitive. Consider removing unless needed for debugging.

-        cookies: Object.keys(req.cookies || {}),

packages/shared/src/interfaces/auth.interface.ts (2)

115-124: Align AuthDecision.statusCode with executor.

statusCode is defined here but not acted upon in executeAuthDecision. Either document it as informational, have the executor apply it, or remove to avoid drift.

---

69-76: Remove unused BearerTokenOptions interface (packages/shared/src/interfaces/auth.interface.ts:69–76). No references outside its own declaration; drop it to trim the public API surface.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between a78f2d5 and 93d05f0.

📒 Files selected for processing (15)

• .vscode/settings.json (1 hunks)
• apps/lfx-pcc/src/app/modules/meeting/meeting.component.html (1 hunks)
• apps/lfx-pcc/src/app/shared/interceptors/authentication.interceptor.ts (1 hunks)
• apps/lfx-pcc/src/server/controllers/meeting.controller.ts (1 hunks)
• apps/lfx-pcc/src/server/controllers/public-meeting.controller.ts (3 hunks)
• apps/lfx-pcc/src/server/middleware/auth-token.middleware.ts (0 hunks)
• apps/lfx-pcc/src/server/middleware/auth.middleware.ts (1 hunks)
• apps/lfx-pcc/src/server/middleware/protected-routes.middleware.ts (0 hunks)
• apps/lfx-pcc/src/server/routes/meetings.route.ts (1 hunks)
• apps/lfx-pcc/src/server/server.ts (2 hunks)
• apps/lfx-pcc/src/server/services/meeting.service.ts (5 hunks)
• apps/lfx-pcc/src/server/services/microservice-proxy.service.ts (3 hunks)
• apps/lfx-pcc/src/server/services/project.service.ts (2 hunks)
• packages/shared/src/interfaces/auth.interface.ts (1 hunks)
• packages/shared/src/interfaces/meeting.interface.ts (1 hunks)

💤 Files with no reviewable changes (2)

• apps/lfx-pcc/src/server/middleware/protected-routes.middleware.ts
• apps/lfx-pcc/src/server/middleware/auth-token.middleware.ts

🧰 Additional context used

📓 Path-based instructions (7)

apps/lfx-pcc/src/**/*.{ts,html}

📄 CodeRabbit inference engine (CLAUDE.md)

Use LFX wrapper components instead of importing PrimeNG components directly

Files:

• apps/lfx-pcc/src/app/modules/meeting/meeting.component.html
• apps/lfx-pcc/src/app/shared/interceptors/authentication.interceptor.ts
• apps/lfx-pcc/src/server/middleware/auth.middleware.ts
• apps/lfx-pcc/src/server/services/project.service.ts
• apps/lfx-pcc/src/server/controllers/meeting.controller.ts
• apps/lfx-pcc/src/server/routes/meetings.route.ts
• apps/lfx-pcc/src/server/services/meeting.service.ts
• apps/lfx-pcc/src/server/services/microservice-proxy.service.ts
• apps/lfx-pcc/src/server/server.ts
• apps/lfx-pcc/src/server/controllers/public-meeting.controller.ts

apps/lfx-pcc/src/**/*.html

📄 CodeRabbit inference engine (CLAUDE.md)

apps/lfx-pcc/src/**/*.html: Add data-testid attributes to new components for reliable test targeting
Follow data-testid naming convention: [section]-[component]-[element]

Files:

• apps/lfx-pcc/src/app/modules/meeting/meeting.component.html

**/*.{ts,tsx,js,jsx,html,scss,css}

📄 CodeRabbit inference engine (CLAUDE.md)

Include required license headers on all source files

Files:

• apps/lfx-pcc/src/app/modules/meeting/meeting.component.html
• apps/lfx-pcc/src/app/shared/interceptors/authentication.interceptor.ts
• apps/lfx-pcc/src/server/middleware/auth.middleware.ts
• packages/shared/src/interfaces/meeting.interface.ts
• apps/lfx-pcc/src/server/services/project.service.ts
• apps/lfx-pcc/src/server/controllers/meeting.controller.ts
• packages/shared/src/interfaces/auth.interface.ts
• apps/lfx-pcc/src/server/routes/meetings.route.ts
• apps/lfx-pcc/src/server/services/meeting.service.ts
• apps/lfx-pcc/src/server/services/microservice-proxy.service.ts
• apps/lfx-pcc/src/server/server.ts
• apps/lfx-pcc/src/server/controllers/public-meeting.controller.ts

