feat: enforce server-side authentication for all protected features (#835)

* feat: enforce server-side authentication for all protected features

Secured job board, resume translator, and LMS with server-side authentication
to ensure only Vets Who Code organization members can access protected content
in production.

Changes:
- Converted 8 pages from GetStaticProps to GetServerSideProps with auth checks
- Added server-side session validation using getServerSession
- Removed client-side auth checks and localStorage dev-session fallbacks
- All protected routes now redirect to /login if unauthenticated
- Dev login remains functional in development mode only

Protected features:
- Resume Translator (/resume-translator)
- Course Catalog (/courses)
- All Course Pages (software-engineering, data-engineering, ai-engineering, web-development, devops)
- Lesson Player (/courses/web-development/[moduleId]/[lessonId])
- Job Board (already had protection)

Security:
- Authentication enforced at server-side before page render
- Cannot be bypassed with browser DevTools or localStorage manipulation
- GitHub org membership verified during login via GitHub API
- Dev tools completely disabled in production (NODE_ENV check)

Documentation:
- Added SECURITY_VERIFICATION.md with complete security audit
- Added Playwright tests for authentication protection
- Tests verify redirects and bypass prevention

* feat: add server-side authentication to profile page

Secured profile page with server-side authentication to ensure only
authenticated Vets Who Code organization members can access it.

Changes:
- Converted from GetStaticProps to GetServerSideProps with auth check
- Added server-side session validation using getServerSession
- Removed client-side dev-session localStorage fallback logic
- Removed all devSession-related code and UI badges
- Simplified component to use user prop from server-side auth
- Profile now redirects to /login if unauthenticated

Security:
- Authentication enforced at server-side before page render
- Cannot be bypassed with browser DevTools or localStorage manipulation
- Consistent with other protected pages (courses, jobs, resume-translator)

* fix: resolve Playwright test issues in auth protection suite

- Removed localStorage clearing from beforeEach hook to prevent security errors
- Updated callback URL assertions to accept both encoded and non-encoded formats
- All 17 security tests now passing successfully

Test results:
- Protected routes properly redirect to login (9 tests)
- Dev login blocked in production (2 tests)
- Client-side bypass prevention working (2 tests)
- Public routes accessible (4 tests)

* fix: resolve NextAuth NO_SECRET error in Playwright tests

- Load .env.local explicitly in Playwright config
- Pass NEXTAUTH_SECRET to webServer environment
- Prevents NO_SECRET error when running production build for tests

* fix: remove conditional logic from Playwright tests for consistent CI behavior

- Playwright webServer always runs in production mode (npm run build && npm run start)
- Removed NODE_ENV checks that caused CI failures
- Tests now always expect production behavior (redirect to homepage, 403 responses)
- All 17 tests passing consistently in both local and CI environments

