From 6847c3dcb1dc575df0f2c7284181898e92926938 Mon Sep 17 00:00:00 2001
From: Guy Ben Aharon <guybenah@gmail.com>
Date: Sun, 22 Feb 2026 12:22:44 +0200
Subject: [PATCH] fix: auth

---
 apps/web/src/app/page.tsx                | 9 ++++++++-
 apps/web/src/providers/auth-provider.tsx | 9 +++++----
 turbo.json                               | 3 +++
 3 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/apps/web/src/app/page.tsx b/apps/web/src/app/page.tsx
index ae44797..0371182 100644
--- a/apps/web/src/app/page.tsx
+++ b/apps/web/src/app/page.tsx
@@ -8,10 +8,17 @@ import { useAuth } from "@/providers/auth-provider";
 
 export default function Home() {
   const router = useRouter();
-  const { isAuthenticated } = useAuth();
+  const { isAuthenticated, isLoading: authLoading } = useAuth();
   const getOrCreateUser = useMutation(api.users.getOrCreateFromAuth);
   const [userReady, setUserReady] = useState(false);
 
+  // Redirect to login if not authenticated
+  useEffect(() => {
+    if (!authLoading && !isAuthenticated) {
+      router.replace("/auth/login");
+    }
+  }, [authLoading, isAuthenticated, router]);
+
   // Ensure user record exists before querying tenant data
   useEffect(() => {
     if (!isAuthenticated || userReady) return;
diff --git a/apps/web/src/providers/auth-provider.tsx b/apps/web/src/providers/auth-provider.tsx
index 61d104b..66aedf3 100644
--- a/apps/web/src/providers/auth-provider.tsx
+++ b/apps/web/src/providers/auth-provider.tsx
@@ -12,7 +12,7 @@ import type { ReactNode } from "react";
 import { Amplify } from "aws-amplify";
 import {
   getCurrentUser,
-  fetchUserAttributes,
+  fetchAuthSession,
   signInWithRedirect,
   signOut as amplifySignOut,
 } from "aws-amplify/auth";
@@ -125,10 +125,11 @@ const CognitoProvider = ({ children }: { children: ReactNode }) => {
   const checkAuthState = useCallback(async () => {
     try {
       await getCurrentUser();
-      const attributes = await fetchUserAttributes();
+      const session = await fetchAuthSession();
+      const idToken = session.tokens?.idToken;
       setUser({
-        email: attributes.email ?? "",
-        name: attributes.name,
+        email: (idToken?.payload?.email as string) ?? "",
+        name: idToken?.payload?.name as string | undefined,
       });
       setIsAuthenticated(true);
     } catch {
diff --git a/turbo.json b/turbo.json
index bdd247b..5241b10 100644
--- a/turbo.json
+++ b/turbo.json
@@ -15,6 +15,9 @@
     "AUTO_LOGIN_EMAIL",
     "GOOGLE_CLIENT_ID",
     "GOOGLE_CLIENT_SECRET",
+    "COGNITO_USER_POOL_ID",
+    "COGNITO_CLIENT_ID",
+    "COGNITO_DOMAIN",
     "WATCHER_TOKEN",
     "LOG_LEVEL",
     "NEXT_RUNTIME"