**/*.{ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

Prefer TypeScript interfaces over union types when modeling shapes and contracts

Files:

• apps/lfx-pcc/src/app/shared/interceptors/authentication.interceptor.ts
• apps/lfx-pcc/src/server/middleware/auth.middleware.ts
• packages/shared/src/interfaces/meeting.interface.ts
• apps/lfx-pcc/src/server/services/project.service.ts
• apps/lfx-pcc/src/server/controllers/meeting.controller.ts
• packages/shared/src/interfaces/auth.interface.ts
• apps/lfx-pcc/src/server/routes/meetings.route.ts
• apps/lfx-pcc/src/server/services/meeting.service.ts
• apps/lfx-pcc/src/server/services/microservice-proxy.service.ts
• apps/lfx-pcc/src/server/server.ts
• apps/lfx-pcc/src/server/controllers/public-meeting.controller.ts

**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (CLAUDE.md)

Do not nest ternary expressions

Files:

• apps/lfx-pcc/src/app/shared/interceptors/authentication.interceptor.ts
• apps/lfx-pcc/src/server/middleware/auth.middleware.ts
• packages/shared/src/interfaces/meeting.interface.ts
• apps/lfx-pcc/src/server/services/project.service.ts
• apps/lfx-pcc/src/server/controllers/meeting.controller.ts
• packages/shared/src/interfaces/auth.interface.ts
• apps/lfx-pcc/src/server/routes/meetings.route.ts
• apps/lfx-pcc/src/server/services/meeting.service.ts
• apps/lfx-pcc/src/server/services/microservice-proxy.service.ts
• apps/lfx-pcc/src/server/server.ts
• apps/lfx-pcc/src/server/controllers/public-meeting.controller.ts

apps/lfx-pcc/src/**/*.ts

📄 CodeRabbit inference engine (CLAUDE.md)

apps/lfx-pcc/src/**/*.ts: In the Angular app, use direct imports for standalone components (no barrel imports)
When defining types for PrimeNG usage, reference PrimeNG’s component interfaces

Files:

• apps/lfx-pcc/src/app/shared/interceptors/authentication.interceptor.ts
• apps/lfx-pcc/src/server/middleware/auth.middleware.ts
• apps/lfx-pcc/src/server/services/project.service.ts
• apps/lfx-pcc/src/server/controllers/meeting.controller.ts
• apps/lfx-pcc/src/server/routes/meetings.route.ts
• apps/lfx-pcc/src/server/services/meeting.service.ts
• apps/lfx-pcc/src/server/services/microservice-proxy.service.ts
• apps/lfx-pcc/src/server/server.ts
• apps/lfx-pcc/src/server/controllers/public-meeting.controller.ts

packages/shared/src/interfaces/**/*.ts

📄 CodeRabbit inference engine (CLAUDE.md)

Place all shared interfaces in the shared package

Files:

• packages/shared/src/interfaces/meeting.interface.ts
• packages/shared/src/interfaces/auth.interface.ts

🧠 Learnings (3)

📓 Common learnings

Learnt from: CR
PR: linuxfoundation/lfx-v2-ui#0
File: CLAUDE.md:0-0
Timestamp: 2025-09-05T18:09:48.791Z
Learning: Public routes include /meeting and /public/api; use M2M tokens for server-side API calls from public endpoints

📚 Learning: 2025-09-05T18:09:48.792Z

Learnt from: CR
PR: linuxfoundation/lfx-v2-ui#0
File: CLAUDE.md:0-0
Timestamp: 2025-09-05T18:09:48.792Z
Learning: Applies to {apps/lfx-pcc/src,packages/shared/src}/**/index.ts : Avoid barrel exports; use direct imports instead of index.ts barrels

Applied to files:

• apps/lfx-pcc/src/server/server.ts

📚 Learning: 2025-09-05T18:09:48.791Z

Learnt from: CR
PR: linuxfoundation/lfx-v2-ui#0
File: CLAUDE.md:0-0
Timestamp: 2025-09-05T18:09:48.791Z
Learning: Public routes include /meeting and /public/api; use M2M tokens for server-side API calls from public endpoints

Applied to files:

