CRITICAL FIX: Correct authentication architecture

🚨 IMPORTANT: Preview environments should use Firebase Auth, NOT dev auth

Fixed authentication logic:
- Local development: Dev auth + test credentials + DEV_ data
- Vercel preview: Firebase auth + real credentials + production data
- Vercel production: Firebase auth + real credentials + production data

Changes:
- Removed incorrect preview environment dev auth logic
- Updated all auth routes to only use dev auth in local development
- Fixed AuthProvider client-side environment detection
- Created comprehensive authentication architecture documentation
- Updated environment architecture docs with auth requirements

Preview environments should now accept jamiegray2234@gmail.com and reject test credentials.

Author: sirjamesgray

app/api/auth/login/route.ts

@@ -49,26 +49,28 @@ function createSuccessResponse(user: LoginResponse['user']): NextResponse {
 export async function POST(request: NextRequest) {
   try {
     console.log('[Auth] Login request received');
+    console.log('[Auth] Request headers:', Object.fromEntries(request.headers.entries()));
+    console.log('[Auth] Request URL:', request.url);
 
     const body = await request.json() as LoginRequest;
     const { emailOrUsername, password } = body;
 
+    console.log('[Auth] Login attempt for:', emailOrUsername);
+    console.log('[Auth] Password provided:', password ? 'YES' : 'NO');
+
     // Validate required fields
     if (!emailOrUsername || !password) {
+      console.log('[Auth] Missing required fields');
       return createErrorResponse('Email/username and password are required');
     }
 
     // Check if we should use dev auth system
-    // Use dev auth for:
-    // 1. Local development (NODE_ENV=development + USE_DEV_AUTH=true)
-    // 2. Preview environments (VERCEL_ENV=preview) - for testing with production data
-    const environmentType = getEnvironmentType();
-    const isLocalDev = process.env.NODE_ENV === 'development' && process.env.USE_DEV_AUTH === 'true';
-    const isPreviewEnv = environmentType === 'preview';
-    const useDevAuth = isLocalDev || isPreviewEnv;
+    // ONLY use dev auth for local development with USE_DEV_AUTH=true
+    // Preview and production environments should use Firebase Auth with real credentials
+    const useDevAuth = process.env.NODE_ENV === 'development' && process.env.USE_DEV_AUTH === 'true';
 
     if (useDevAuth) {
-      console.log(`[Auth] Using dev auth system (environment: ${environmentType}, local dev: ${isLocalDev}, preview: ${isPreviewEnv})`);
+      console.log('[Auth] Using dev auth system (local development only)');
 
       // In development mode, check against known test accounts
       const testAccounts = [
@@ -82,7 +84,7 @@ export async function POST(request: NextRequest) {
       );
 
       if (!account) {
-        console.log(`[Auth] Dev auth login failed: invalid credentials (environment: ${environmentType})`);
+        console.log('[Auth] Dev auth login failed: invalid credentials');
         return createErrorResponse('Invalid credentials');
       }
 
@@ -103,7 +105,7 @@ export async function POST(request: NextRequest) {
         maxAge: 60 * 60 * 24 * 7 // 7 days
       });
 
-      console.log(`[Auth] Dev auth login successful for: ${account.email} (environment: ${environmentType})`);
+      console.log('[Auth] Dev auth login successful for:', account.email);
 
       return createSuccessResponse({
         uid: account.uid,

app/api/auth/session/route.ts

@@ -49,11 +49,10 @@ export async function GET(request: NextRequest) {
         return createErrorResponse(AuthErrorCode.SESSION_EXPIRED, 'Invalid session data');
       }
 
-      // Check if we should use dev auth system (same logic as login)
-      const environmentType = getEnvironmentType();
-      const isLocalDev = process.env.NODE_ENV === 'development' && process.env.USE_DEV_AUTH === 'true';
-      const isPreviewEnv = environmentType === 'preview';
-      const useDevAuth = isLocalDev || isPreviewEnv;
+      // Check if we should use dev auth system
+      // ONLY use dev auth for local development with USE_DEV_AUTH=true
+      // Preview and production environments should use Firebase Auth with real credentials
+      const useDevAuth = process.env.NODE_ENV === 'development' && process.env.USE_DEV_AUTH === 'true';
 
       if (useDevAuth) {
         const user: User = {
@@ -67,7 +66,7 @@ export async function GET(request: NextRequest) {
           lastLoginAt: new Date().toISOString()
         };
 
-        console.log(`[Session] Dev auth session valid for: ${user.email} (environment: ${environmentType})`);
+        console.log('[Session] Dev auth session valid for:', user.email);
         return createSuccessResponse(user);
       }
 
@@ -126,14 +125,13 @@ export async function POST(request: NextRequest) {
       return createErrorResponse(AuthErrorCode.INVALID_CREDENTIALS, 'ID token is required');
     }
 
