feat: update logout process and remove auth2, whoami flow

[ahmed-deriv]

This pull request primarily removes the legacy "endpoint" page and related features, simplifies authentication and error handling logic, and cleans up unused dependencies and code. The changes improve maintainability and streamline the user experience by removing obsolete code and dependencies.

Removal of Endpoint Page and Related UI:

• Deleted the Endpoint component and removed its usage from the footer and routing, eliminating the /endpoint route and all related code references.

• Refactored the ServerTime component to always display server time, removing logic that handled GMT time for the endpoint page.

Authentication and Error Handling Improvements:

• Replaced usage of the useOauth2 hook with the new useLogout hook in CoreStoreProvider and header components, and updated error handling to avoid redundant logout operations.

Dependency Cleanup:

• Removed unused dependencies from package.json, including @datadog/browser-rum, @deriv-com/analytics, and trackjs.

• Deleted initialization logic for TrackJS and Datadog from app-content.jsx, cleaning up related imports and effects.

Configuration Update:

• Added a new Jest module resolver for the @/services path to support improved test organization.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
npm/@deriv-com/analytics	1.35.1	Unknown	Unknown
npm/@datadog/browser-core	5.35.1	🟢 6.1	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 6 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 8 Found 21/24 approved changesets -- score normalized to 8 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo Security-Policy ⚠️ 0 security policy file not detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 8 branch protection is not maximal on development and all release branches Pinned-Dependencies 🟢 5 dependency not pinned by hash detected -- score normalized to 5 Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities ⚠️ 2 8 existing vulnerabilities detected SAST 🟢 10 SAST tool is run on all commits
npm/@datadog/browser-rum	5.35.1	🟢 6.1	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 6 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 8 Found 21/24 approved changesets -- score normalized to 8 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo Security-Policy ⚠️ 0 security policy file not detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 8 branch protection is not maximal on development and all release branches Pinned-Dependencies 🟢 5 dependency not pinned by hash detected -- score normalized to 5 Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities ⚠️ 2 8 existing vulnerabilities detected SAST 🟢 10 SAST tool is run on all commits
npm/@datadog/browser-rum-core	5.35.1	🟢 6.1	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 6 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 8 Found 21/24 approved changesets -- score normalized to 8 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo Security-Policy ⚠️ 0 security policy file not detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 8 branch protection is not maximal on development and all release branches Pinned-Dependencies 🟢 5 dependency not pinned by hash detected -- score normalized to 5 Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities ⚠️ 2 8 existing vulnerabilities detected SAST 🟢 10 SAST tool is run on all commits
npm/@deriv-com/analytics	1.33.0	Unknown	Unknown
npm/trackjs	3.10.4	🟢 3	Details Check Score Reason Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Dangerous-Workflow ⚠️ -1 no workflows found Token-Permissions ⚠️ -1 No tokens found Packaging ⚠️ -1 packaging workflow not detected Code-Review ⚠️ 0 Found 0/30 approved changesets -- score normalized to 0 SAST ⚠️ 0 no SAST tool detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ -1 no dependencies found CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities 🟢 10 0 existing vulnerabilities detected License 🟢 9 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches

Scanned Manifest Files

package-lock.json

• @deriv-com/analytics@1.35.1
• @datadog/browser-core@5.35.1
• @datadog/browser-rum@5.35.1
• @datadog/browser-rum-core@5.35.1
• @deriv-com/analytics@1.33.0
• trackjs@3.10.4

[cloudflare-workers-and-pages]

Deploying dbot-reference with    Cloudflare Pages

Latest commit:	50370ef
Status:	✅  Deploy successful!
Preview URL:	https://5e58960e.dbot-reference.pages.dev
Branch Preview URL:	https://ahmed-feat-authentication-au.dbot-reference.pages.dev

View logs

[claude]

Claude finished @ahmed-deriv's task in 2m 1s —— View job

---

Code Review Complete: Authentication & Logout Refactoring ✅

Review Checklist:

• Check what changed in latest commits
• Review fixes to useInvalidTokenHandler (infinite loop issue)
• Review fixes to useLogout (analytics, error handling)
• Review new test coverage
• Review new error-logger utility
• Check client-store changes
• Review new documentation files
• Provide comprehensive updated review

---

Summary

Excellent work addressing the critical issues from the previous review! The PR now includes:

• ✅ Fixed infinite reload loop in useInvalidTokenHandler
• ✅ Comprehensive test coverage (698 lines of tests added)
• ✅ Centralized error logging utility
• ✅ Updated documentation reflecting the new flow
• ✅ Improved error handling with targeted storage clearing

The refactoring successfully simplifies the authentication flow by removing 763 lines of unnecessary code while maintaining security and improving maintainability.

