Fix

Author: ershad

bin/dev

@@ -2,12 +2,6 @@
 
 set -e
 
-if [ -f ".vercel/project.json" ]; then
-    pnpx vercel env pull .env
-elif [ ! -f ".env" ]; then
-    echo ".env file not found. Please run bin/setup first."
-fi
-
 pnpm install
 cd backend
 bundle install

frontend/AUTH_SETUP.md

@@ -7,8 +7,12 @@ This project now includes a parallel authentication flow using Auth.js with OTP
 Add these environment variables to your `.env` file:
 
 ```bash
+# Auth.js secret (server-side only)
 AUTH_SECRET=your-auth-secret-here
-API_SECRET_TOKEN=your-api-secret-token-here
+
+# API configuration (client-side accessible)
+NEXT_PUBLIC_API_SECRET_TOKEN=your-api-secret-token-here
+NEXT_PUBLIC_API_URL=http://localhost:3000  # Optional - defaults to localhost:3000 in dev
 ```
 
 ### AUTH_SECRET
@@ -17,8 +21,14 @@ Generate a random secret for Auth.js:
 npx auth secret
 ```
 
-### API_SECRET_TOKEN
-This should match the API token configured in your backend for accessing the OTP endpoints.
+### NEXT_PUBLIC_API_SECRET_TOKEN
+This should match the API token configured in your backend for accessing the OTP endpoints. Uses `NEXT_PUBLIC_` prefix to make it available in client-side code.
+
+### NEXT_PUBLIC_API_URL (Optional)
+Override the default API URL. If not set, it will auto-detect based on environment:
+- Development: `http://localhost:3000`
+- Production: `https://api.flexile.com`
+- Preview: Auto-generated Heroku URL
 
 ## How it Works
 

frontend/env/client.ts

@@ -5,12 +5,20 @@ const env = {
   NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY: process.env.NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY,
   NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY: process.env.NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY,
   NEXT_PUBLIC_EQUITY_EXERCISE_DOCUSEAL_ID: process.env.NEXT_PUBLIC_EQUITY_EXERCISE_DOCUSEAL_ID,
+  NEXT_PUBLIC_API_URL: process.env.NEXT_PUBLIC_API_URL,
+  NEXT_PUBLIC_API_SECRET_TOKEN: process.env.NEXT_PUBLIC_API_SECRET_TOKEN,
+  VERCEL_ENV: process.env.VERCEL_ENV,
+  VERCEL_GIT_PULL_REQUEST_ID: process.env.VERCEL_GIT_PULL_REQUEST_ID,
 };
 
 export default z
   .object({
     NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY: z.string(),
     NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY: z.string(),
     NEXT_PUBLIC_EQUITY_EXERCISE_DOCUSEAL_ID: z.string(),
+    NEXT_PUBLIC_API_URL: z.string().optional(),
+    NEXT_PUBLIC_API_SECRET_TOKEN: z.string().optional(),
+    VERCEL_ENV: z.enum(["production", "preview", "development"]).optional(),
+    VERCEL_GIT_PULL_REQUEST_ID: z.string().optional(),
   })
   .parse(env);

frontend/lib/auth.ts

@@ -1,21 +1,27 @@
 import NextAuth from "next-auth"
 import Credentials from "next-auth/providers/credentials"
 import { z } from "zod"
-import env from "@/env"
+import clientEnv from "@/env/client"
 
 // Define the API base URL based on environment
 const API_BASE_URL = (() => {
-  switch (env.VERCEL_ENV) {
+  // If NEXT_PUBLIC_API_URL is set, use it
+  if (clientEnv.NEXT_PUBLIC_API_URL) {
+    return clientEnv.NEXT_PUBLIC_API_URL
+  }
+
+  // Otherwise, determine based on environment
+  switch (clientEnv.VERCEL_ENV) {
     case "production":
       return "https://api.flexile.com"
     case "preview":
-      return `https://flexile-pipeline-pr-${process.env.VERCEL_GIT_PULL_REQUEST_ID}.herokuapp.com`
+      return `https://flexile-pipeline-pr-${clientEnv.VERCEL_GIT_PULL_REQUEST_ID || 'unknown'}.herokuapp.com`
     default:
       return "http://localhost:3000"
   }
 })()
 
-const API_TOKEN = env.API_SECRET_TOKEN
+const API_TOKEN = clientEnv.NEXT_PUBLIC_API_SECRET_TOKEN || process.env.API_SECRET_TOKEN || "your-api-token"
 
 // Schema for OTP login
 const otpLoginSchema = z.object({
@@ -29,7 +35,7 @@ const sendOtpSchema = z.object({
 })
 
 export const { handlers, signIn, signOut, auth } = NextAuth({
-  secret: env.AUTH_SECRET,
+  secret: process.env.AUTH_SECRET || "fallback-secret-for-development",
   providers: [
     Credentials({
       id: "otp",
@@ -86,7 +92,7 @@ export const { handlers, signIn, signOut, auth } = NextAuth({
   ],
   callbacks: {
     async jwt({ token, user }) {
-      if (user) {
+      if (user && user.jwt) {
         token.jwt = user.jwt
       }
       return token