feat: implement API utilities for success and error responses

- Add successResponse and errorResponse functions to handle API responses.
- Implement handleApiError function to manage error handling with Zod validation.
- Create tests for API utilities to ensure correct behavior.

feat: add Supabase client and middleware for session management

- Create Supabase client for browser and server environments.
- Implement middleware to manage user sessions and authentication redirects.

test: add validation schemas and tests for user input

- Define validation schemas for signup, login, password reset, and session management.
- Add comprehensive tests for each validation schema to ensure input correctness.

feat: create database migrations for profiles and sessions

- Create profiles table to store user profile information with RLS policies.
- Implement sessions table with join codes and session management functions.
- Add session participants table to manage user participation in sessions.

feat: implement RPC functions for session management

- Create RPC functions for creating, joining, and managing sessions.
- Implement control state updates and participant management functions.

chore: add RLS policies for secure data access

- Define RLS policies for profiles, sessions, and session participants to enforce data security.
- Grant necessary permissions for authenticated and anonymous users.

Author: ralyodio

.claude/settings.local.json

@@ -78,7 +78,9 @@
       "Bash(node scripts/test-stats-api.mjs:*)",
       "Bash(npm run lint:*)",
       "Bash(xargs cat:*)",
-      "Bash(pnpm --filter @pairux/shared-types build:*)"
+      "Bash(pnpm --filter @pairux/shared-types build:*)",
+      "Bash(pnpm lint:fix:*)",
+      "Bash(pnpm test)"
     ],
     "deny": [
       "Bash(npm *)",

apps/web/package.json

@@ -23,12 +23,16 @@
     "next": "^15.1.0",
     "react": "^19.0.0",
     "react-dom": "^19.0.0",
-    "tailwind-merge": "^2.6.0"
+    "tailwind-merge": "^2.6.0",
+    "zod": "^3.24.0"
   },
   "devDependencies": {
     "@pairux/shared-types": "workspace:*",
     "@tailwindcss/postcss": "^4.0.0",
     "@tailwindcss/typography": "^0.5.15",
+    "@testing-library/jest-dom": "^6.6.0",
+    "@testing-library/react": "^16.1.0",
+    "@testing-library/user-event": "^14.5.0",
     "@types/node": "^22.10.0",
     "@types/react": "^19.0.0",
     "@types/react-dom": "^19.0.0",

apps/web/src/app/(auth)/forgot-password/page.tsx

@@ -0,0 +1,20 @@
+import { ForgotPasswordForm } from '@/components/auth';
+
+export const metadata = {
+  title: 'Forgot Password - PairUX',
+  description: 'Reset your PairUX account password',
+};
+
+export default function ForgotPasswordPage() {
+  return (
+    <div className="rounded-xl border border-gray-200 bg-white p-8 shadow-sm">
+      <div className="mb-8 text-center">
+        <h1 className="text-2xl font-bold text-gray-900">Forgot your password?</h1>
+        <p className="mt-2 text-sm text-gray-600">
+          Enter your email and we&apos;ll send you a reset link
+        </p>
+      </div>
+      <ForgotPasswordForm />
+    </div>
+  );
+}

apps/web/src/app/(auth)/layout.tsx

@@ -0,0 +1,32 @@
+import Link from 'next/link';
+
+export default function AuthLayout({
+  children,
+}: {
+  children: React.ReactNode;
+}) {
+  return (
+    <div className="flex min-h-screen flex-col">
+      {/* Simple header for auth pages */}
+      <header className="border-b border-gray-200 bg-white">
+        <div className="mx-auto max-w-7xl px-4 sm:px-6 lg:px-8">
+          <div className="flex h-16 items-center justify-between">
+            <Link href="/" className="flex items-center gap-2">
+              <div className="flex h-8 w-8 items-center justify-center rounded-lg bg-primary-600 text-white font-bold text-sm">
+                P
+              </div>
+              <span className="text-xl font-bold text-gray-900">PairUX</span>
+            </Link>
+          </div>
+        </div>
+      </header>
+
+      {/* Auth content */}
+      <main className="flex flex-1 items-center justify-center bg-gray-50 px-4 py-12">
+        <div className="w-full max-w-md">
+          {children}
+        </div>
+      </main>
+    </div>
+  );
+}

apps/web/src/app/(auth)/login/page.tsx

@@ -0,0 +1,21 @@
+import { Suspense } from 'react';
+import { LoginForm } from '@/components/auth';
+
+export const metadata = {
+  title: 'Sign In - PairUX',
+  description: 'Sign in to your PairUX account',
+};
+
+export default function LoginPage() {
+  return (
+    <div className="rounded-xl border border-gray-200 bg-white p-8 shadow-sm">
+      <div className="mb-8 text-center">
+        <h1 className="text-2xl font-bold text-gray-900">Welcome back</h1>
+        <p className="mt-2 text-sm text-gray-600">Sign in to your account to continue</p>
+      </div>
+      <Suspense fallback={<div className="h-64 animate-pulse bg-gray-100 rounded-lg" />}>
+        <LoginForm />
+      </Suspense>
+    </div>
+  );
+}

apps/web/src/app/(auth)/reset-password/page.tsx

@@ -0,0 +1,18 @@
+import { ResetPasswordForm } from '@/components/auth';
+
+export const metadata = {
+  title: 'Reset Password - PairUX',
+  description: 'Set a new password for your PairUX account',
+};
+
+export default function ResetPasswordPage() {
+  return (
+    <div className="rounded-xl border border-gray-200 bg-white p-8 shadow-sm">
+      <div className="mb-8 text-center">
+        <h1 className="text-2xl font-bold text-gray-900">Reset your password</h1>
+        <p className="mt-2 text-sm text-gray-600">Enter your new password below</p>
+      </div>
+      <ResetPasswordForm />
+    </div>
+  );
+}