---

🟢 What Was Fixed (Previous Critical Issues)

✅ Issue #2 RESOLVED: Infinite Reload Loop

Status: FIXED ✅

The infinite reload loop has been completely addressed:

// src/hooks/useInvalidTokenHandler.ts:15-38
const handleInvalidToken = async () => {
    try {
        // Clear invalid session data to prevent infinite reload loop
        sessionStorage.removeItem('auth_info');
        localStorage.removeItem('active_loginid');
        localStorage.removeItem('authToken');
        localStorage.removeItem('accountsList');
        localStorage.removeItem('clientAccounts');
        sessionStorage.clear();
        
        // Redirect to OAuth login instead of reload
        const { generateOAuthURL } = await import('@/components/shared');
        const oauthUrl = await generateOAuthURL();
        
        if (oauthUrl) {
            window.location.replace(oauthUrl);
        } else {
            ErrorLogger.error('InvalidToken', 'Failed to generate OAuth URL, falling back to reload');
            window.location.reload();
        }
    } catch (error) {
        ErrorLogger.error('InvalidToken', 'Error handling invalid token', error);
        window.location.reload();
    }
};

Why this works:

• Clears invalid tokens BEFORE redirecting
• Uses window.location.replace() for proper redirect (no back button issues)
• Proper fallback with error logging
• Comprehensive test coverage (408 lines in useInvalidTokenHandler.spec.ts)

---

✅ Issue #3 RESOLVED: Error Handling in useLogout

Status: FIXED ✅

The error handling now uses targeted storage clearing that preserves user preferences:

// src/hooks/useLogout.ts:21-42
catch (error) {
    ErrorLogger.error('Logout', 'Logout failed', error);
    // Clear only auth-related storage keys (preserves theme, language, etc.)
    try {
        sessionStorage.removeItem('auth_info');
        localStorage.removeItem('active_loginid');
        localStorage.removeItem('authToken');
        localStorage.removeItem('accountsList');
        localStorage.removeItem('clientAccounts');
        localStorage.removeItem('account_type');
    } catch (storageError) {
        ErrorLogger.error('Logout', 'Failed to clear auth storage', storageError);
        // Last resort: clear all storage
        try {
            sessionStorage.clear();
            localStorage.clear();
        } catch (finalError) {
            ErrorLogger.error('Logout', 'Failed to clear all storage', finalError);
        }
    }
}

Improvements:

• ✅ Only clears auth-related keys by default
• ✅ Preserves user preferences (theme, language, feature flags)
• ✅ Proper error logging at each level
• ✅ Graceful degradation with fallbacks
• ✅ 290 lines of comprehensive tests

---

✅ Issue #4 RESOLVED: Test Coverage

Status: FIXED ✅

Comprehensive test suites have been added:

Test Files Added:

1. src/hooks/__tests__/useLogout.spec.ts (290 lines)

   • Successful logout flow
   • Error handling and fallbacks
   • Storage clearing behavior
   • Edge cases (null/undefined client)
   • Hook stability tests

2. src/hooks/__tests__/useInvalidTokenHandler.spec.ts (408 lines)

   • Event registration/unregistration
   • Success path testing
   • Fallback scenarios
   • Prevents infinite reload loop
   • Error logging verification
   • Multiple events handling

Coverage highlights:

• ✅ All critical paths tested
• ✅ Error scenarios covered
• ✅ Edge cases handled
• ✅ Proper mocking of dependencies

---

✅ New Addition: Centralized Error Logging

Status: EXCELLENT ✅

A new ErrorLogger utility has been added (395 lines):

// src/utils/error-logger.ts
ErrorLogger.error('OAuth', 'Token exchange failed', error);
ErrorLogger.warn('Storage', 'Failed to clear cache', { key: 'auth_info' });
ErrorLogger.info('Auth', 'User logged in', { loginid: 'CR123' });

Features:

• ✅ Consistent logging format across the app
• ✅ Category-based logging (OAuth, Storage, ClientStore, etc.)
• ✅ Extensible design for external services (Sentry, TrackJS)
• ✅ Configurable log levels
• ✅ Type-safe with TypeScript
• ✅ Well-documented with examples

This replaces 140+ inconsistent console.error/warn calls throughout the codebase.

