Merge branch 'master' into feat/organizations

frontend/src/app/activity/page.tsx

@@ -298,7 +298,7 @@ export default function ActivityPage() {
           <div className="rounded-xl border border-slate-200 bg-white px-8 py-6 shadow-sm">
             <p className="text-sm text-slate-600">Sign in to view the feed.</p>
             <SignInButton
-              mode="modal"
+              mode="redirect"
               forceRedirectUrl="/activity"
               signUpForceRedirectUrl="/activity"
             >

frontend/src/app/sign-in/[[...rest]]/page.tsx

@@ -0,0 +1,13 @@
+"use client";
+
+import { SignIn } from "@clerk/nextjs";
+
+export default function SignInPage() {
+  // Dedicated sign-in route for Cypress E2E.
+  // Avoids modal/iframe auth flows and gives Cypress a stable top-level page.
+  return (
+    <main className="flex min-h-screen items-center justify-center bg-slate-50 p-6">
+      <SignIn routing="path" path="/sign-in" forceRedirectUrl="/activity" />
+    </main>
+  );
+}

frontend/src/auth/clerk.tsx

@@ -1,10 +1,10 @@
 "use client";
 
-import type { ReactNode } from "react";
-
 // NOTE: We intentionally keep this file very small and dependency-free.
 // It provides CI/secretless-build safe fallbacks for Clerk hooks/components.
 
+import type { ReactNode, ComponentProps } from "react";
+
 import {
   ClerkProvider,
   SignedIn as ClerkSignedIn,
@@ -15,33 +15,22 @@ import {
   useUser as clerkUseUser,
 } from "@clerk/nextjs";
 
-import type { ComponentProps } from "react";
-
 import { isLikelyValidClerkPublishableKey } from "@/auth/clerkKey";
 
-function isE2EAuthBypassEnabled(): boolean {
-  // Used only for Cypress E2E to keep tests secretless and deterministic.
-  // When enabled, we treat the user as signed in and skip Clerk entirely.
-  return process.env.NEXT_PUBLIC_E2E_AUTH_BYPASS === "1";
-}
-
 export function isClerkEnabled(): boolean {
   // IMPORTANT: keep this in sync with AuthProvider; otherwise components like
   // <SignedOut/> may render without a <ClerkProvider/> and crash during prerender.
-  if (isE2EAuthBypassEnabled()) return false;
   return isLikelyValidClerkPublishableKey(
     process.env.NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY,
   );
 }
 
 export function SignedIn(props: { children: ReactNode }) {
-  if (isE2EAuthBypassEnabled()) return <>{props.children}</>;
   if (!isClerkEnabled()) return null;
   return <ClerkSignedIn>{props.children}</ClerkSignedIn>;
 }
 
 export function SignedOut(props: { children: ReactNode }) {
-  if (isE2EAuthBypassEnabled()) return null;
   if (!isClerkEnabled()) return <>{props.children}</>;
   return <ClerkSignedOut>{props.children}</ClerkSignedOut>;
 }
@@ -67,15 +56,6 @@ export function useUser() {
 }
 
 export function useAuth() {
-  if (isE2EAuthBypassEnabled()) {
-    return {
-      isLoaded: true,
-      isSignedIn: true,
-      userId: "e2e-user",
-      sessionId: "e2e-session",
-      getToken: async () => "e2e-token",
-    } as const;
-  }
   if (!isClerkEnabled()) {
     return {
       isLoaded: true,

frontend/src/proxy.ts

@@ -1,5 +1,5 @@
 import { NextResponse } from "next/server";
-import { clerkMiddleware } from "@clerk/nextjs/server";
+import { clerkMiddleware, createRouteMatcher } from "@clerk/nextjs/server";
 
 import { isLikelyValidClerkPublishableKey } from "@/auth/clerkKey";
 
@@ -8,7 +8,23 @@ const isClerkEnabled = () =>
     process.env.NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY,
   );
 
-export default isClerkEnabled() ? clerkMiddleware() : () => NextResponse.next();
+// Public routes must include Clerk sign-in paths to avoid redirect loops.
+const isPublicRoute = createRouteMatcher(["/sign-in(.*)"]);
+
+export default isClerkEnabled()
+  ? clerkMiddleware(async (auth, req) => {
+      if (isPublicRoute(req)) return NextResponse.next();
+
+      // In middleware, `auth()` resolves to a session/auth context (Promise in current typings).
+      // Use redirectToSignIn() (instead of protect()) for unauthenticated requests.
+      const { userId, redirectToSignIn } = await auth();
+      if (!userId) {
+        return redirectToSignIn({ returnBackUrl: req.url });
+      }
+
+      return NextResponse.next();
+    })
+  : () => NextResponse.next();
 
 export const config = {
   matcher: [