feat: auth

api/AUTH_FLOW.md

@@ -0,0 +1,53 @@
+# Authentication Flow
+
+## Overview
+This API uses Discord OAuth for authentication and JWT tokens for session management. Only the admin user can perform create/update/delete operations, while public read access is available to everyone.
+
+## Environment Variables
+Set up your `prod.env` file with 1Password references:
+- `DATABASE_URL` - MongoDB connection string
+- `JWT_SECRET` - Secret for signing JWT tokens
+- `DISCORD_CLIENT_ID` - Discord OAuth app client ID
+- `DISCORD_CLIENT_SECRET` - Discord OAuth app client secret
+- `ADMIN_DISCORD_ID` - Your Discord user ID for admin access
+- `API_URL` - API base URL (e.g., http://localhost:3000)
+- `FRONTEND_URL` - Frontend URL to redirect after login
+
+## Running the API
+```bash
+# Start with 1Password secrets
+op run --env-file=prod.env -- nx serve api
+```
+
+## Auth Endpoints
+
+### 1. Login
+`GET /api/auth/login` - Redirects to Discord OAuth
+
+### 2. Callback
+`GET /api/auth/callback` - Discord redirects here after auth
+- Creates/updates user in database
+- Generates JWT token
+- Sets httpOnly cookie `auth-token`
+- Redirects to frontend
+
+### 3. Get Current User
+`GET /api/auth/me` - Returns authenticated user (requires auth)
+
+### 4. Logout
+`POST /api/auth/logout` - Clears auth cookie
+
+## Protected Routes
+Example: Games API
+- `GET /api/games` - Public (list all games)
+- `GET /api/games/:id` - Public (get single game)
+- `POST /api/games` - Admin only (create game)
+- `PUT /api/games/:id` - Admin only (update game)
+- `DELETE /api/games/:id` - Admin only (delete game)
+
+## Testing
+1. Set up Discord OAuth app at https://discord.com/developers/applications
+2. Add redirect URI: `http://localhost:3000/api/auth/callback`
+3. Copy client ID and secret to 1Password
+4. Run the API and visit `http://localhost:3000/api/auth/login`
+5. After Discord auth, you'll be redirected to frontend with auth cookie set