Auth & Session:
- Add credentials: include to all frontend fetch calls (queryClient,
auth-context, tanuki-trades, symbol-selector, settings, verify)
- Redis-backed session store with connect-redis, 7-day cookie expiry,
sameSite=lax, httpOnly=true
- Add app.set('trust proxy', 1) so Express honors X-Forwarded-Proto from
nginx — fixes secure cookies never being sent over HTTPS
- Cookie secure flag also checks APP_URL for reverse proxy deployments
Login Flow:
- Fix post-login redirect race condition: use full page reload
(window.location.href) instead of hash navigation so auth cookie is
established before ProtectedRoute checks session
- Disable SymbolSelector query when not authenticated to prevent blocking
fetches on login page
- SymbolSelector returns null when not authenticated — no UI rendered
Tanuki Trades:
- Add ErrorBoundary component to isolate Tanuki page crashes
- Use unique queryKey ['tanuki-tickers'] to prevent React Query cache
collision with symbol selector
- Defensive query syntax with async/await for error isolation
Testing:
- Verified login → redirect → refresh → session persists (no 401)
- Verified Tanuki page no longer crashes the entire app
- Verified /api/auth/me returns user data across requests with cookie
- Configure Brevo SMTP (smtp-relay.brevo.com:587) for production emails
- Make sendVerificationEmail fire-and-forget so SMTP failures don't block registration
- Update .env with real SMTP credentials and APP_URL=https://gammanexus.io
- Fix resend-verification to also use non-blocking email send
- Revert schema to pgTable/serial (matches PostgreSQL)
- db.ts switched back to node-postgres driver
- PostgreSQL 16 installed and running on 142.93.245.235
- Database: gammanexus, User: gn_admin
- Same schema across local and production
- Use sqliteTable/integer instead of pgTable/serial
- Fix Drizzle ORM compatibility with better-sqlite3 driver
- This was causing silent failures on user registration
- Switch DB from PostgreSQL to SQLite (data.db) for now
- Add better-sqlite3, pg, drizzle-orm/* to build externals
- Fix serveStatic path resolution with cwd fallback
- Fix import.meta issue in static.ts for CJS bundle
- Rate limit whitelist for home subnet (192.168.x.x)
- Relax dev rate limits: 500/15min general, 50/15min auth
- Added ORATS API client with authentication (X-API-Key header)
- Implemented market data routes with ORATS → mock fallback
- Added ORATS status endpoint (/api/orats/status)
- Configured API key in .env (currently returning Forbidden - needs verification)
- Market data endpoints: /api/market/:symbol/summary, /gex, /expirations
- Screener endpoint uses ORATS when available, falls back to mock