Auth & Session:
- Add credentials: include to all frontend fetch calls (queryClient,
auth-context, tanuki-trades, symbol-selector, settings, verify)
- Redis-backed session store with connect-redis, 7-day cookie expiry,
sameSite=lax, httpOnly=true
- Add app.set('trust proxy', 1) so Express honors X-Forwarded-Proto from
nginx — fixes secure cookies never being sent over HTTPS
- Cookie secure flag also checks APP_URL for reverse proxy deployments
Login Flow:
- Fix post-login redirect race condition: use full page reload
(window.location.href) instead of hash navigation so auth cookie is
established before ProtectedRoute checks session
- Disable SymbolSelector query when not authenticated to prevent blocking
fetches on login page
- SymbolSelector returns null when not authenticated — no UI rendered
Tanuki Trades:
- Add ErrorBoundary component to isolate Tanuki page crashes
- Use unique queryKey ['tanuki-tickers'] to prevent React Query cache
collision with symbol selector
- Defensive query syntax with async/await for error isolation
Testing:
- Verified login → redirect → refresh → session persists (no 401)
- Verified Tanuki page no longer crashes the entire app
- Verified /api/auth/me returns user data across requests with cookie
- Added ORATS API client with authentication (X-API-Key header)
- Implemented market data routes with ORATS → mock fallback
- Added ORATS status endpoint (/api/orats/status)
- Configured API key in .env (currently returning Forbidden - needs verification)
- Market data endpoints: /api/market/:symbol/summary, /gex, /expirations
- Screener endpoint uses ORATS when available, falls back to mock