• apps/lfx-pcc/src/server/server.ts

🧬 Code graph analysis (7)

apps/lfx-pcc/src/server/middleware/auth.middleware.ts (2)

packages/shared/src/interfaces/auth.interface.ts (5)

• RouteAuthConfig (100-109)
• AuthConfig (145-152)
• User (8-41)
• AuthMiddlewareResult (130-139)
• AuthDecision (115-124)

apps/lfx-pcc/src/server/helpers/logger.ts (1)

• error (52-65)

apps/lfx-pcc/src/server/services/project.service.ts (1)

packages/shared/src/interfaces/project.interface.ts (1)

• Project (54-103)

apps/lfx-pcc/src/server/controllers/meeting.controller.ts (2)

apps/lfx-pcc/src/server/helpers/logger.ts (2)

• Logger (10-129)
• error (52-65)

apps/lfx-pcc/src/server/helpers/validation.helper.ts (1)

• validateUidParameter (30-49)

apps/lfx-pcc/src/server/services/meeting.service.ts (1)

packages/shared/src/interfaces/meeting.interface.ts (2)

• Meeting (75-142)
• MeetingJoinURL (427-430)

apps/lfx-pcc/src/server/services/microservice-proxy.service.ts (1)

apps/lfx-pcc/src/server/services/api-client.service.ts (1)

• ApiClientService (9-123)

apps/lfx-pcc/src/server/server.ts (1)

apps/lfx-pcc/src/server/middleware/auth.middleware.ts (1)

• authMiddleware (351-351)

apps/lfx-pcc/src/server/controllers/public-meeting.controller.ts (1)

apps/lfx-pcc/src/server/helpers/logger.ts (1)

• error (52-65)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: E2E Tests / Playwright E2E Tests

🔇 Additional comments (10)

.vscode/settings.json (1)

64-66: LGTM — editor-only setting.

No runtime impact; fine to keep in repo-scoped settings.

packages/shared/src/interfaces/meeting.interface.ts (1)

422-430: LGTM — concise response contract for join URL.

Name aligns with existing join_url field; docs included.

apps/lfx-pcc/src/server/routes/meetings.route.ts (1)

24-26: LGTM — route wiring for join URL.

Placement after /:uid is fine; no path shadowing.

apps/lfx-pcc/src/server/server.ts (1)

190-196: No action needed: authMiddleware already exempts /public/api and /meetings as optional routes.

apps/lfx-pcc/src/server/services/meeting.service.ts (1)

384-390: LGTM: join URL proxy method.

Straight-through proxy aligns with the shared MeetingJoinURL interface and defers errors to caller.

apps/lfx-pcc/src/server/controllers/public-meeting.controller.ts (1)

45-47: LGTM: explicit access=false for public fetch.

Keeps access augmentation off for public responses as intended.

apps/lfx-pcc/src/server/middleware/auth.middleware.ts (1)

22-24: No singular /meeting SSR route detected—no update needed.

packages/shared/src/interfaces/auth.interface.ts (3)

100-109: RouteAuthConfig looks good.

Clear, minimal shape with optional token flag for APIs.

---

130-139: AuthMiddlewareResult is appropriate.

Carries only what the decision engine needs; no leaked authContext.

---

145-152: AuthConfig is sufficient and future-proof.

Defaults plus route array match the new middleware.

[github-actions]

✅ E2E Tests Passed

Browser: chromium
Status: passed

All E2E tests passed successfully.

Test Configuration

• Node.js: 22
• Command: e2e
• Browser: chromium
• Base URL: http://localhost:4200

[coderabbitai]

Actionable comments posted: 2

♻️ Duplicate comments (2)

apps/lfx-pcc/src/server/middleware/auth.middleware.ts (2)

171-206: SSR non-GET unauth bypass fixed.

Non-GET SSR now returns 401 when unauthenticated. Good catch.

---

66-77: Express type augmentation reminder (oidc, log, id, bearerToken).

If not already added, extend Express types so these fields compile cleanly.

Also applies to: 267-270, 339-347

🧹 Nitpick comments (8)

apps/lfx-pcc/src/server/services/api-client.service.ts (3)

89-97: Handle empty/204/304 responses before JSON.parse.

Avoid parsing empty body which throws.