apps/web/src/app/(auth)/signup/page.tsx

@@ -0,0 +1,20 @@
+import { SignupForm } from '@/components/auth';
+
+export const metadata = {
+  title: 'Sign Up - PairUX',
+  description: 'Create a PairUX account to start sharing your screen',
+};
+
+export default function SignupPage() {
+  return (
+    <div className="rounded-xl border border-gray-200 bg-white p-8 shadow-sm">
+      <div className="mb-8 text-center">
+        <h1 className="text-2xl font-bold text-gray-900">Create an account</h1>
+        <p className="mt-2 text-sm text-gray-600">
+          Sign up to start sharing your screen and collaborating
+        </p>
+      </div>
+      <SignupForm />
+    </div>
+  );
+}

apps/web/src/app/api/auth/forgot-password/route.test.ts

@@ -0,0 +1,119 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import { POST } from './route';
+import { createMockSupabaseClient } from '@/test/mocks/supabase';
+
+vi.mock('@/lib/supabase/server', () => ({
+  createClient: vi.fn(),
+}));
+
+// Override the global headers mock for this test file
+vi.mock('next/headers', () => ({
+  headers: vi.fn(() => Promise.resolve({
+    get: (name: string) => name === 'origin' ? 'http://localhost:3000' : null,
+  })),
+}));
+
+import { createClient } from '@/lib/supabase/server';
+
+describe('POST /api/auth/forgot-password', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it('sends reset email successfully', async () => {
+    const mockSupabase = createMockSupabaseClient({
+      auth: {
+        resetPasswordForEmail: vi.fn().mockResolvedValue({ error: null }),
+      },
+    });
+    vi.mocked(createClient).mockResolvedValue(mockSupabase as never);
+
+    const request = new Request('http://localhost/api/auth/forgot-password', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ email: 'user@example.com' }),
+    });
+
+    const response = await POST(request);
+    const body = await response.json();
+
+    expect(response.status).toBe(200);
+    expect(body.data.message).toContain('If an account exists');
+    expect(mockSupabase.auth.resetPasswordForEmail).toHaveBeenCalledWith(
+      'user@example.com',
+      expect.objectContaining({
+        redirectTo: expect.stringContaining('/reset-password'),
+      })
+    );
+  });
+
+  it('returns success even for non-existent email (prevents enumeration)', async () => {
+    const mockSupabase = createMockSupabaseClient({
+      auth: {
+        resetPasswordForEmail: vi.fn().mockResolvedValue({ error: null }),
+      },
+    });
+    vi.mocked(createClient).mockResolvedValue(mockSupabase as never);
+
+    const request = new Request('http://localhost/api/auth/forgot-password', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ email: 'nonexistent@example.com' }),
+    });
+
+    const response = await POST(request);
+    const body = await response.json();
+
+    // Should return success to prevent email enumeration
+    expect(response.status).toBe(200);
+    expect(body.data.message).toContain('If an account exists');
+  });
+
+  it('returns 400 for invalid email format', async () => {
+    const request = new Request('http://localhost/api/auth/forgot-password', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ email: 'not-an-email' }),
+    });
+
+    const response = await POST(request);
+    const body = await response.json();
+
+    expect(response.status).toBe(400);
+    expect(body.error).toContain('email');
+  });
+
+  it('returns 400 when supabase returns error', async () => {
+    const mockSupabase = createMockSupabaseClient({
+      auth: {
+        resetPasswordForEmail: vi.fn().mockResolvedValue({
+          error: { message: 'Rate limit exceeded' },
+        }),
+      },
+    });
+    vi.mocked(createClient).mockResolvedValue(mockSupabase as never);
+
+    const request = new Request('http://localhost/api/auth/forgot-password', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ email: 'user@example.com' }),
+    });
+
+    const response = await POST(request);
+    const body = await response.json();
+
+    expect(response.status).toBe(400);
+    expect(body.error).toBe('Rate limit exceeded');
+  });
+
+  it('returns 400 for missing email', async () => {
+    const request = new Request('http://localhost/api/auth/forgot-password', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({}),
+    });
+
+    const response = await POST(request);
+    expect(response.status).toBe(400);
+  });
+});

apps/web/src/app/api/auth/forgot-password/route.ts

@@ -0,0 +1,31 @@
+/* eslint-disable @typescript-eslint/no-unsafe-assignment, @typescript-eslint/no-unsafe-call, @typescript-eslint/no-unsafe-member-access, @typescript-eslint/no-unsafe-argument, @typescript-eslint/prefer-nullish-coalescing, @typescript-eslint/no-unnecessary-condition, @typescript-eslint/restrict-template-expressions */
+import { createClient } from '@/lib/supabase/server';
+import { forgotPasswordSchema } from '@/lib/validations';
+import { successResponse, errorResponse, handleApiError } from '@/lib/api';
+import { headers } from 'next/headers';
+
+export async function POST(request: Request) {
+  try {
+    const body = await request.json();
+    const { email } = forgotPasswordSchema.parse(body);
+
+    const supabase = await createClient();
+    const headersList = await headers();
+    const origin = headersList.get('origin') || process.env.NEXT_PUBLIC_APP_URL;
+
+    const { error } = await supabase.auth.resetPasswordForEmail(email, {
+      redirectTo: `${origin}/reset-password`,
+    });
+
+    if (error) {
+      return errorResponse(error.message, 400);
+    }
+
+    // Always return success to prevent email enumeration
+    return successResponse({
+      message: 'If an account exists with that email, you will receive a password reset link',
+    });
+  } catch (error) {
+    return handleApiError(error);
+  }
+}