# authentication Specification

## Purpose

TBD - created by archiving change add-meeting-assistant-mvp. Update Purpose after archive.

## Requirements

### Requirement: Login Proxy

The middleware server SHALL proxy login requests to the company Auth API at https://pj-auth-api.vercel.app/api/auth/login.

#### Scenario: Successful login

- **WHEN** the user submits valid credentials to POST /api/login
- **THEN** the server SHALL forward them to the Auth API and return the JWT token

#### Scenario: Admin role detection

- **WHEN** the user logs in with email ymirliu@panjit.com.tw
- **THEN** the response JWT payload SHALL include role: "admin"

#### Scenario: Invalid credentials

- **WHEN** the user submits invalid credentials
- **THEN** the server SHALL return HTTP 401 with the error message from the Auth API

### Requirement: Token Validation

The middleware server SHALL validate JWT tokens on protected endpoints.

#### Scenario: Valid token access

- **WHEN** the request includes a valid JWT in the Authorization header
- **THEN** the request SHALL proceed to the endpoint handler

#### Scenario: Expired token

- **WHEN** the request includes an expired JWT
- **THEN** the server SHALL return HTTP 401 with the "token_expired" error code

#### Scenario: Missing token

- **WHEN** a request to a protected endpoint lacks the Authorization header
- **THEN** the server SHALL return HTTP 401 with the "token_required" error code

### Requirement: Token Auto-Refresh

The Electron client SHALL implement automatic token refresh before expiration.

#### Scenario: Proactive refresh

- **WHEN** the token approaches expiration (within 5 minutes) during an active session
- **THEN** the client SHALL request a new token transparently without interrupting the user

#### Scenario: Refresh during long meeting

- **WHEN** the user is in a meeting session lasting longer than the token validity
- **THEN** the client SHALL maintain authentication through automatic refresh