-      const data = await response.text();
+      const text = await response.text();
+      const isEmpty = response.status === 204 || response.status === 304 || !text;
 
       const apiResponse: ApiResponse<T> = {
-        data: data ? JSON.parse(data) : null,
+        data: isEmpty ? null : JSON.parse(text),
         status: response.status,
         statusText: response.statusText,
         headers: Object.fromEntries(response.headers.entries()),
       };

---

125-128: Support array query params.

new URLSearchParams(query) stringifies arrays as comma-joined. Expand arrays to repeated keys.

-    const queryString = query ? new URLSearchParams(query).toString() : '';
+    const queryString = query ? this.buildSearchParams(query) : '';

Add this helper inside the class:

private buildSearchParams(query: Record<string, any>): string {
  const params = new URLSearchParams();
  for (const [k, v] of Object.entries(query)) {
    if (Array.isArray(v)) v.forEach(x => params.append(k, String(x)));
    else if (v != null) params.append(k, String(v));
  }
  return params.toString();
}

---

10-18: Retry config is unused.

retryAttempts/retryDelay are never applied. Implement retry/backoff (idempotent methods) or drop the fields.

apps/lfx-pcc/src/server/middleware/auth.middleware.ts (5)

25-27: Guest access for join URL endpoint?

Current /api rule requires auth+token, which blocks unauthenticated guests. If guests may retrieve join URLs for public meetings, add a specific override above the generic /api rule, or expose it under /public/api.

+  // Join URL endpoint – allow optional auth; controller enforces meeting visibility
+  { pattern: /^\/api\/meetings\/[^/]+\/join-url$/, type: 'api', auth: 'optional', tokenRequired: false },

Confirm intended behavior vs LFXV2-417.

---

66-83: Avoid fetching user info on every request.

Use req.oidc.user when present; call fetchUserInfo() only if missing.

-    if (req.oidc?.isAuthenticated()) {
-      const user = (await req.oidc.fetchUserInfo()) ?? (req.oidc?.user as User);
+    if (req.oidc?.isAuthenticated()) {
+      const user = (req.oidc?.user as User) ?? (await req.oidc.fetchUserInfo());
       req.log.debug({ path: req.path, userId: user?.sub }, 'Authentication check successful');
       return { authenticated: true, user };
     }

---

68-76: Don’t log cookie names.

Reduce log verbosity and risk by logging count only.

-        cookies: Object.keys(req.cookies || {}),
+        cookieCount: Object.keys(req.cookies || {}).length,

---

101-121: Consider token refresh before failing token checks.

If supported by your OIDC lib, attempt refresh when isExpired() is true.

---

266-273: Guard res.oidc.login to avoid runtime error.

Fall back to plain redirect if OIDC object is unavailable.

-      if (decision.redirectUrl) {
-        // Use OIDC login method which handles the redirect properly
-        res.oidc.login({ returnTo: req.originalUrl });
-      } else {
-        res.redirect('/');
-      }
+      if (res.oidc?.login) {
+        res.oidc.login({ returnTo: req.originalUrl });
+      } else {
+        res.redirect(`/login?returnTo=${encodeURIComponent(req.originalUrl)}`);
+      }

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 93d05f0 and f8bb764.

📒 Files selected for processing (2)

• apps/lfx-pcc/src/server/middleware/auth.middleware.ts (1 hunks)
• apps/lfx-pcc/src/server/services/api-client.service.ts (1 hunks)

🧰 Additional context used

📓 Path-based instructions (5)

**/*.{ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

Prefer TypeScript interfaces over union types when modeling shapes and contracts

Files:

• apps/lfx-pcc/src/server/services/api-client.service.ts
• apps/lfx-pcc/src/server/middleware/auth.middleware.ts

**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (CLAUDE.md)

Do not nest ternary expressions

Files:

• apps/lfx-pcc/src/server/services/api-client.service.ts
• apps/lfx-pcc/src/server/middleware/auth.middleware.ts

apps/lfx-pcc/src/**/*.{ts,html}

📄 CodeRabbit inference engine (CLAUDE.md)

Use LFX wrapper components instead of importing PrimeNG components directly

Files:

• apps/lfx-pcc/src/server/services/api-client.service.ts
• apps/lfx-pcc/src/server/middleware/auth.middleware.ts

**/*.{ts,tsx,js,jsx,html,scss,css}

📄 CodeRabbit inference engine (CLAUDE.md)