Author: jeromehardaway

SECURITY_VERIFICATION.md

@@ -0,0 +1,178 @@
+# Security Verification Report
+
+## Protected Features - Production Security
+
+This document verifies that all protected features are properly secured in production and cannot be accessed without proper authentication.
+
+---
+
+## ✅ Security Measures in Place
+
+### 1. **Server-Side Authentication (GetServerSideProps)**
+
+All protected pages use `GetServerSideProps` which runs on the server **before** the page is rendered. This means:
+- Authentication is checked on the server, not the client
+- Users cannot bypass checks by manipulating browser JavaScript
+- Unauthenticated users are redirected before any protected content loads
+
+**Protected Pages:**
+- `/resume-translator` - Line 140
+- `/courses` - Line 262
+- `/courses/software-engineering` - Line 302
+- `/courses/data-engineering` - Line 302
+- `/courses/ai-engineering` - Line 302
+- `/courses/web-development` - Line 421
+- `/courses/devops` - Line 420
+- `/courses/web-development/[moduleId]/[lessonId]` - Line 419
+- `/jobs` - Line 347 (already had it)
+
+### 2. **GitHub Organization Membership Verification**
+
+**File:** `src/pages/api/auth/options.ts` (Lines 56-96)
+
+In production, the login flow:
+1. User signs in with GitHub OAuth
+2. System checks if user is in "Vets-Who-Code" GitHub org via API call
+3. HTTP 204 response = member, allowed to proceed
+4. Any other response = denied access
+
+**Exception:** Only `jeromehardaway` can login as admin regardless of org membership (Line 52)
+
+**Development:** All GitHub users can login for testing (Line 47)
+
+### 3. **Dev Login Protection**
+
+**File:** `src/pages/dev-login.tsx` (Lines 91-100)
+
+```typescript
+if (process.env.NODE_ENV !== "development") {
+    return {
+        redirect: {
+            destination: "/",
+            permanent: false,
+        },
+    };
+}
+```
+
+- In production, `/dev-login` redirects to homepage
+- Dev login button is hidden in production (conditional rendering)
+- Dev session API endpoint returns 403 in production
+
+**File:** `src/pages/api/auth/dev-session.ts` (Lines 10-12)
+
+```typescript
+if (process.env.NODE_ENV !== 'development') {
+    return res.status(403).json({ error: 'Not available in production' });
+}
+```
+
+---
+
+## 🔒 Security Verification Checklist
+
+### Client-Side Bypasses - PREVENTED ✅
+
+- ❌ **Cannot** bypass auth by manipulating localStorage
+  - *Why:* All auth checks happen server-side via `getServerSession()`
+  - *Old approach removed:* No longer checking `localStorage.getItem("dev-session")`
+
+- ❌ **Cannot** bypass auth by manipulating browser DevTools
+  - *Why:* Server-side rendering checks auth before sending HTML
+
+- ❌ **Cannot** access `/dev-login` in production
+  - *Why:* `GetServerSideProps` redirects to "/" in production
+
+### Server-Side Bypasses - PREVENTED ✅
+
+- ❌ **Cannot** access dev-session API in production
+  - *Why:* Returns 403 if `NODE_ENV !== 'development'`
+
+- ❌ **Cannot** forge NextAuth session
+  - *Why:* Sessions are validated against database and signed with secret
+
+- ❌ **Cannot** access protected pages without GitHub org membership
+  - *Why:* Org membership verified during login via GitHub API
+
+### Environment-Based Security ✅
+
+**Development Mode (`NODE_ENV=development`):**
+- ✅ Dev login accessible for testing
+- ✅ All GitHub users can login
+- ✅ Dev-session API works
+- ✅ localStorage dev-session (legacy, not used on protected pages)
+
+**Production Mode (`NODE_ENV=production`):**
+- ✅ Dev login redirects to homepage
+- ✅ Only Vets-Who-Code org members + jeromehardaway can login
+- ✅ Dev-session API returns 403
+- ✅ All protected pages require valid NextAuth session
+
+---
+
+## 🧪 How to Verify (Manual Testing)
+
+### Test 1: Dev Login in Production
+1. Set `NODE_ENV=production`
+2. Build: `npm run build`
+3. Start: `npm start`
+4. Navigate to `/dev-login`
+5. **Expected:** Redirect to homepage
+
+### Test 2: Protected Pages Without Auth
+1. Open browser in incognito mode
+2. Navigate to `/resume-translator`
+3. **Expected:** Redirect to `/login?callbackUrl=/resume-translator`
+4. Try `/courses`
+5. **Expected:** Redirect to `/login?callbackUrl=/courses`
+
+### Test 3: Dev Session API in Production
+1. Set `NODE_ENV=production`
+2. Make POST request to `/api/auth/dev-session`
+3. **Expected:** `403 Forbidden` with error message
+
+### Test 4: Non-Org Member Login Attempt
+1. Set `NODE_ENV=production`
+2. Login with GitHub user NOT in Vets-Who-Code org
+3. **Expected:** Login denied, redirected back
+
+---
+
+## 🔐 Environment Variables Required
+
+```bash
+# Required for production security
+GITHUB_ORG=Vets-Who-Code
+GITHUB_CLIENT_ID=your-client-id
+GITHUB_CLIENT_SECRET=your-client-secret
+NODE_ENV=production
+NEXTAUTH_SECRET=your-secret-key
+NEXTAUTH_URL=https://your-domain.com
+```
+
+---
+
+## ✅ Security Validation: PASSED
+
+**Build Status:** ✅ Successful (no TypeScript errors)
+
+**Protected Routes:** 9 routes converted to server-side auth
+
+**Dev Login:** ✅ Protected in production
+
+**Org Membership:** ✅ Enforced via GitHub API
+
+**Last Verified:** November 28, 2025
+
+---
+
+## 📋 Summary
+
+All features are properly secured with:
+1. ✅ Server-side authentication checks
+2. ✅ GitHub organization membership verification
+3. ✅ No client-side bypass vulnerabilities
+4. ✅ Dev tools disabled in production
+5. ✅ Environment-based access control
+
+**In production, only authenticated members of the Vets-Who-Code GitHub organization can access protected features.**

playwright.config.ts

@@ -1,7 +1,9 @@
 import { defineConfig, devices } from "@playwright/test";
 import dotenv from "dotenv";
+import path from "path";
 