-    // Check if we should use dev auth system (same logic as other auth routes)
-    const environmentType = getEnvironmentType();
-    const isLocalDev = process.env.NODE_ENV === 'development' && process.env.USE_DEV_AUTH === 'true';
-    const isPreviewEnv = environmentType === 'preview';
-    const useDevAuth = isLocalDev || isPreviewEnv;
+    // Check if we should use dev auth system
+    // ONLY use dev auth for local development with USE_DEV_AUTH=true
+    // Preview and production environments should use Firebase Auth with real credentials
+    const useDevAuth = process.env.NODE_ENV === 'development' && process.env.USE_DEV_AUTH === 'true';
 
     if (useDevAuth) {
-      console.log(`[Session] Dev auth mode: bypassing Firebase ID token verification (environment: ${environmentType})`);
+      console.log('[Session] Dev auth mode: bypassing Firebase ID token verification (local development only)');
 
       try {
         // In development mode, decode the token without verification
@@ -185,7 +183,7 @@ export async function POST(request: NextRequest) {
           lastActiveAt: new Date().toISOString()
         });
 
-        console.log(`[Session] Dev auth session created for: ${user.email} (environment: ${environmentType})`);
+        console.log('[Session] Dev auth session created for:', user.email);
         return createSuccessResponse(user);
 
       } catch (devError) {

app/api/debug/auth-environment/route.ts

@@ -18,9 +18,9 @@ export async function GET(request: NextRequest) {
     const environmentContext = getEnvironmentContext();
 
     // Check auth configuration (same logic as login/session routes)
-    const isLocalDev = process.env.NODE_ENV === 'development' && process.env.USE_DEV_AUTH === 'true';
-    const isPreviewEnv = environmentType === 'preview';
-    const useDevAuth = isLocalDev || isPreviewEnv;
+    // ONLY use dev auth for local development with USE_DEV_AUTH=true
+    // Preview and production environments should use Firebase Auth with real credentials
+    const useDevAuth = process.env.NODE_ENV === 'development' && process.env.USE_DEV_AUTH === 'true';
 
     // Log environment config for server logs
     logEnvironmentConfig();
@@ -36,10 +36,9 @@ export async function GET(request: NextRequest) {
         useDevAuth: process.env.USE_DEV_AUTH
       },
       authConfiguration: {
-        isLocalDev,
-        isPreviewEnv,
         useDevAuth,
-        authSystem: useDevAuth ? 'dev-auth' : 'firebase-auth'
+        authSystem: useDevAuth ? 'dev-auth' : 'firebase-auth',
+        description: useDevAuth ? 'Local development with test accounts' : 'Production Firebase Auth with real credentials'
       },
       testCredentials: useDevAuth ? {
         available: [
@@ -54,24 +53,24 @@ export async function GET(request: NextRequest) {
       troubleshooting: {
         expectedBehavior: {
           'local development': 'Should use dev auth when USE_DEV_AUTH=true',
-          'vercel preview': 'Should use dev auth for testing with production data',
-          'vercel production': 'Should use Firebase auth with real credentials'
+          'vercel preview': 'Should use Firebase auth with your production credentials',
+          'vercel production': 'Should use Firebase auth with your production credentials'
         },
         commonIssues: {
-          '401 on preview': 'Check that VERCEL_ENV=preview is set correctly',
-          'wrong auth system': 'Verify environment detection logic',
-          'missing credentials': 'Ensure test accounts exist in dev auth system'
+          '401 on preview/production': 'Use your real Firebase Auth credentials (jamiegray2234@gmail.com)',
+          'wrong auth system': 'Only local development should use dev auth',
+          'missing credentials': 'Preview/production need real user accounts, not test accounts'
         }
       },
       recommendations: [
         ...(useDevAuth ? [
           'Dev authentication is active - test users are available',
-          'Use the provided test credentials for testing',
+          'Use the provided test credentials for local development',
           'Production user accounts are protected from development access'
         ] : [
-          'Firebase Auth is active - use your production credentials',
-          'Be careful when testing - you may be using real user accounts',
-          'Consider using preview environment for safer testing'
+          'Firebase Auth is active - use your real production credentials',
+          'Use jamiegray2234@gmail.com or other real Firebase Auth accounts',
+          'Preview environments test with production data using real credentials'
         ])
       ]
     };

app/providers/AuthProvider.tsx

@@ -103,15 +103,13 @@ export function AuthProvider({ children }: AuthProviderProps) {
       setLoading(true);
       clearError();
 
