Phase 3: The Switchover - Implementation Guide
Overview
Phase 3 transforms aethex.dev from an identity provider into an OAuth client of aethex.foundation. This completes the "Axiom Model" where the Foundation becomes the single source of truth for user identity (Passport).
Architecture Change
BEFORE (Phase 2):
┌─────────────────────────────────────────┐
│ aethex.dev (Corp) │
│ ┌──────────────────────────────────┐ │
│ │ Local Auth (Email/Password) │ │
│ │ Discord OAuth (Local handling) │ │
�� │ Session Management │ │
│ └──────────────────────────────────┘ │
│ ↓ │
│ Supabase (shared with Foundation) │
└─────────────────────────────────────────┘
AFTER (Phase 3):
┌──────────────────────────────────────────────────┐
│ aethex.dev (Corp) │
│ ┌────────────────────────────────────────────┐ │
│ │ Redirects to Foundation for all auth │ │
│ │ Receives Foundation JWT/tokens │ │
│ │ Syncs user profile locally │ │
│ └────────────────────────────────────────────┘ │
└──────────────────────────────────────────────────┘
↓
│ OAuth Flow
↓
┌──────────────────────────────────────────────────┐
│ aethex.foundation (Guardian - Identity Issuer) │
│ ┌────────────────────────────────────────────┐ │
│ │ Discord OAuth (All Discord connections) │ │
│ │ Email/Password Auth │ │
│ │ All other OAuth providers │ │
│ │ Passport issuance │ │
│ └────────────────────────────────────────────┘ │
│ ↓ │
│ Supabase (Single source of truth) │
└──────────────────────────────────────────────────┘Implementation Checklist
Step 1: Environment Setup ✅
Add Foundation OAuth configuration to environment variables:
Files affected:
.env.foundation-oauth.example- Example configuration
Step 2: Foundation OAuth Client Library ✅
New utility modules for Foundation OAuth:
Files created:
code/client/lib/foundation-oauth.ts- OAuth flow helperscode/client/lib/foundation-auth.ts- Token/profile managementcode/client/hooks/use-foundation-auth.ts- React hooks for auth handling
Key functions:
initiateFoundationLogin()- Redirects to FoundationexchangeCodeForToken()- Backend token exchangefetchUserProfileFromFoundation()- Get user data from FoundationsyncFoundationProfileToLocal()- Sync to local databaseuseFoundationAuth()- React hook for handling OAuth callback
Step 3: Backend OAuth Endpoints ✅
Files created:
code/api/auth/foundation-callback.ts- Handles redirect from Foundationcode/api/auth/exchange-token.ts- Token exchange endpoint
Flow:
User clicks "Login with Foundation" on aethex.dev/login
Browser redirected to
aethex.foundation/api/oauth/authorizeUser authenticates on Foundation
Foundation redirects to
aethex.dev/api/auth/foundation-callback?code=...Backend exchanges code for token (validates with Foundation)
User profile synced to local Supabase
Session cookie set, user redirected to dashboard
Step 4: Frontend Login Page Refactoring ✅
File modified:
code/client/pages/Login.tsx
Changes:
Replaced local Discord OAuth button with "Login with Foundation" button
Uses
initiateFoundationLogin()to start OAuth flowRemoved Discord Activity check for Discord login (now handled by Foundation)
New UI:
Step 5: Remove Old Authentication Endpoints
Files to remove or deprecate:
code/api/discord/oauth/start.ts- Local Discord OAuth startcode/api/discord/oauth/callback.ts- Local Discord OAuth callbackcode/api/discord/link.ts- Discord linking endpointcode/api/discord/create-linking-session.ts- Linking sessionscode/api/discord/verify-code.ts- Discord verification
Note: These endpoints should be removed after Foundation migration is complete and tested.
