p0-authjs-phase-d-pre-launch-hardening

done · type/backlog · priority/p0 · topic/auth · topic/hardening

p0 · Auth.js migration · Phase D · Pre-launch hardening

TL;DR

Pre-launch hardening code complete: H2 login timing, H1 CSP (report-only), M2 requireRole, M5 safe logger, Auth.js E2E suite (password-reset, email-verify, account-link, integration-api-keys). Production CSP enforce after staging soak is the only spun-out ops step.

Status: done (2026-05-24) · Source: [[Projects/personal-finance-notion/decisions/adr-2026-05-18-authjs-migration|ADR 2026-05-18]]

Steps (checklist)

  1. H2 timing equalization — [x] DUMMY_HASH in src/auth.ts authorize(); [x] loginTimingEqualization.test.ts
  2. H1 CSP — [x] next.config.mjs policy + report-only default; [ ] production enforce → [[Projects/personal-finance-notion/backlog/p2-csp-enforce-production|p2 CSP enforce]]
  3. M2 role — [x] requireRole.ts + adminProbe + /api/admin/probe; [x] role stripped in updateUser; [x] requireRole.test.ts; [x] ADR addendum 2026-05-25
  4. M5 logger — [x] circular-ref safe logger.error (logger.test.ts)
  5. Test rewrite — [x] password-reset.spec.ts, email-verify.spec.ts, account-link.spec.ts, integration-api-keys.spec.ts, auth.spec.ts (Auth.js flows); minor: admin-guard E2E TODO in auth.spec.ts (non-blocking)

Spun out

  • [[Projects/personal-finance-notion/backlog/p2-csp-enforce-production|p2 · CSP enforce on production]] — ≥24h report-only soak, then CSP_ENFORCE=true
  • Auth C1–C3 follow-ups remain in active backlog (rate limits, resend UI, timing/E2E) — see [[Projects/personal-finance-notion/backlog/index|backlog index]]

Launch checklist (ops, not code)

  • 24h CSP report-only soak on staging → fix violations → enforce (see p2 item)
  • Manual audit re-run on migrated stack
  • npm audit --production clean

Related

  • [[Projects/personal-finance-notion/backlog/done/p0-h1-csp-header|H1]]
  • [[Projects/personal-finance-notion/backlog/done/p0-h2-login-timing|H2]]
  • [[Projects/personal-finance-notion/backlog/done/p0-authjs-phase-c-hardening|Phase C]]