feat: integrate cms

packages/gatekeeper/src/app/api/whoami/route.ts

@@ -12,9 +12,11 @@ export async function GET(req: NextRequest) {
   }
 
   let identity = "Guest";
+  let company = null;
   try {
     const payload = JSON.parse(session.value);
     identity = payload.identity || "Guest";
+    company = payload.company || null;
   } catch (e) {
     // Old format probably just the password
   }
@@ -22,5 +24,6 @@ export async function GET(req: NextRequest) {
   return NextResponse.json({
     authenticated: true,
     identity: identity,
+    company: company,
   });
 }

packages/gatekeeper/src/app/login/page.tsx

@@ -29,6 +29,7 @@ export default async function LoginPage({ searchParams }: LoginPageProps) {
     const cookieDomain = process.env.COOKIE_DOMAIN;
 
     let userIdentity = "";
+    let userCompany: any = null;
 
     // 1. Check Global Admin (from ENV)
     if (
@@ -43,8 +44,40 @@ export default async function LoginPage({ searchParams }: LoginPageProps) {
     else if (!email && password === expectedCode) {
       userIdentity = "Guest";
     }
-    // 3. Check Directus if email is provided
-    if (email && password && process.env.DIRECTUS_URL) {
+    // 3. Check Lightweight Client Users (dedicated collection)
+    if (email && password && process.env.INFRA_DIRECTUS_URL) {
+      try {
+        const clientUsersRes = await fetch(
+          `${process.env.INFRA_DIRECTUS_URL}/items/client_users?filter[email][_eq]=${encodeURIComponent(
+            email
+          )}&fields=*,company.*`,
+          {
+            headers: {
+              Authorization: `Bearer ${process.env.INFRA_DIRECTUS_TOKEN}`,
+            },
+          }
+        );
+
+        if (clientUsersRes.ok) {
+          const { data: users } = await clientUsersRes.json();
+          const clientUser = users[0];
+
+          // ⚠️ NOTE: Plain text check for demo/dev, should use argon2 in production
+          if (clientUser && clientUser.password === password) {
+            userIdentity = clientUser.first_name || clientUser.email;
+            userCompany = {
+              id: clientUser.company?.id,
+              name: clientUser.company?.name,
+            };
+          }
+        }
+      } catch (e) {
+        console.error("Client User Auth Error:", e);
+      }
+    }
+
+    // 4. Fallback to Directus Staff Auth if still not identified
+    if (!userIdentity && email && password && process.env.DIRECTUS_URL) {
       try {
         const loginRes = await fetch(`${process.env.DIRECTUS_URL}/auth/login`, {
           method: "POST",
@@ -56,14 +89,21 @@ export default async function LoginPage({ searchParams }: LoginPageProps) {
           const { data } = await loginRes.json();
           const accessToken = data.access_token;
 
-          // Fetch user info to get a nice display name
-          const userRes = await fetch(`${process.env.DIRECTUS_URL}/users/me`, {
-            headers: { Authorization: `Bearer ${accessToken}` },
-          });
+          // Fetch user info with company depth
+          const userRes = await fetch(
+            `${process.env.DIRECTUS_URL}/users/me?fields=*,company.*`,
+            {
+              headers: { Authorization: `Bearer ${accessToken}` },
+            }
+          );
 
           if (userRes.ok) {
             const { data: user } = await userRes.json();
             userIdentity = user.first_name || user.email;
+            userCompany = {
+              id: user.company?.id,
+              name: user.company?.name,
+            };
           }
         }
       } catch (e) {
@@ -76,6 +116,7 @@ export default async function LoginPage({ searchParams }: LoginPageProps) {
       // Store identity in the cookie (simplified for now, ideally signed)
       const sessionValue = JSON.stringify({
         identity: userIdentity,
+        company: userCompany,
         timestamp: Date.now(),
       });