
fix(auth): add login validation, error handling, and fix ProtectedRoute bypass #63#126

Merged
abhishek-nexgen-dev merged 3 commits into
NexGenStudioDev:masterfrom
rajesh-puripanda:fix/login-authentication
Jun 1, 2026

Conversation

@rajesh-puripanda
Contributor

Problem

The login page (/) performed no authentication whatsoever:

  • Empty fields were accepted with no validation error
  • No API call, no token check, no session — nothing
  • ProtectedRoute used a hardcoded mock user (dashboardData.user with role "Admin"), making role-based access control completely meaningless
  • Anyone could access the full dashboard without credentials

Root Cause

  1. LoginPage had no client-side validation and no error feedback in the UI
  2. ProtectedRoute accepted a user prop that was hardcoded to dashboardData.user in OrgRoute.tsx — the auth store was never consulted
  3. AuthStore had the token field commented out and never persisted it

Changes

| File | Change |
| --- | --- |
| src/features/Auth/v1/Pages/LoginPage.tsx | Added validateFields() (email format regex + empty field checks), inline field errors, server error banner, loading/disabled button state, member role redirect |
| src/features/Auth/v1/Types/Auth.type.ts | Uncommented token in AuthState, updated setAuthData signature |
| src/features/Auth/v1/Store/Auth.Store.ts | setAuthData now accepts and stores token; clearAuthData clears it |
| src/features/Auth/v1/hooks/useAuth.ts | Passes response.token to setAuthData on successful login |
| src/routes/ProtectedRoute.tsx | Reads user from useAuthStore instead of accepting a prop (core security fix) |
| src/routes/OrgRoute.tsx | Removed hardcoded dashboardData.user prop and unused mock import |

Security Impact

  • Before: Anyone could navigate directly to /org/dashboard with zero authentication
  • After: ProtectedRoute reads from the zustand auth store; unauthenticated users are redirected to /; wrong roles go to /unauthorized
  • Client-side validation prevents empty form submissions
  • Server errors are surfaced in the UI instead of silently swallowed

Testing

  • tsc --noEmit passes with zero errors
  • Empty form submit shows validation errors
  • Invalid credentials show server error banner
  • Button shows loading state during API call
  • Authenticated org users reach dashboard; unauthenticated users are redirected to login

Closes #63
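The two mechanisms the description above relies on, the store-backed route guard and the login field validation, are easier to reason about as pure functions. The block below is an added example, not code from the NexGenStudioDev repository: it stands in for the zustand store with a plain closure and for the ProtectedRoute component with a decision function, so it runs without React. The names Role, AuthState, createAuthStore, guardRoute, validateFields and demo, the sample user and the token string are constructed for the example. One thing the PR text does not spell out and a reviewer would want stated: a client-side route guard only controls what the SPA renders; every API endpoint behind /org/dashboard still has to verify the token and the role on the server, or the bypass simply moves one layer down.

```typescript
// Added example (not the project's code): the decision logic the PR describes,
// written as pure functions so it runs without React or zustand.
// Role, AuthState, createAuthStore, guardRoute, validateFields and demo are
// assumed names, not identifiers from the repository.

type Role = "Admin" | "Member";

interface AuthUser {
  id: string;
  email: string;
  role: Role;
}

// Store shape after the fix: token is a real field rather than a commented-out one.
interface AuthState {
  user: AuthUser | null;
  token: string | null;
}

// Minimal stand-in for the zustand store with the two actions the PR names.
export function createAuthStore() {
  let state: AuthState = { user: null, token: null };
  return {
    getState: (): AuthState => state,
    setAuthData: (user: AuthUser, token: string): void => {
      state = { user, token };
    },
    clearAuthData: (): void => {
      state = { user: null, token: null };
    },
  };
}

type GuardDecision =
  | { kind: "allow"; user: AuthUser }
  | { kind: "redirect"; to: "/" | "/unauthorized" };

// What a ProtectedRoute decides from store state. Nothing is taken from props,
// so a caller cannot hand in a mock user the way OrgRoute.tsx used to.
export function guardRoute(state: AuthState, allowedRoles: readonly Role[]): GuardDecision {
  // No user or no usable token: treat as unauthenticated and send to the login page.
  if (state.user === null || state.token === null || state.token.trim() === "") {
    return { kind: "redirect", to: "/" };
  }
  const role = state.user.role;
  // Authenticated, but this route is not open to the user's role.
  if (!allowedRoles.some((r) => r === role)) {
    return { kind: "redirect", to: "/unauthorized" };
  }
  return { kind: "allow", user: state.user };
}

export interface FieldErrors {
  email?: string;
  password?: string;
}

// Deliberately simple format check: one "@", no whitespace, a dot in the domain part.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Client-side checks for the login form. They stop empty submissions and give
// inline feedback; the server still authenticates the credentials.
export function validateFields(email: string, password: string): FieldErrors {
  const errors: FieldErrors = {};
  const trimmedEmail = email.trim();
  if (trimmedEmail === "") {
    errors.email = "Email is required";
  } else if (!EMAIL_RE.test(trimmedEmail)) {
    errors.email = "Enter a valid email address";
  }
  if (password === "") {
    errors.password = "Password is required";
  }
  return errors;
}

// Walk through the before/after the PR describes with a constructed user and token.
export function demo(): string[] {
  const store = createAuthStore();
  const log: string[] = [];
  log.push(`empty store -> ${JSON.stringify(guardRoute(store.getState(), ["Admin"]))}`);
  store.setAuthData({ id: "u-1", email: "member@example.test", role: "Member" }, "constructed-jwt");
  log.push(`member on admin route -> ${JSON.stringify(guardRoute(store.getState(), ["Admin"]))}`);
  log.push(`member on member route -> ${guardRoute(store.getState(), ["Member"]).kind}`);
  store.clearAuthData();
  log.push(`after logout -> ${JSON.stringify(guardRoute(store.getState(), ["Member"]))}`);
  return log;
}

console.log(demo().join("\n"));
console.log(validateFields("", ""), validateFields("not-an-email", "pw"));
```

In a real ProtectedRoute the component would call guardRoute with useAuthStore's current state and render either the children or a Navigate element for the redirect target; keeping the decision in a pure function makes that branch unit-testable without rendering anything.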

…te bypass

- Add client-side validation (empty fields, email format) to LoginPage
- Show inline field errors and server error banner in login UI
- Disable Sign In button and show loading state during API call
- Store JWT token in AuthStore on successful login
- Fix ProtectedRoute to read user from auth store instead of hardcoded mock
- Remove hardcoded dashboardData.user prop from OrgRoute
- Add member role redirect to /member/dashboard

Closes NexGenStudioDev#63

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request introduces client-side validation, server error handling, and a loading state to the login page, while also integrating authentication token management into the Zustand store. Additionally, ProtectedRoute has been refactored to retrieve the authenticated user directly from the store rather than receiving it as a prop. Feedback on these changes suggests wrapping the new validateFields function in useCallback and adding it to the dependency array of handleLogin to ensure correct hook memoization.

rajesh-puripanda and others added 2 commits May 31, 2026 02:04
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
@abhishek-nexgen-dev abhishek-nexgen-dev merged commit 3e78b77 into NexGenStudioDev:master Jun 1, 2026
2 checks passed
@rajesh-puripanda
Contributor Author

Hi @abhishek-nexgen-dev,

Thank you for merging the fix for the authentication bypass issue (#63 / #126).

As this work was completed as part of GSSoC, could you please help add the appropriate GSSoC label to the PR? Please let me know if there is anything else needed from my side to ensure the contribution is correctly tracked.

Thanks again!



Development

Successfully merging this pull request may close these issues.

🐛 [Bug] Login page has no authentication — Sign In bypasses credentials entirely

2 participants