# Auth Profile Contract

## Purpose

`GET /api/auth/me` is the backend-owned current-user profile contract for the product frontend. The endpoint must not expose passwords, verification tokens, reset tokens, or raw Sequelize model objects. The auth transport hardening is documented in `backend/docs/cookie-auth.md`.

## Response Shape

The endpoint returns:

- `id`
- `email`
- `firstName`
- `lastName`
- `phoneNumber`
- `organizationsId`
- `organizations`
- `app_role`
- `productRole`
- `staffProfile`
- `campus`
- `campusId`
- `permissions`

`productRole` is derived server-side, in this order of precedence: generated backend roles first, then staff type, then the default teacher role.

## Constants

Role names and mappings live in `backend/src/constants/roles.js`. Do not duplicate the generated-role to product-role mapping in frontend code.

## Security Rules

- JWT validation remains handled by Passport.
- The target browser auth transport is a backend-owned HttpOnly cookie.
- Auth tokens must not be returned to the product frontend in response bodies or redirect URLs.
- Missing or invalid current users return the centralized forbidden error.
- The response is formatted by `AuthService.currentUserProfile`.
- Secrets are read from `backend/.env` or the process environment only.
- `backend/.env` is ignored by git; repository access should still be treated carefully because local deployment values can exist in the working copy.

## Known Gaps

- Product roles still need a persistent backend migration or a documented server-owned mapping decision.
- Staff profile creation and update flows are not complete.
- Tenant and campus isolation tests still need to be added.
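The following is an added example, not the project's `AuthService.currentUserProfile`, showing how the Response Shape and `productRole` precedence above can be enforced: an explicit field allowlist so a raw Sequelize instance (and its password and token columns) never reaches the wire, the generated-role / staff-type / default-teacher derivation, and a recursive guard that fails the response if any sensitive key slips through. The role mappings, the nested sub-shapes for `organizations`, `staffProfile` and `campus`, the use of `app_role` as the generated backend role, and the sample user are all assumptions; the real mappings live in `backend/src/constants/roles.js`.

```javascript
// Added example (not the project's own code). Assumed mappings stand in for
// backend/src/constants/roles.js and are not the real values.
const GENERATED_ROLE_TO_PRODUCT_ROLE = { // assumption
  tenant_admin: 'admin',
  campus_admin: 'admin',
  staff: 'staff',
};
const STAFF_TYPE_TO_PRODUCT_ROLE = { // assumption
  administrator: 'admin',
  teacher: 'teacher',
};
const DEFAULT_PRODUCT_ROLE = 'teacher';

// Top-level allowlist: exactly the contract fields, nothing inherited from the model.
const PROFILE_FIELDS = ['id', 'email', 'firstName', 'lastName', 'phoneNumber', 'organizationsId', 'campusId'];
// Assumed sub-shapes for the nested objects; allowlisted rather than passed through.
const NESTED_FIELDS = {
  organizations: ['id', 'name'],
  staffProfile: ['id', 'staffType'],
  campus: ['id', 'name'],
};
// Keys that must never appear anywhere in the serialized profile.
const FORBIDDEN_KEY_PATTERN = /password|token|secret|hash/i;

// Sequelize instances expose get({ plain: true }); plain objects pass through unchanged.
function toPlain(user) {
  return typeof user.get === 'function' ? user.get({ plain: true }) : user;
}

function pick(obj, keys) {
  if (obj == null) return null;
  const out = {};
  for (const k of keys) if (obj[k] !== undefined) out[k] = obj[k];
  return out;
}

// Precedence: generated backend role (assumed to be app_role) > staff type > default teacher.
function deriveProductRole(user) {
  const generated = Array.isArray(user.app_role) ? user.app_role : [user.app_role];
  for (const role of generated) {
    if (role && GENERATED_ROLE_TO_PRODUCT_ROLE[role]) return GENERATED_ROLE_TO_PRODUCT_ROLE[role];
  }
  const staffType = user.staffProfile && user.staffProfile.staffType;
  if (staffType && STAFF_TYPE_TO_PRODUCT_ROLE[staffType]) return STAFF_TYPE_TO_PRODUCT_ROLE[staffType];
  return DEFAULT_PRODUCT_ROLE;
}

// Returns dotted paths of every key in the tree that matches the forbidden pattern.
function findSensitiveKeys(value, path = '') {
  if (Array.isArray(value)) return value.flatMap((v, i) => findSensitiveKeys(v, `${path}[${i}]`));
  if (value && typeof value === 'object') {
    return Object.entries(value).flatMap(([k, v]) => {
      const p = path ? `${path}.${k}` : k;
      return (FORBIDDEN_KEY_PATTERN.test(k) ? [p] : []).concat(findSensitiveKeys(v, p));
    });
  }
  return [];
}

function assertNoSensitiveKeys(profile) {
  const leaked = findSensitiveKeys(profile);
  if (leaked.length) throw new Error(`profile leaks sensitive keys: ${leaked.join(', ')}`);
}

// Builds the GET /api/auth/me body. Throws rather than serialize a leaking profile.
function currentUserProfile(user, permissions = []) {
  const plain = toPlain(user);
  const profile = pick(plain, PROFILE_FIELDS);
  for (const [key, keys] of Object.entries(NESTED_FIELDS)) profile[key] = pick(plain[key], keys);
  profile.app_role = plain.app_role ?? null;
  profile.productRole = deriveProductRole(plain);
  profile.permissions = [...permissions];
  assertNoSensitiveKeys(profile);
  return profile;
}

// Constructed sample standing in for a Sequelize user instance with its sensitive columns loaded.
const sampleUser = {
  get() {
    return {
      id: 42, email: 'teacher@example.org', firstName: 'Ada', lastName: 'Lovelace', phoneNumber: null,
      password: '$2b$10$constructed-hash', verificationToken: 'constructed-vt', resetToken: 'constructed-rt',
      organizationsId: 7, organizations: { id: 7, name: 'Example Org', apiSecret: 'constructed' },
      app_role: 'campus_admin', staffProfile: { id: 3, staffType: 'teacher', notes: 'internal' },
      campusId: 2, campus: { id: 2, name: 'North' },
    };
  },
};

const sampleProfile = currentUserProfile(sampleUser, ['students:read']);
```

Calling `currentUserProfile(sampleUser, [...])` yields `productRole: 'admin'` (the generated role wins over the teacher staff type) and a body with no `password`, `verificationToken`, `resetToken` or `apiSecret` keys; `findSensitiveKeys` is also convenient in the isolation tests listed under Known Gaps, since it can be run over any serialized response.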
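As an added example for the Security Rules above (not the implementation in `backend/docs/cookie-auth.md`), the block below builds the HttpOnly auth cookie header, parses it back so a test can verify the flags, and checks that a login or callback response carries the token only in `Set-Cookie`, never in the JSON body or a `Location` redirect. The cookie name, attribute choices and sample token are assumptions.

```javascript
// Added example (not the project's own code). Cookie name and attributes are assumed.
const AUTH_COOKIE_NAME = 'auth_token'; // assumption

// Serializes the backend-owned auth cookie. JWT compact serialization uses only
// base64url characters and '.', so the cookie-unsafe check below is a safety net.
function authCookieHeader(token, { secure = true, maxAgeSeconds } = {}) {
  if (typeof token !== 'string' || /[;,\s]/.test(token)) {
    throw new Error('token is not cookie-safe');
  }
  const parts = [`${AUTH_COOKIE_NAME}=${token}`, 'Path=/', 'HttpOnly', 'SameSite=Lax'];
  if (secure) parts.push('Secure');
  if (Number.isInteger(maxAgeSeconds)) parts.push(`Max-Age=${maxAgeSeconds}`);
  return parts.join('; ');
}

// Minimal Set-Cookie parser, enough to assert on flags and attribute values in tests.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = pair.slice(0, eq);
  const value = pair.slice(eq + 1);
  const flags = new Set();
  const values = {};
  for (const attr of attrs) {
    const [k, v] = attr.split('=');
    if (v === undefined) flags.add(k); else values[k] = v;
  }
  return { name, value, flags, values };
}

// Contract guard: returns the places where the raw token leaked ('body', 'location').
function tokenLeaks(token, { body, location } = {}) {
  const leaks = [];
  if (body !== undefined && JSON.stringify(body).includes(token)) leaks.push('body');
  if (typeof location === 'string' && location.includes(token)) leaks.push('location');
  return leaks;
}

// A login response that honours the rule: token in the cookie, profile in the body.
function loginResponse(profile, token) {
  return {
    status: 200,
    headers: { 'Set-Cookie': authCookieHeader(token, { maxAgeSeconds: 3600 }) },
    body: profile,
  };
}

// Constructed sample values; not real credentials.
const sampleToken = 'eyJhbGciOiJIUzI1NiJ9.constructed-payload.constructed-signature';
const sampleResponse = loginResponse({ id: 42, email: 'teacher@example.org', productRole: 'teacher' }, sampleToken);
const sampleLeaks = tokenLeaks(sampleToken, { body: sampleResponse.body, location: '/app' });
```

Running `tokenLeaks` over every auth response in the test suite (including OAuth-style callbacks, where the temptation is to append the token to the redirect URL) turns the "no tokens in bodies or redirect URLs" rule into a mechanical check rather than a review convention.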