Include required license headers on all source files

Files:

• apps/lfx-pcc/src/server/services/api-client.service.ts
• apps/lfx-pcc/src/server/middleware/auth.middleware.ts

apps/lfx-pcc/src/**/*.ts

📄 CodeRabbit inference engine (CLAUDE.md)

apps/lfx-pcc/src/**/*.ts: In the Angular app, use direct imports for standalone components (no barrel imports)
When defining types for PrimeNG usage, reference PrimeNG’s component interfaces

Files:

• apps/lfx-pcc/src/server/services/api-client.service.ts
• apps/lfx-pcc/src/server/middleware/auth.middleware.ts

🧠 Learnings (1)

📓 Common learnings

Learnt from: CR
PR: linuxfoundation/lfx-v2-ui#0
File: CLAUDE.md:0-0
Timestamp: 2025-09-05T18:09:48.791Z
Learning: Public routes include /meeting and /public/api; use M2M tokens for server-side API calls from public endpoints

🧬 Code graph analysis (1)

apps/lfx-pcc/src/server/middleware/auth.middleware.ts (2)

packages/shared/src/interfaces/auth.interface.ts (5)

• RouteAuthConfig (100-109)
• AuthConfig (145-152)
• User (8-41)
• AuthMiddlewareResult (130-139)
• AuthDecision (115-124)

apps/lfx-pcc/src/server/helpers/logger.ts (1)

• error (52-65)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: E2E Tests / Playwright E2E Tests

🔇 Additional comments (2)

apps/lfx-pcc/src/server/services/api-client.service.ts (1)

53-54: Confirm Node.js runtime version supports AbortSignal.timeout
AbortSignal.timeout is available in Node.js v16.14.0+ and v17.3.0+ (nodejs.org). Verify your package.json engines.node constraint (or your CI/runtime) meets this requirement, or include an appropriate polyfill (e.g. via undici) if targeting older Node versions.

apps/lfx-pcc/src/server/middleware/auth.middleware.ts (1)

294-363: No changes needed: OIDC middleware precedes custom auth middleware and routes mount correctly.
app.use(auth(authConfig)) at line 168 runs before app.use(authMiddleware) at line 191, and subsequent routes are mounted in the intended order.

[coderabbitai]

Actionable comments posted: 2

♻️ Duplicate comments (2)

apps/lfx-pcc/src/server/middleware/auth.middleware.ts (2)

198-212: SSR non-GET auth bypass fixed — nice.

The 401 branch for SSR non-GET closes the gap flagged earlier.

Also applies to: 214-229, 231-246

---

101-159: Token refresh path is fine; ensure typings exist for req.bearerToken/req.oidc/req.log.

Prior feedback noted only bearerToken was declared. Make sure Request/Response are augmented for oidc, log, and id.

#!/bin/bash
# Verify Express module augmentation for oidc/log/id/bearerToken
rg -nP -C2 'declare module .express.|namespace\s+Express' --type-add 'dts:*.d.ts' --type dts
rg -nP -C3 'interface\s+Request\s*{[^}]*\boidc\b' --type-add 'dts:*.d.ts' --type dts
rg -nP -C3 'interface\s+Request\s*{[^}]*\blog\b'  --type-add 'dts:*.d.ts' --type dts
rg -nP -C3 'interface\s+Request\s*{[^}]*\bid\b'   --type-add 'dts:*.d.ts' --type dts
rg -nP -C3 'interface\s+Response\s*{[^}]*\boidc\b' --type-add 'dts:*.d.ts' --type dts

🧹 Nitpick comments (8)

apps/lfx-pcc/src/app/shared/guards/auth.guard.ts (1)

25-31: Comment/code mismatch and minor redirect nit.

The comment says “using Router for SSR compatibility,” but the code uses window.location. Either update the comment or switch to a Router UrlTree. Also prefer location.replace to avoid polluting browser history with the transient /login hop.

-  // Redirect to login with returnTo parameter using Router for SSR compatibility
+  // Redirect to server-side /login with returnTo parameter (browser only).
+  // On non-browser/SSR, return false and let server middleware handle redirects.
@@
-  if (isPlatformBrowser(platformId)) {
-    window.location.href = `/login?returnTo=${returnTo}`;
-  }
+  if (isPlatformBrowser(platformId)) {
+    window.location.replace(`/login?returnTo=${returnTo}`);
+  }

apps/lfx-pcc/src/server/server.ts (3)

75-93: Fix Pino redaction path for Set-Cookie.