-      // Check if we should use dev auth system (client-side environment detection)
-      // Note: Client-side can't access server-only env vars, so we use NEXT_PUBLIC_ vars and URL detection
-      const isLocalDev = process.env.NODE_ENV === 'development' && process.env.NEXT_PUBLIC_USE_DEV_AUTH === 'true';
-      const isPreviewEnv = typeof window !== 'undefined' &&
-        (window.location.hostname.includes('vercel.app') || window.location.hostname.includes('preview'));
-      const useDevAuth = isLocalDev || isPreviewEnv;
+      // Check if we should use dev auth system
+      // ONLY use dev auth for local development with NEXT_PUBLIC_USE_DEV_AUTH=true
+      // Preview and production environments should use Firebase Auth with real credentials
+      const useDevAuth = process.env.NODE_ENV === 'development' && process.env.NEXT_PUBLIC_USE_DEV_AUTH === 'true';
 
       if (useDevAuth) {
-        console.log(`[Auth] Using dev auth system (local dev: ${isLocalDev}, preview: ${isPreviewEnv}, hostname: ${typeof window !== 'undefined' ? window.location.hostname : 'server'})`);
+        console.log('[Auth] Using dev auth system (local development only)');
 
         // Use server-side login endpoint for development
         const loginResponse = await fetch('/api/auth/login', {
@@ -127,7 +125,7 @@ export function AuthProvider({ children }: AuthProviderProps) {
           const loginData = await loginResponse.json();
           if (loginData.success && loginData.user) {
             setUser(loginData.user);
-            console.log(`[Auth] Dev auth sign in successful for user: ${loginData.user.email} (preview: ${isPreviewEnv})`);
+            console.log('[Auth] Dev auth sign in successful for user:', loginData.user.email);
           } else {
             throw new AuthError(loginData.error || 'Login failed', AuthErrorCode.INVALID_CREDENTIALS);
           }

docs/AUTHENTICATION_ARCHITECTURE.md

@@ -0,0 +1,163 @@
+# Authentication Architecture
+
+## 🚨 CRITICAL: Environment-Specific Authentication Rules
+
+**This document defines the EXACT authentication behavior for each environment. Never deviate from these rules.**
+
+## Authentication by Environment
+
+### 🏠 **Local Development**
+- **Auth System**: Dev Auth (test accounts)
+- **Data Access**: DEV_ prefixed collections (isolated dev data)
+- **Credentials**: Test accounts only (jamie@wewrite.app, test@wewrite.app, etc.)
+- **Trigger**: `NODE_ENV=development` AND `USE_DEV_AUTH=true`
+
+### 🔍 **Vercel Preview**
+- **Auth System**: Firebase Auth (production auth)
+- **Data Access**: Production collections (no DEV_ prefix)
+- **Credentials**: Real Firebase Auth accounts (jamiegray2234@gmail.com, etc.)
+- **Purpose**: Test with production data using real credentials
+
+### 🚀 **Vercel Production**
+- **Auth System**: Firebase Auth (production auth)
+- **Data Access**: Production collections (no DEV_ prefix)
+- **Credentials**: Real Firebase Auth accounts (jamiegray2234@gmail.com, etc.)
+- **Purpose**: Live production environment
+
+## Environment Detection Logic
+
+### Server-Side (API Routes)
+```typescript
+// ONLY use dev auth for local development
+const useDevAuth = process.env.NODE_ENV === 'development' && process.env.USE_DEV_AUTH === 'true';
+
+if (useDevAuth) {
+  // Use test accounts and dev auth system
+} else {
+  // Use Firebase Auth with real credentials
+}
+```
+
+### Client-Side (AuthProvider)
+```typescript
+// ONLY use dev auth for local development
+const useDevAuth = process.env.NODE_ENV === 'development' && process.env.NEXT_PUBLIC_USE_DEV_AUTH === 'true';
+
+if (useDevAuth) {
+  // Call /api/auth/login with test credentials
+} else {
+  // Use Firebase Auth SDK with real credentials
+}
+```
+
+## Data Access Patterns
+
+### Local Development
+- Collections: `DEV_users`, `DEV_pages`, `DEV_subscriptions`
+- Purpose: Isolated development data
+- Safety: Cannot affect production data
+
+### Preview & Production
+- Collections: `users`, `pages`, `subscriptions` (base names)
+- Purpose: Real production data
+- Safety: Use real credentials, real data
+
+## Test Credentials (Local Development Only)
+
+```typescript
+const testAccounts = [
+  { email: 'jamie@wewrite.app', password: 'TestPassword123!', isAdmin: true },
+  { email: 'test@wewrite.app', password: 'TestPassword123!', isAdmin: false },
+  { email: 'getwewrite@gmail.com', password: 'TestPassword123!', isAdmin: false },
+  { email: 'test@local.dev', password: 'TestPassword123!', isAdmin: false }
+];
+```
+
+**⚠️ These test credentials ONLY work in local development with dev auth enabled.**
+
+## Production Credentials (Preview & Production)
+
+Use real Firebase Auth accounts:
+- `jamiegray2234@gmail.com` (admin account)
+- Any other real Firebase Auth user accounts
+
+## Common Mistakes to Avoid
+
+### ❌ **WRONG: Using dev auth in preview**
+```typescript
+// DON'T DO THIS
+const isPreviewEnv = environmentType === 'preview';
+const useDevAuth = isLocalDev || isPreviewEnv; // WRONG!
+```
+
+### ✅ **CORRECT: Only dev auth in local development**
+```typescript
+// DO THIS
+const useDevAuth = process.env.NODE_ENV === 'development' && process.env.USE_DEV_AUTH === 'true';
+```
+
+### ❌ **WRONG: Expecting test credentials in preview**
+Preview environments should NOT accept `jamie@wewrite.app` or other test credentials.
+
+### ✅ **CORRECT: Use real credentials in preview**
+Preview environments should accept `jamiegray2234@gmail.com` and other real Firebase Auth accounts.
+
+## Debugging Authentication Issues
+
+### Check Environment Detection
+Visit: `/api/debug/auth-environment`
+
+Expected responses:
+
+**Local Development:**
+```json
+{
+  "environment": { "type": "development" },
+  "authConfiguration": { "useDevAuth": true, "authSystem": "dev-auth" },
+  "testCredentials": { "available": ["jamie@wewrite.app / TestPassword123!"] }
+}
+```
+
+**Preview/Production:**
+```json
+{
+  "environment": { "type": "preview" },
+  "authConfiguration": { "useDevAuth": false, "authSystem": "firebase-auth" },
+  "testCredentials": { "note": "Using Firebase Auth - use your production credentials" }
+}
+```
+
+## Environment Variables
+
+### Local Development
+```bash
+NODE_ENV=development
+USE_DEV_AUTH=true
+NEXT_PUBLIC_USE_DEV_AUTH=true
+```
+
+### Preview/Production
+```bash
+NODE_ENV=production
+# USE_DEV_AUTH should be undefined or false
+# NEXT_PUBLIC_USE_DEV_AUTH should be undefined or false
+```
+
+## File Locations
+
+### Authentication Logic
+- **Login**: `app/api/auth/login/route.ts`
+- **Session**: `app/api/auth/session/route.ts`
+- **Client**: `app/providers/AuthProvider.tsx`
+
+### Environment Detection
+- **Server**: `app/utils/environmentConfig.ts`
+- **Debug**: `app/api/debug/auth-environment/route.ts`
+
+## Summary
+
+**Remember: Preview environments are for testing with production data using real credentials, NOT for using test accounts with production data.**
+
+- **Local**: Dev auth + dev data + test credentials
+- **Preview**: Firebase auth + production data + real credentials  
+- **Production**: Firebase auth + production data + real credentials