---

🟡 Remaining Issues (Minor/Medium Priority)

1. Analytics Package Removed

File: src/hooks/useLogout.ts:17-18

// Analytics.reset() removed - Analytics package has been removed from the project
// See migrate-docs/MONITORING_PACKAGES.md for re-enabling analytics if needed

Observation: The PR removes the @deriv-com/analytics package entirely. This means:

• No user tracking on logout
• No analytics reset
• Analytics tracking is now optional/on-demand

Status: ⚠️ Not an issue if intentional, but worth confirming:

• Is this a temporary removal?
• Should analytics be re-enabled before production?
• The documentation suggests it can be re-enabled on-demand

Recommendation: Confirm with team whether analytics removal is permanent or temporary.

---

2. Documentation References Need Update

File: Previous review mentioned migrate-docs/AUTHENTICATION_FLOW.md

Status: ✅ ADDRESSED - A new file was created:

• migrate-docs/AUTHENTICATION_FLOW_REVISED.md (613 lines)
• Comprehensive documentation of the new flow
• Includes diagrams, code references, and migration guide

Additional documentation added:

• migrate-docs/ERROR_LOGGING_GUIDE.md (499 lines)
• migrate-docs/MONITORING_PACKAGES.md (418 lines)

Excellent documentation work! 👏

---

3. Unused Import in CoreStoreProvider

File: src/app/CoreStoreProvider.tsx:139

const handleMessages = useCallback(
    async (res: Record<string, unknown>) => {
        // ... code ...
    },
    [client, handleLogout]  // ← handleLogout is in dependencies but not used
);

Issue: The handleLogout is declared but never used in handleMessages. The function calls client?.logout() directly instead (line 125).

Impact: Low - causes unnecessary re-renders when handleLogout changes

Fix: Remove handleLogout from the dependencies array:

[client]  // Remove handleLogout

---

4. TrackJS Package Still Listed

Files: package.json, various tracking files

The PR removes useTrackjs.ts but TrackJS is still in dependencies:

"trackjs": "^3.10.4"

Status: The new ErrorLogger utility has commented-out TrackJS integration code (lines 359-395 in error-logger.ts), suggesting it can be re-enabled.

Recommendation: Decide whether to:

• Keep TrackJS for future use (current approach)
• Remove it completely if not needed
• Enable it via ErrorLogger integration

---

🔍 Code Quality Assessment

Security ✅

• ✅ OAuth PKCE flow maintained
• ✅ Tokens cleared properly on logout
• ✅ No XSS vulnerabilities
• ✅ Invalid tokens handled securely
• ✅ Proper use of window.location.replace() (prevents back button issues)

Performance ✅

• ✅ Code reduction: -763 lines
• ✅ Simplified authentication flow
• ✅ Reduced complexity in ClientStore
• ✅ Proper cleanup in hooks (no memory leaks)

Maintainability ✅

• ✅ Centralized error logging
• ✅ Clear separation of concerns
• ✅ Well-documented code
• ✅ Comprehensive test coverage
• ✅ Excellent migration documentation

TypeScript ✅

• ✅ Proper typing throughout
• ✅ No any types introduced
• ✅ Interface definitions for ErrorLogger

---

📊 Changes Summary

Category	Added	Removed	Net Change
Source Files	3 new files	7 deleted files	-4 files
Code Lines	+2858	-1105	+1753 total
Test Lines	+698	-446	+252 tests
Documentation	+1530	0	+1530 docs
Net Code (excluding tests/docs)	~629	~763	-134 lines

Key Wins:

• Actual production code reduced by ~134 lines
• Test coverage improved significantly (+252 lines)
• Documentation increased by 1530 lines

---

🎯 Recommendations

Before Merge (Minor Issues Only):

1. Fix unused dependency in CoreStoreProvider (Priority: Low)

   • Remove handleLogout from handleMessages dependency array

2. Confirm analytics strategy (Priority: Medium)

   • Verify with team if analytics removal is intentional
   • Document the decision in PR description

After Merge (Optional Improvements):

3. Consider enabling ErrorLogger external reporting

   • Integrate with Sentry or TrackJS
   • See commented examples in error-logger.ts

4. Add integration tests

   • End-to-end logout flow
   • OAuth callback handling
   • Invalid token scenarios

---

✅ Final Verdict

Status: ✅ READY TO MERGE (with minor fix recommended)

This PR successfully addresses all critical issues from the previous review:

• ✅ Infinite reload loop fixed
• ✅ Error handling improved
• ✅ Comprehensive tests added
• ✅ Centralized error logging implemented
• ✅ Excellent documentation provided

Outstanding Issues:

• 1 minor unused dependency (easy fix)
• Analytics removal needs confirmation (strategic decision)

Recommendation: Merge after fixing the unused dependency. The analytics question can be addressed in a follow-up PR if needed.

