...reapply

Client-Registration/src/auth/authConfig.js

@@ -1,21 +1,13 @@
-/**
- * MSAL Configuration for Entra External ID (Customer Identity)
- *
- * This uses the External ID tenant (CIAM) — different from the
- * internal Entra tenant used by the Admin/Management console.
- *
- * TODO: Replace placeholder values with actual External ID tenant details.
- */
 export const msalConfig = {
     auth: {
-        clientId: '154c9111-14a0-4c0f-8132-7bc68254a74e',
-        authority: 'https://usimclients.ciamlogin.com/891f98f1-ed34-42a1-9b6c-28b0554d92c2',
-        redirectUri: window.location.origin,
-        postLogoutRedirectUri: window.location.origin,
-        knownAuthorities: ['usimclients.ciamlogin.com'],
+        clientId:              '43c493e4-e1ed-4cd7-ab0a-e507e20af724',
+        authority:             'https://positiveclients.ciamlogin.com/',
+        redirectUri:           'https://register.positivespend.com',
+        postLogoutRedirectUri: 'https://register.positivespend.com',
+        knownAuthorities:      ['positiveclients.ciamlogin.com'],
     },
     cache: {
-        cacheLocation: 'sessionStorage',
+        cacheLocation:          'sessionStorage',
         storeAuthStateInCookie: false,
     },
 };
@@ -24,9 +16,5 @@ export const loginRequest = {
     scopes: ['openid', 'profile', 'email'],
 };
 
-// Registration Function API
-export const API_BASE_URL = 'https://adpregapi.usimdev.com';
-
-// Function key for Registration API (AuthorizationLevel.Function)
-// TODO: Set this from your Azure Function → App Keys → default host key
-export const API_FUNCTION_KEY = '';
+export const API_BASE_URL     = 'https://portal.positivespend.com';
+export const API_FUNCTION_KEY = '';

Client-Tech/src/auth/authConfig.js

@@ -1,20 +1,68 @@
+/**
+ * authConfig.js — Tech Client (Staff Plane)
+ *
+ * ┌─────────────────────────────────────────────────────────────────────────┐
+ * │  PRODUCTION MIGRATION — only these values change at handoff:            │
+ * │                                                                         │
+ * │  STAFF_AUTHORITY  →  'https://login.microsoftonline.com/{ORG_TENANT}'  │
+ * │  STAFF_TENANT_ID  →  new company org tenant ID                         │
+ * │  STAFF_CLIENT_ID  →  staff app registration in org tenant              │
+ * │                                                                         │
+ * │  No other code changes required anywhere.                               │
+ * └─────────────────────────────────────────────────────────────────────────┘
+ *
+ * DEV NOTE: Staff currently authenticate against the CIAM tenant (same as
+ * clients) because no org tenant exists yet. The login screen looks identical
+ * to the client login — this is cosmetic only. API isolation is enforced by
+ * audience: staff tokens are rejected by Gateway, client tokens by Management.
+ */
+
+// ── Staff Identity Config ─────────────────────────────────────────────────────
+
+const STAFF_TENANT_ID = '0be4c23a-6941-4bdb-b397-a4faf88de4b3'; 
+const STAFF_CLIENT_ID = '846a3677-9135-4ba6-b7f5-933dcce126be';               
+
+// PROD: swap to         →  'https://login.microsoftonline.com/' + STAFF_TENANT_ID
+const STAFF_AUTHORITY = 'https://login.microsoftonline.com/' + STAFF_TENANT_ID;
+
+// ── MSAL Config ───────────────────────────────────────────────────────────────
+
 export const msalConfig = {
     auth: {
-        clientId:              '43c493e4-e1ed-4cd7-ab0a-e507e20af724',
-        authority:             'https://positiveclients.ciamlogin.com/',
-        redirectUri:           'https://register.positivespend.com',
-        postLogoutRedirectUri: 'https://register.positivespend.com',
-        knownAuthorities:      ['positiveclients.ciamlogin.com'],
+        clientId:              STAFF_CLIENT_ID,
+        authority:             STAFF_AUTHORITY,
+        redirectUri:           window.location.origin,
+        postLogoutRedirectUri: window.location.origin,
+        navigateToLoginRequestUrl: true,
     },
     cache: {
-        cacheLocation:          'sessionStorage',
+        cacheLocation:  'sessionStorage',
         storeAuthStateInCookie: false,
     },
+    system: {
+        loggerOptions: {
+            loggerCallback: (level, message, containsPii) => {
+                if (containsPii) return;
+                switch (level) {
+                    case 0: console.error(message);  break;
+                    case 1: console.warn(message);   break;
+                    case 2: console.info(message);   break;
+                    case 3: console.debug(message);  break;
+                }
+            },
+            logLevel: 3,
+        },
+    },
 };
 
 export const loginRequest = {
-    scopes: ['openid', 'profile', 'email'],
+    scopes: ["api://4e4d69c3-558a-4a27-a689-17bd397175e5/access_as_user"]
 };
 
-export const API_BASE_URL     = 'https://portal.positivespend.com';
-export const API_FUNCTION_KEY = '';
+// ── API Endpoints ─────────────────────────────────────────────────────────────
+
+export const API_BASE  = 'https://adpapi.usimdev.com';     // Gateway API
+export const MGMT_BASE = 'https://adpmgmt.usimdev.com';    // Management API
+
+// Legacy — kept for backward compatibility with apiClient.js
+export const SESSION_ENDPOINT = `${API_BASE}/api/auth/session`;