clean up

Client-Registration/README.md

@@ -61,7 +61,7 @@ npm start          # http://localhost:3001
 Runs in **mock mode** when `API_BASE_URL` is empty in `authConfig.js`. To connect to the real Registration Function, update the constants in `src/auth/authConfig.js`:
 
 ```js
-export const API_BASE_URL = 'https://adpregapi.usimdev.com';
+export const API_BASE_URL = 'https://portal.positivespend.com';
 export const API_FUNCTION_KEY = 'your-function-key';
 ```
 

Client-Registration/src/auth/authConfig.js

@@ -1,10 +1,35 @@
+/**
+ * MSAL Configuration for Entra External ID (Customer Identity / CIAM)
+ *
+ * ─── CIAM Tenant ───────────────────────────────────────────────────────────
+ * Tenant:    Positive Spend Clients (to be created under Grae@PositiveSpend.com)
+ *
+ * After creating the CIAM tenant in Entra External ID, replace these values:
+ *   REPLACE_WITH_CIAM_CLIENT_ID  → App registration client ID (AdPlatform Client SPA)
+ *   REPLACE_WITH_CIAM_SUBDOMAIN  → The subdomain chosen when creating the tenant
+ *                                   e.g. if domain is "psclients.onmicrosoft.com"
+ *                                        then subdomain is "psclients"
+ *
+ * Portal steps to get these values:
+ *   1. entra.microsoft.com → switch to CIAM tenant
+ *   2. App registrations → AdPlatform Client SPA → Overview → Application (client) ID
+ *   3. Overview → Primary domain  (gives you the subdomain)
+ *
+ * Token flow:
+ *   1. MSAL acquires ID token from CIAM tenant
+ *   2. Client POSTs to Gateway with Authorization: Bearer <id_token>
+ *   3. Gateway forwards to registration:8080
+ *   4. Microsoft.Identity.Web validates issuer + audience
+ *   5. Server extracts OID claim as entraSubjectId — client never supplies it
+ * ──────────────────────────────────────────────────────────────────────────
+ */
 export const msalConfig = {
     auth: {
-        clientId:              'c426967f-bfcc-46af-b4e5-d69dc01cbf75',
-        authority:             'https://positiveclients.ciamlogin.com/',
+        clientId:              'REPLACE_WITH_CIAM_CLIENT_ID',
+        authority:             'https://REPLACE_WITH_CIAM_SUBDOMAIN.ciamlogin.com/',
         redirectUri:           'https://register.positivespend.com',
         postLogoutRedirectUri: 'https://register.positivespend.com',
-        knownAuthorities:      ['positiveclients.ciamlogin.com'],
+        knownAuthorities:      ['REPLACE_WITH_CIAM_SUBDOMAIN.ciamlogin.com'],
     },
     cache: {
         cacheLocation:          'sessionStorage',
@@ -16,5 +41,23 @@ export const loginRequest = {
     scopes: ['openid', 'profile', 'email'],
 };
 
+// ═════════════════════════════════════════════════════════════════════════════
+// SWAP: ASP.NET Core / self-hosted  ◄ ACTIVE
+//
+// The client posts to the Gateway (portal.positivespend.com), which internally
+// forwards to registration:8080 in docker-compose.
+// No function key needed — Bearer token is the only auth on /register.
+// Admin endpoints are called server-to-server (Management → registration:8080).
+// ═════════════════════════════════════════════════════════════════════════════
 export const API_BASE_URL     = 'https://portal.positivespend.com';
 export const API_FUNCTION_KEY = '';
+
+// ═════════════════════════════════════════════════════════════════════════════
+// SWAP: Azure Functions  ◄ INACTIVE — uncomment to restore
+//
+// Set API_BASE_URL to the Azure Function App public URL.
+// Set API_FUNCTION_KEY from Azure Portal → Function App → App Keys → default.
+//
+// export const API_BASE_URL     = 'https://REPLACE_WITH_AZURE_FUNCTION_APP_URL';
+// export const API_FUNCTION_KEY = '';
+// ═════════════════════════════════════════════════════════════════════════════