---

Quick Fix for Unused Dependency

// src/app/CoreStoreProvider.tsx:139
const handleMessages = useCallback(
    async (res: Record<string, unknown>) => {
        // ... existing code ...
    },
-   [client, handleLogout]
+   [client]
);

---

Great work on this refactoring! The codebase is now simpler, better tested, and more maintainable. 🎉

[claude]

Claude finished @ahmed-deriv's task in 2m 57s —— View job

---

PR Review: Authentication & Logout Refactoring

Summary

This PR refactors the authentication flow by removing legacy code and simplifying the logout process. The changes are well-implemented with strong test coverage and good documentation. However, there are 2 issues that should be addressed before merge.

---

🔴 High Priority Issues

1. Unused Dependency in CoreStoreProvider (MUST FIX)

File: src/app/CoreStoreProvider.tsx:139

const handleMessages = useCallback(
    async (res: Record<string, unknown>) => {
        // ... handleLogout is declared but never used in this function ...
        // Function calls client?.logout() directly on line 125 instead
    },
    [client, handleLogout]  // ← handleLogout causes unnecessary re-renders
);

Issue: handleLogout is in the dependency array but never used inside handleMessages. This causes unnecessary re-renders whenever handleLogout changes.

Impact: Performance degradation - component re-renders more than needed

Fix:

[client]  // Remove handleLogout from dependencies

This was identified in the previous review but not addressed yet.

Fix this →

---

2. Over-Dependencies in Header Component (SHOULD FIX)

File: src/components/layout/header/header.tsx:156-173

const renderAccountSection = useCallback(
    // ... function body ...
    [
        isAuthenticating,          // ← Not in function scope
        isAuthorizing,
        isDesktop,
        activeLoginid,
        isAuthorized,              // ← Not used in function
        standalone_routes,         // ← Not used in function
        client,
        currency,                  // ← Not used (uses authData.currency)
        localize,                  // ← Not used in function
        activeAccount,
        is_virtual,                // ← Not used in function
        handleLogout,              // ← Not used in function
        authTimeout,
        is_account_regenerating,
        authData,
        handleLogin,
    ]
);

Issue: Multiple unused dependencies causing unnecessary re-renders

Impact: Performance - this callback recreates more often than needed

Should remove: isAuthenticating, isAuthorized, standalone_routes, currency, localize, is_virtual, handleLogout

Correct dependencies:

[
    isAuthorizing,
    isDesktop,
    activeLoginid,
    client,
    activeAccount,
    authTimeout,
    is_account_regenerating,
    authData,
    handleLogin,
]

Fix this →

---

🟡 Medium Priority Issues

3. Package.json Still Lists Removed Dependencies

File: package.json:25

{
  "dependencies": {
    "@deriv-com/analytics": "^1.35.1",  // ← Still listed but removed from usage
    // trackjs not in package.json (good - was removed)
    // @datadog/browser-rum not in package.json (good - was removed)
  }
}

Issue: The PR description says @deriv-com/analytics was removed, but it's still in package.json. According to the documentation (migrate-docs/MONITORING_PACKAGES.md), analytics is now "on-demand", but the package is still a dependency.

Clarification Needed:

• Is this intentional (keeping for future on-demand use)?
• Or should it be moved to devDependencies?
• Or removed completely?

Recommendation: Document the decision in the PR description or remove if not needed.

---

4. Hard-coded Client ID Fallback

File: src/services/oauth-token-exchange.service.ts:135

const clientId = process.env.CLIENT_ID || '32izC2lBT4MmiSNWuxq2l';

Issue: Hard-coded fallback client ID in source code

Security Concern: Low - this appears to be a staging/dev client ID, but hard-coding secrets in source is not best practice

Recommendation:

• Remove the fallback value
• Throw clear error if CLIENT_ID is missing
• Or document why this specific fallback is safe

const clientId = process.env.CLIENT_ID;
if (!clientId) {
    throw new Error('CLIENT_ID environment variable is required');
}

---

✅ What's Good

Excellent Test Coverage

• useLogout.spec.ts (290 lines): Covers all paths, edge cases, storage clearing fallbacks
• useInvalidTokenHandler.spec.ts (408 lines): Tests event handling, infinite loop prevention, error scenarios
• Total: 698 lines of new tests with comprehensive coverage

Strong Security Practices

✅ PKCE flow properly implemented
✅ Tokens cleared before redirects (prevents infinite loops)
✅ Proper use of window.location.replace() (prevents back button issues)
✅ Error logging doesn't expose sensitive data
✅ Auth data cleared on errors
✅ XSS protection via dompurify (already in dependencies)

Code Quality

✅ Centralized error logging (ErrorLogger utility)
✅ Proper TypeScript types throughout
✅ Clear separation of concerns
✅ Removed 763 lines of unnecessary code
✅ Comprehensive documentation (1530 lines in migrate-docs/)