Use dot-notation (res.headers.set-cookie). The bracket form won’t be recognized by Pino.

-          : ['access_token', 'refresh_token', 'authorization', 'cookie', 'req.headers.authorization', 'req.headers.cookie', 'res.headers["set-cookie"]'],
+          : ['access_token', 'refresh_token', 'authorization', 'cookie', 'req.headers.authorization', 'req.headers.cookie', 'res.headers.set-cookie'],

Apply the same change in httpLogger redact config.

---

205-207: Prefer prefix mount for API error handler.

Use '/api' instead of '/api/*' for the error handler mount to catch all API errors consistently.

-app.use('/api/*', apiErrorHandler);
+app.use('/api', apiErrorHandler);

---

125-132: Logger ignore lists a non-existent '/api/health'.

Either add an /api/health endpoint or remove it from the ignore predicate.

apps/lfx-pcc/src/server/middleware/auth.middleware.ts (4)

35-39: Make defaults consistent with the catch-all.

With the above change, leaving defaultAuth: 'required' is correct. If you keep a catch-all '/' of 'optional', defaultAuth will never be used—avoid that inconsistency.

---

290-297: Use the computed redirectUrl to hit /login (and its returnTo validation).

Currently you ignore decision.redirectUrl and call res.oidc.login directly. Redirecting to /login centralizes sanitization and keeps behavior consistent.

-    case 'redirect':
-      if (decision.redirectUrl) {
-        // Use OIDC login method which handles the redirect properly
-        res.oidc.login({ returnTo: req.originalUrl });
-      } else {
-        res.redirect('/');
-      }
+    case 'redirect':
+      if (decision.redirectUrl) {
+        return res.redirect(decision.redirectUrl);
+      }
+      res.redirect('/');
       break;

---

66-96: Avoid remote userinfo call on every request.

fetchUserInfo can be an extra network hop. Prefer req.oidc.user for middleware decisions; defer userinfo fetch to places that need fresh profile.

-    if (req.oidc?.isAuthenticated()) {
-      const user = (await req.oidc.fetchUserInfo()) ?? (req.oidc?.user as User);
+    if (req.oidc?.isAuthenticated()) {
+      const user = (req.oidc?.user as User) ?? undefined;

---

340-345: Skip token extraction for SSR optional routes to reduce overhead.

Refreshing/extracting tokens for every optional SSR hit isn’t needed. Restrict to API routes (and required SSR if desired).

-      if (routeConfig.tokenRequired || routeConfig.auth === 'optional') {
+      if (routeConfig.type === 'api' && (routeConfig.tokenRequired || routeConfig.auth === 'optional')) {
         hasToken = await extractBearerToken(req);
       }

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between f8bb764 and 88c8bd8.

📒 Files selected for processing (7)

• apps/lfx-pcc/src/app/app.routes.ts (2 hunks)
• apps/lfx-pcc/src/app/shared/guards/auth.guard.ts (1 hunks)
• apps/lfx-pcc/src/server/controllers/public-meeting.controller.ts (3 hunks)
• apps/lfx-pcc/src/server/middleware/auth.middleware.ts (1 hunks)
• apps/lfx-pcc/src/server/server.ts (2 hunks)
• apps/lfx-pcc/src/server/services/meeting.service.ts (5 hunks)
• apps/lfx-pcc/src/server/utils/security.util.ts (0 hunks)

💤 Files with no reviewable changes (1)

• apps/lfx-pcc/src/server/utils/security.util.ts

🚧 Files skipped from review as they are similar to previous changes (2)

• apps/lfx-pcc/src/server/services/meeting.service.ts
• apps/lfx-pcc/src/server/controllers/public-meeting.controller.ts

🧰 Additional context used

📓 Path-based instructions (5)

**/*.{ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

Prefer TypeScript interfaces over union types when modeling shapes and contracts

Files:

• apps/lfx-pcc/src/app/shared/guards/auth.guard.ts
• apps/lfx-pcc/src/app/app.routes.ts
• apps/lfx-pcc/src/server/server.ts
• apps/lfx-pcc/src/server/middleware/auth.middleware.ts

