--- status: complete phase: 08-social-sign-in source: - 08-01-SUMMARY.md - 08-02-SUMMARY.md - 08-03-SUMMARY.md - 08-04-SUMMARY.md - 08-05-SUMMARY.md started: 2026-05-15T19:29:29Z updated: 2026-05-15T19:46:05Z --- ## Current Test [testing complete] ## Tests ### 1. Cold Start Smoke Test expected: Kill any running backend process. From `backend/`, start the app with `just dev`. Postgres and MinIO start, generation completes, migrations apply, and the web server comes up on `http://localhost:8080` without startup errors. Loading the login page returns the Xtablo auth UI. result: pass ### 2. Auth Pages Show Provider Controls expected: Visiting `/login` and `/signup` shows the Google provider control above the email/password form, followed by an `or` separator. When Google env vars are missing, the Google control is visible but disabled and non-clickable. When Google env vars are configured, the control links to `/auth/google/start`. Apple sign-in controls are not shown. result: pass ### 3. Google Sign-in Flow expected: With Google OAuth env vars configured, clicking `Continue with Google` starts Google sign-in. After completing the provider flow, Xtablo creates or links the local account, issues the normal server-managed session cookie, and redirects to `/` as a signed-in user. result: pass ### 4. Apple Sign-in Disabled expected: Apple sign-in is not shown on `/login` or `/signup`. There is no `Continue with Apple` button, no Apple disabled-state copy, and no link to `/auth/apple/start`. Direct requests to `/auth/apple/start` and `/auth/apple/callback` return 404. result: pass ### 5. Existing Email/Password Auth Still Works expected: Email/password signup, login, logout, CSRF validation, and rate-limited invalid login behavior still work as before. Social sign-in controls do not submit or break the email/password form. result: pass ### 6. Social-only Account Guardrails expected: For an email that already belongs to a social-only user, password signup shows `An account already exists for this email. Sign in with your provider.` Password login does not reveal provider details and fails with the normal invalid-credentials behavior. result: pass ### 7. Linked Providers View expected: `/account/providers` requires authentication. When signed in, it shows `Linked providers` with a Google row. The row shows `Connected` with the stored provider email when linked, or `Not connected` when no Google identity is linked. No Apple row, unlink action, or add-password action is shown. result: pass ## Summary total: 7 passed: 7 issues: 0 pending: 0 skipped: 0 blocked: 0 ## Gaps [none yet]