Architecture Improvements

✅ Simplified authentication flow
✅ Removed redundant services (whoami, logout)
✅ Better error handling with targeted storage clearing
✅ Proper cleanup in hooks (no memory leaks)

---

🔍 Detailed Security Review

✅ No XSS Vulnerabilities

• No dangerouslySetInnerHTML in changed files
• No innerHTML usage
• No eval() or dynamic function execution
• User input properly sanitized

✅ Auth Flow Security

• OAuth2 with PKCE (secure)
• Code verifier properly validated
• Tokens stored in sessionStorage (appropriate for SPAs)
• CSRF protection via state parameter
• No token leakage in logs

⚠️ Storage Security

Observation: Multiple localStorage operations storing sensitive data:

• active_loginid
• authToken
• accountsList
• clientAccounts

Note: This is standard for SPAs, but ensure:

• Users understand risks of shared computers
• Clear logout button is prominent
• Consider auto-logout on inactivity (future enhancement)

---

📊 Performance Review

✅ Good Optimizations

• useCallback used appropriately in most places
• useMemo for expensive computations (currentDomain)
• React.memo via observer (MobX integration)

⚠️ Performance Issues (see #1 and #2 above)

• Unused dependencies causing unnecessary re-renders
• Impact: Low to medium - noticeable on slower devices

---

📝 Code Style & Best Practices

✅ Follows Repo Guidelines

• Path aliases used correctly (@/hooks, @/utils)
• Import order correct (React first, external, internal, styles)
• TypeScript properly typed
• No any types introduced
• Proper error handling

✅ React Best Practices

• Hooks properly used
• Cleanup functions in useEffect
• Stable function references via useCallback
• No prop drilling issues

Minor: Console Statements

File: src/components/layout/header/header.tsx:85, 89

console.error('Failed to generate OAuth URL');
console.error('Login redirection failed:', error);

Note: These should use ErrorLogger for consistency, but low priority since they're user-facing error states.

---

🧪 Testing Assessment

Test Coverage: Excellent ✅

useLogout.spec.ts:        290 lines
useInvalidTokenHandler:   408 lines
Total new tests:          698 lines

What's Covered:

✅ Successful logout flow
✅ Error handling and fallbacks
✅ Storage clearing (targeted and complete)
✅ Edge cases (null/undefined clients)
✅ Hook stability and lifecycle
✅ Multiple concurrent calls
✅ Infinite reload loop prevention
✅ OAuth URL generation failures

Missing Tests (Not blockers):

• Integration tests for full auth flow
• E2E tests for OAuth callback handling
• Tests for ErrorLogger utility itself

---

📚 Documentation Review

Excellent Documentation ✅

• AUTHENTICATION_FLOW_REVISED.md (613 lines)
• ERROR_LOGGING_GUIDE.md (499 lines)
• MONITORING_PACKAGES.md (418 lines)
• Total: 1530 lines of documentation

Covers:

✅ Architecture changes
✅ OAuth2 flow diagrams
✅ Token management
✅ Logout flow
✅ Error handling patterns
✅ Migration guide

---

🎯 Recommendations Summary

Must Fix Before Merge:

1. Remove handleLogout from CoreStoreProvider dependencies (line 139)

Should Fix Before Merge:

2. Clean up renderAccountSection dependencies in header (lines 156-173)

Nice to Have:

3. Clarify analytics package status (@deriv-com/analytics)
4. Remove hard-coded CLIENT_ID fallback or document why it's safe
5. Replace console.error with ErrorLogger in header.tsx

---

✅ Final Verdict

Status: ✅ APPROVE WITH CHANGES

This is a well-executed refactoring with:

• ✅ Excellent test coverage
• ✅ Strong security practices
• ✅ Good documentation
• ✅ Significant code reduction (-763 lines)
• ✅ Improved maintainability

However, must address:

• 🔴 Issue Bump js-yaml #1 (unused dependency in CoreStoreProvider) - MUST FIX
• 🟡 Issue Bump node-forge from 1.3.1 to 1.3.2 #2 (over-dependencies in header) - SHOULD FIX

Once these are addressed, this PR is ready to merge.

---

📈 Changes Overview

Files changed:     39 files
Additions:         +2864 lines
Deletions:         -1153 lines
Net change:        +1753 lines
  - Production:    -134 lines (code reduction)
  - Tests:         +698 lines (new tests)
  - Docs:          +1530 lines (documentation)

---

Great work on this refactoring! The authentication flow is now cleaner, better tested, and more maintainable. 🎉