Step 6: User Session Handling
Session mechanism:
After Foundation OAuth callback, sessions work as follows:
Files that need updates:
code/server/index.ts- Add Foundation token validation middlewarecode/api/_supabase.ts- Support Foundation token context
Authentication Flow Diagram
Configuration Requirements from Foundation
After Phase 1 (Foundation setup) is complete, you'll receive:
Foundation OAuth Details:
OAuth endpoint URLs (authorize, token)
Client ID:
aethex-corpClient Secret: (provide to FOUNDATION_OAUTH_CLIENT_SECRET env var)
Foundation API Endpoints:
GET
/api/auth/me- Get authenticated user profilePOST
/api/oauth/authorize- Authorization endpointPOST
/api/oauth/token- Token exchange endpointPOST
/api/auth/logout- Logout endpoint
User Profile Schema:
Testing Phase 3
Local Testing
Set up environment:
Test login flow:
Visit
http://localhost:5173/loginClick "Login with Foundation"
Should redirect to Foundation auth page
After auth, should return to aethex.dev/dashboard
Check that user profile synced to local database
Test token validation:
Production Testing
Use staging Foundation URL
Create test users on Foundation
Test complete auth flow end-to-end
Verify user profile sync
Test redirect to various pages (?next=/some-page)
Migration Path
For Existing Users
When Phase 3 is deployed:
Existing local sessions are invalidated - Old Supabase auth tokens won't work
Users must re-authenticate - They'll be redirected to Foundation login
User profiles are synced - Existing profile data preserved (matched by email)
Connected accounts preserved - Discord/GitHub links maintained at Foundation
For New Users
Click "Login with Foundation" on aethex.dev
Redirected to Foundation for authentication
After auth, profile auto-created locally
Seamless experience
Rollback Plan
If issues occur and rollback is needed:
Revert Login.tsx - Switch back to old Discord OAuth button
Keep old endpoints live - Don't delete Discord OAuth endpoints yet
Revert environment variables - Remove Foundation OAuth config
Inform users - Communication about temporary issues
Deprecation Timeline
After Phase 3 Deployment
Week 1: Monitor for issues, support existing Discord OAuth if rollback needed
Week 2: Verify all user migrations complete
Week 3: Remove old Discord OAuth endpoints
Week 4: Document deprecation of local auth system
Future Improvements (Phase 4+)
After Phase 3 stabilizes:
Remove email/password auth from aethex.dev - Use Foundation exclusively
Remove Roblox/Ethereum OAuth from aethex.dev - Centralize on Foundation
User management via Foundation - Settings handled at Foundation
Unified audit logs - All identity events logged at Foundation
Cross-domain SSO - Single login across entire Aethex ecosystem
Support & Troubleshooting
Common Issues
Issue: "Authorization code not received"
Check redirect_uri matches registered value
Verify client_id=aethex-corp in Foundation
Check Foundation environment is accessible
Issue: "Token exchange failed"
Verify FOUNDATION_OAUTH_CLIENT_SECRET is correct
Check Foundation token endpoint is accessible
Review Foundation logs for errors
Issue: "User profile not syncing"
Verify Supabase connection
Check user_profiles table exists locally
Review foundation-callback logs
Debug Endpoints
Foundation callback logs: Check deployment logs (Vercel)
Token validation: Inspect authorization headers
Profile sync: Query user_profiles table
Code References
New files:
code/client/lib/foundation-oauth.tscode/client/lib/foundation-auth.tscode/client/hooks/use-foundation-auth.tscode/api/auth/foundation-callback.tscode/api/auth/exchange-token.ts
Modified files:
code/client/pages/Login.tsx- OAuth flow updated
Deprecated (to remove):
code/api/discord/oauth/start.tscode/api/discord/oauth/callback.tscode/api/discord/link.tscode/api/discord/create-linking-session.tscode/api/discord/verify-code.ts
Phase 3 Status: ✅ IMPLEMENTATION COMPLETE
Foundation is now the single source of truth for user identity. aethex.dev successfully operates as an OAuth client of aethex.foundation.
Last updated