**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (CLAUDE.md)

Do not nest ternary expressions

Files:

• apps/lfx-pcc/src/app/shared/guards/auth.guard.ts
• apps/lfx-pcc/src/app/app.routes.ts
• apps/lfx-pcc/src/server/server.ts
• apps/lfx-pcc/src/server/middleware/auth.middleware.ts

apps/lfx-pcc/src/**/*.{ts,html}

📄 CodeRabbit inference engine (CLAUDE.md)

Use LFX wrapper components instead of importing PrimeNG components directly

Files:

• apps/lfx-pcc/src/app/shared/guards/auth.guard.ts
• apps/lfx-pcc/src/app/app.routes.ts
• apps/lfx-pcc/src/server/server.ts
• apps/lfx-pcc/src/server/middleware/auth.middleware.ts

**/*.{ts,tsx,js,jsx,html,scss,css}

📄 CodeRabbit inference engine (CLAUDE.md)

Include required license headers on all source files

Files:

• apps/lfx-pcc/src/app/shared/guards/auth.guard.ts
• apps/lfx-pcc/src/app/app.routes.ts
• apps/lfx-pcc/src/server/server.ts
• apps/lfx-pcc/src/server/middleware/auth.middleware.ts

apps/lfx-pcc/src/**/*.ts

📄 CodeRabbit inference engine (CLAUDE.md)

apps/lfx-pcc/src/**/*.ts: In the Angular app, use direct imports for standalone components (no barrel imports)
When defining types for PrimeNG usage, reference PrimeNG’s component interfaces

Files:

• apps/lfx-pcc/src/app/shared/guards/auth.guard.ts
• apps/lfx-pcc/src/app/app.routes.ts
• apps/lfx-pcc/src/server/server.ts
• apps/lfx-pcc/src/server/middleware/auth.middleware.ts

🧠 Learnings (2)

📓 Common learnings

Learnt from: CR
PR: linuxfoundation/lfx-v2-ui#0
File: CLAUDE.md:0-0
Timestamp: 2025-09-05T18:09:48.791Z
Learning: Public routes include /meeting and /public/api; use M2M tokens for server-side API calls from public endpoints

📚 Learning: 2025-09-05T18:09:48.791Z

Learnt from: CR
PR: linuxfoundation/lfx-v2-ui#0
File: CLAUDE.md:0-0
Timestamp: 2025-09-05T18:09:48.791Z
Learning: Public routes include /meeting and /public/api; use M2M tokens for server-side API calls from public endpoints

Applied to files:

• apps/lfx-pcc/src/server/server.ts

🧬 Code graph analysis (3)

apps/lfx-pcc/src/app/app.routes.ts (1)

apps/lfx-pcc/src/app/shared/guards/auth.guard.ts (1)

• authGuard (16-32)

apps/lfx-pcc/src/server/server.ts (1)

apps/lfx-pcc/src/server/middleware/auth.middleware.ts (1)

• authMiddleware (392-392)

apps/lfx-pcc/src/server/middleware/auth.middleware.ts (1)

packages/shared/src/interfaces/auth.interface.ts (5)

• RouteAuthConfig (100-109)
• AuthConfig (145-152)
• User (8-41)
• AuthMiddlewareResult (130-139)
• AuthDecision (115-124)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: E2E Tests / Playwright E2E Tests

🔇 Additional comments (2)

apps/lfx-pcc/src/app/shared/guards/auth.guard.ts (1)

20-23: Guard check looks good.

Synchronous check against the signal is clear and cheap.

apps/lfx-pcc/src/server/server.ts (1)

191-193: Good placement of the unified auth middleware.

Mounted after OIDC and before routers; aligns with design.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

apps/lfx-pcc/src/server/server.ts (1)

222-226: Prefer token claims; fallback to userinfo — add minor type/robustness guard

Current logic is sound. To avoid overwriting with a sparse userinfo payload and to satisfy TS types, guard and cast:

-      auth.user = req.oidc?.user as User;
-      if (!auth.user?.email) {
-        auth.user = await req.oidc.fetchUserInfo();
-      }
+      auth.user = req.oidc?.user as User;
+      if (!auth.user?.email) {
+        const info = (await req.oidc.fetchUserInfo()) as unknown as User;
+        if (info?.email) auth.user = info;
+      }

Optional: before passing auth.user into SSR, project to a minimal, known-safe subset of fields to avoid leaking extraneous claims. I can provide a small sanitizer util if helpful.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 88c8bd8 and 8ce3e51.

