Rewg Fix 2

Client-Tech/src/auth/authConfig.js

@@ -1,30 +1,17 @@
 /**
  * authConfig.js — Tech Client (Staff Plane)
- *
- * ┌─────────────────────────────────────────────────────────────────────────┐
- * │  PRODUCTION MIGRATION — only these values change at handoff:            │
- * │                                                                         │
- * │  STAFF_AUTHORITY  →  'https://login.microsoftonline.com/{ORG_TENANT}'  │
- * │  STAFF_TENANT_ID  →  new company org tenant ID                         │
- * │  STAFF_CLIENT_ID  →  staff app registration in org tenant              │
- * │                                                                         │
- * │  No other code changes required anywhere.                               │
- * └─────────────────────────────────────────────────────────────────────────┘
- *
- * DEV NOTE: Staff currently authenticate against the CIAM tenant (same as
- * clients) because no org tenant exists yet. The login screen looks identical
- * to the client login — this is cosmetic only. API isolation is enforced by
- * audience: staff tokens are rejected by Gateway, client tokens by Management.
  */
 
 // ── Staff Identity Config ─────────────────────────────────────────────────────
 
-const STAFF_TENANT_ID = 'f56a3c51-9b5c-4356-920f-b4dcf932a96b'; 
-const STAFF_CLIENT_ID = '217928a9-4591-4dff-9f09-5b233824cf4f';               
+const STAFF_TENANT_ID = 'f56a3c51-9b5c-4356-920f-b4dcf932a96b';
+const STAFF_CLIENT_ID = '217928a9-4591-4dff-9f09-5b233824cf4f';
 
-// PROD: swap to         →  'https://login.microsoftonline.com/' + STAFF_TENANT_ID
 const STAFF_AUTHORITY = 'https://login.microsoftonline.com/' + STAFF_TENANT_ID;
 
+// Management Staff API — resource the Tech SPA requests a token for
+const MGMT_APP_ID = 'af95fa13-2ef4-4911-b137-7acc6a784cfa';
+
 // ── MSAL Config ───────────────────────────────────────────────────────────────
 
 export const msalConfig = {
@@ -33,10 +20,10 @@ export const msalConfig = {
         authority:             STAFF_AUTHORITY,
         redirectUri:           window.location.origin,
         postLogoutRedirectUri: window.location.origin,
-        navigateToLoginRequestUrl: true,
+        navigateToLoginRequestUrl: false,   // ← was true, caused the loop
     },
     cache: {
-        cacheLocation:  'sessionStorage',
+        cacheLocation:          'sessionStorage',
         storeAuthStateInCookie: false,
     },
     system: {
@@ -50,19 +37,18 @@ export const msalConfig = {
                     case 3: console.debug(message);  break;
                 }
             },
-            logLevel: 3,
+            logLevel: 1,  // warn + error only in prod
         },
     },
 };
 
 export const loginRequest = {
-    scopes: ["api://4e4d69c3-558a-4a27-a689-17bd397175e5/access_as_user"]
+    scopes: [`api://${MGMT_APP_ID}/access_as_user`]   // ← fixed
 };
 
 // ── API Endpoints ─────────────────────────────────────────────────────────────
 
-export const API_BASE  = 'https://adpapi.usimdev.com';     // Gateway API
-export const MGMT_BASE = 'https://adpmgmt.usimdev.com';    // Management API
+export const API_BASE  = 'https://portal.positivespend.com';   // ← fixed
+export const MGMT_BASE = 'https://mgmt.positivespend.com';     // ← fixed
 
-// Legacy — kept for backward compatibility with apiClient.js
-export const SESSION_ENDPOINT = `${API_BASE}/api/auth/session`;
+export const SESSION_ENDPOINT = `${API_BASE}/api/auth/session`;