docs/ENVIRONMENT_ARCHITECTURE.md

@@ -6,12 +6,23 @@ This document provides a comprehensive overview of WeWrite's environment configu
 
 WeWrite uses a **four-environment architecture** with strict data separation to ensure safe development and testing:
 
-| Environment | Data Source | Stripe Keys | Collections | Purpose |
-|-------------|-------------|-------------|-------------|---------|
-| **Local Development** | Dev Data | Test Keys | `dev_*` | Local development and testing |
-| **Vercel Dev** | Dev Data | Test Keys | `dev_*` | Development branch testing |
-| **Vercel Preview** | **Production Data** | Live Keys | No prefix | Pre-production testing with real data |
-| **Vercel Production** | Production Data | Live Keys | No prefix | Live production environment |
+| Environment | Data Source | Auth System | Collections | Credentials | Purpose |
+|-------------|-------------|-------------|-------------|-------------|---------|
+| **Local Development** | Dev Data | **Dev Auth** | `DEV_*` | Test accounts | Local development and testing |
+| **Vercel Preview** | **Production Data** | **Firebase Auth** | No prefix | Real accounts | Pre-production testing with real data |
+| **Vercel Production** | Production Data | **Firebase Auth** | No prefix | Real accounts | Live production environment |
+
+## 🔐 Authentication Architecture
+
+### Local Development
+- **Auth System**: Dev Auth (test accounts)
+- **Credentials**: `jamie@wewrite.app`, `test@wewrite.app` with `TestPassword123!`
+- **Data**: Isolated dev collections (`DEV_users`, `DEV_pages`, etc.)
+
+### Preview & Production
+- **Auth System**: Firebase Auth (real accounts)
+- **Credentials**: `jamiegray2234@gmail.com` and other real Firebase users
+- **Data**: Production collections (`users`, `pages`, etc.)
 
 ## 🎯 Key Design Principles