📒 Files selected for processing (6)

• .github/workflows/e2e-tests.yml (0 hunks)
• apps/lfx-pcc/src/server/middleware/auth.middleware.ts (1 hunks)
• apps/lfx-pcc/src/server/server.ts (3 hunks)
• apps/lfx-pcc/src/server/services/meeting.service.ts (5 hunks)
• apps/lfx-pcc/src/server/services/microservice-proxy.service.ts (3 hunks)
• packages/shared/src/interfaces/auth.interface.ts (1 hunks)

💤 Files with no reviewable changes (1)

• .github/workflows/e2e-tests.yml

🚧 Files skipped from review as they are similar to previous changes (4)

• apps/lfx-pcc/src/server/services/microservice-proxy.service.ts
• apps/lfx-pcc/src/server/middleware/auth.middleware.ts
• packages/shared/src/interfaces/auth.interface.ts
• apps/lfx-pcc/src/server/services/meeting.service.ts

🧰 Additional context used

📓 Path-based instructions (5)

**/*.{ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

Prefer TypeScript interfaces over union types when modeling shapes and contracts

Files:

• apps/lfx-pcc/src/server/server.ts

**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (CLAUDE.md)

Do not nest ternary expressions

Files:

• apps/lfx-pcc/src/server/server.ts

apps/lfx-pcc/src/**/*.{ts,html}

📄 CodeRabbit inference engine (CLAUDE.md)

Use LFX wrapper components instead of importing PrimeNG components directly

Files:

• apps/lfx-pcc/src/server/server.ts

**/*.{ts,tsx,js,jsx,html,scss,css}

📄 CodeRabbit inference engine (CLAUDE.md)

Include required license headers on all source files

Files:

• apps/lfx-pcc/src/server/server.ts

apps/lfx-pcc/src/**/*.ts

📄 CodeRabbit inference engine (CLAUDE.md)

apps/lfx-pcc/src/**/*.ts: In the Angular app, use direct imports for standalone components (no barrel imports)
When defining types for PrimeNG usage, reference PrimeNG’s component interfaces

Files:

• apps/lfx-pcc/src/server/server.ts

🧠 Learnings (2)

📓 Common learnings

Learnt from: CR
PR: linuxfoundation/lfx-v2-ui#0
File: CLAUDE.md:0-0
Timestamp: 2025-09-05T18:09:48.791Z
Learning: Public routes include /meeting and /public/api; use M2M tokens for server-side API calls from public endpoints

📚 Learning: 2025-09-05T18:09:48.791Z

Learnt from: CR
PR: linuxfoundation/lfx-v2-ui#0
File: CLAUDE.md:0-0
Timestamp: 2025-09-05T18:09:48.791Z
Learning: Public routes include /meeting and /public/api; use M2M tokens for server-side API calls from public endpoints

Applied to files:

• apps/lfx-pcc/src/server/server.ts

🧬 Code graph analysis (1)

apps/lfx-pcc/src/server/server.ts (2)

apps/lfx-pcc/src/server/middleware/auth.middleware.ts (1)

• authMiddleware (376-376)

packages/shared/src/interfaces/auth.interface.ts (1)

• User (8-41)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: E2E Tests / Playwright E2E Tests

🔇 Additional comments (2)

apps/lfx-pcc/src/server/server.ts (2)

18-18: Unified auth middleware import — LGTM

Importing the consolidated auth middleware here aligns with the new OIDC-driven flow.

---

191-197: Confirm public route allowlist and API behaviors

• auth.middleware.ts (lines 17–26) defines { pattern: '/public/api', type: 'api', auth: 'optional', tokenRequired: false } and { pattern: '/meetings', type: 'ssr', auth: 'optional' }, confirming public endpoints pass through without redirect.
• Verify OPTIONS/HEAD (preflight) requests bypass auth as intended.
• Verify unauthorized API calls return JSON 401/403 (no HTML redirects).

Optional: mount the API error handler on public routes for symmetry:

+ app.use('/public/api/*', apiErrorHandler);

[github-actions]

🧹 Deployment Removed

The deployment for PR #79 has been removed.