feat: user auth/login feature #483
Open
Description
Expand auth support beyond admin-only to support prescriber accounts. This adds a three-tier access model (anonymous, authenticated, admin), completes the registration-to-login lifecycle, and introduces proper permission boundaries between regular users and admins.
Core clinical tools (medication suggester, medication list, chatbot & q/a chat) will remain publicly accessible without login.
Note: User-owned data features (persistent conversations, saved PDF lists, etc.) are not part of this work as of now. They depend on the DB migration (#464) and will be a separate effort after that's resolved.
See the full design doc here
Sub-issues:
- [auth]: fix auth bugs, add admin permission boundaries, lock down CORS #484: Fix auth bugs and add admin permission boundaries
- [auth]: registration and email activation #485: Registration and email activation
- [auth]: update login page, add login button, add token refresh #486: Login UX, token refresh
- [auth]: profile page #487: Profile page
Acceptance criteria
- Non-admin users can register with email, activate their account, and log in
- Authenticated users can access auth-only features (profile, PDF viewing) but not admin tools
- Admin users retain exclusive access to admin endpoints and admin UI (rules manager, manage meds, file uploads, settings)
- Anonymous users can still access all core clinical tools without logging in (medication suggester, medication list, risk data, chatbot)
- Sessions refresh silently without logging the user out after 60 minutes
- Password reset works end-to-end via email
- isSuperuser is correctly determined from the JWT on page reload, not hardcoded