-dotenv.config();
+// Load .env.local for local development
+dotenv.config({ path: path.resolve(__dirname, ".env.local") });
 /**
  * Read environment variables from file.
  * https://github.com/motdotla/dotenv
@@ -66,5 +68,8 @@ export default defineConfig({
         url: "http://localhost:3000",
         reuseExistingServer: !process.env.CI,
         timeout: 120000, // Adding a longer timeout for build process
+        env: {
+            NEXTAUTH_SECRET: process.env.NEXTAUTH_SECRET || "test-secret-for-playwright",
+        },
     },
 });

public/fallback-ig51mFqkghFuP2RH4aGuS.js public/fallback-GYuLBtSjRrqeLZZfp-5JC.jspublic/fallback-ig51mFqkghFuP2RH4aGuS.js renamed to public/fallback-GYuLBtSjRrqeLZZfp-5JC.js

@@ -1,12 +1,19 @@
 import React, { useState } from "react";
 import Link from "next/link";
-import { useSession } from "next-auth/react";
 import Layout01 from "@layout/layout-01";
-import type { GetStaticProps, NextPage } from "next";
+import type { GetServerSideProps, NextPage } from "next";
+import { getServerSession } from "next-auth/next";
+import { options } from "@/pages/api/auth/options";
 import SEO from "@components/seo/page-seo";
 import Breadcrumb from "@components/breadcrumb";
 
 type PageProps = {
+    user: {
+        id: string;
+        name: string | null;
+        email: string;
+        image: string | null;
+    };
     layout?: {
         headerShadow: boolean;
         headerFluid: boolean;
@@ -93,67 +100,9 @@ const modules = [
     },
 ];
 
-const AIEngineeringCourse: PageWithLayout = () => {
-    const { data: session, status } = useSession();
+const AIEngineeringCourse: PageWithLayout = ({ user: _user }) => {
     const [selectedModule, setSelectedModule] = useState<number | null>(null);
 
-    // Check for dev session as fallback
-    const [devSession, setDevSession] = React.useState<{
-        user: { id: string; name: string; email: string; image: string };
-    } | null>(null);
-
-    React.useEffect(() => {
-        if (typeof window !== "undefined") {
-            const stored = localStorage.getItem("dev-session");
-            if (stored) {
-                try {
-                    const user = JSON.parse(stored);
-                    setDevSession({ user });
-                } catch {
-                    localStorage.removeItem("dev-session");
-                }
-            }
-        }
-    }, []);
-
-    // Use either real session or dev session
-    const currentSession = session || devSession;
-
-    if (status === "loading") {
-        return (
-            <div className="tw-container tw-py-16">
-                <div className="tw-text-center">
-                    <div className="tw-mx-auto tw-h-32 tw-w-32 tw-animate-spin tw-rounded-full tw-border-b-2 tw-border-success" />
-                    <p className="tw-mt-4 tw-text-gray-600">Loading course...</p>
-                </div>
-            </div>
-        );
-    }
-
-    if (!currentSession) {
-        return (
-            <>
-                <SEO title="AI Engineering - Sign In Required" />
-                <div className="tw-container tw-py-16">
-                    <div className="tw-text-center">
-                        <h1 className="tw-mb-4 tw-text-4xl tw-font-bold tw-text-gray-900">
-                            Authentication Required
-                        </h1>
-                        <p className="tw-mb-8 tw-text-xl tw-text-gray-600">
-                            Please sign in to access the AI Engineering vertical.
-                        </p>
-                        <Link
-                            href="/login"
-                            className="tw-inline-flex tw-items-center tw-rounded-md tw-bg-success tw-px-6 tw-py-3 tw-font-semibold tw-text-white tw-transition-colors hover:tw-bg-success/90"
-                        >
-                            Sign In
-                        </Link>
-                    </div>
-                </div>
-            </>
-        );
-    }
-
     return (
         <>
             <SEO title="AI Engineering Vertical" />
@@ -350,9 +299,27 @@ const AIEngineeringCourse: PageWithLayout = () => {
 
 AIEngineeringCourse.Layout = Layout01;
 
-export const getStaticProps: GetStaticProps<PageProps> = () => {
+export const getServerSideProps: GetServerSideProps<PageProps> = async (context) => {
+    // Check authentication
+    const session = await getServerSession(context.req, context.res, options);
+
+    if (!session?.user) {
+        return {
+            redirect: {
+                destination: "/login?callbackUrl=/courses/ai-engineering",
+                permanent: false,
+            },
+        };
+    }
+
     return {
         props: {
+            user: {
+                id: session.user.id,
+                name: session.user.name || null,
+                email: session.user.email || "",
+                image: session.user.image || null,
+            },
             layout: {
                 headerShadow: true,
                 headerFluid: false,