fix login

CLAUDE.md

@@ -132,7 +132,7 @@ pytest services/pii/tests/test_file.py::test_function
 
 **Config override:** Any config key can be overridden via env var with the `VEYLANT_` prefix and `.` → `_` replacement. Example: `VEYLANT_SERVER_PORT=9090` overrides `server.port`.
 
-**Auth config:** `auth.jwt_secret` (env: `VEYLANT_AUTH_JWT_SECRET`) and `auth.jwt_ttl_hours`. Login endpoint: `POST /v1/auth/login` (public). Dev credentials: `admin@veylant.dev` / `admin123`. Tokens are HS256-signed JWTs; users stored in `users` table with bcrypt password hashes (migration 000010).
+**Auth config:** `auth.jwt_secret` (env: `VEYLANT_AUTH_JWT_SECRET`) and `auth.jwt_ttl_hours`. Login endpoint: `POST /v1/auth/login` — public (no JWT required), CORS applied. Dev credentials: `admin@veylant.dev` / `admin123`. Tokens are HS256-signed JWTs; users stored in `users` table with bcrypt password hashes (migration 000010) and a `name TEXT` column (migration 000012). Login response includes `{token, user: {id, email, name, role, tenant_id, department}}`.
 
 **Provider configs:** LLM provider API keys are stored encrypted (AES-256-GCM) in the `provider_configs` table (migration 000011). CRUD via `GET|POST /v1/admin/providers`, `PUT|DELETE|POST-test /v1/admin/providers/{id}`. Adapters hot-reload on save/update without proxy restart (`router.UpdateAdapter()` / `RemoveAdapter()`).
 

cmd/proxy/main.go

@@ -293,14 +293,19 @@ func main() {
 		r.Get(cfg.Metrics.Path, promhttp.Handler().ServeHTTP)
 	}
 
-	// Public login endpoint — must be registered before the auth middleware below.
 	loginHandler := auth.NewLoginHandler(db, cfg.Auth.JWTSecret, cfg.Auth.JWTTTLHours, logger)
-	r.Post("/v1/auth/login", loginHandler.ServeHTTP)
 
 	r.Route("/v1", func(r chi.Router) {
 		r.Use(middleware.CORS(cfg.Server.AllowedOrigins))
+
+		// Public — CORS applied, no auth required.
+		r.Post("/auth/login", loginHandler.ServeHTTP)
+
+		// Protected — JWT auth + tenant rate limit.
+		r.Group(func(r chi.Router) {
 			r.Use(middleware.Auth(jwtVerifier))
 			r.Use(middleware.RateLimit(rateLimiter))
+
 			r.Post("/chat/completions", proxyHandler.ServeHTTP)
 
 			// PII analyze endpoint for Playground (E8-11, Sprint 8).
@@ -341,6 +346,7 @@ func main() {
 				logger.Info("compliance module started")
 			}
 		})
+	})
 
 	// ── HTTP server ───────────────────────────────────────────────────────────
 	addr := fmt.Sprintf(":%d", cfg.Server.Port)

internal/auth/login.go

@@ -70,7 +70,7 @@ func (h *LoginHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	var u userInfo
 	var passwordHash string
 	err := h.db.QueryRowContext(r.Context(),
-		`SELECT id, tenant_id, email, email, role, COALESCE(department,''), password_hash
+		`SELECT id, tenant_id, email, COALESCE(name,''), role, COALESCE(department,''), password_hash
 		 FROM users
 		 WHERE email = $1 AND is_active = TRUE
 		 LIMIT 1`,

migrations/000012_users_add_name.up.sql

@@ -1,6 +1,9 @@
 -- Migration 000012: Add name column to users table.
 -- Migration 000001 created users without a name column; migration 000006 used
 -- CREATE TABLE IF NOT EXISTS which was a no-op since the table already existed.
--- This migration adds the missing column retroactively.
+-- This migration adds the missing column retroactively and seeds existing users.
 
 ALTER TABLE users ADD COLUMN IF NOT EXISTS name TEXT NOT NULL DEFAULT '';
+
+-- Seed name for the dev admin user created in migration 000001.
+UPDATE users SET name = 'Admin Veylant' WHERE email = 'admin@veylant.dev' AND name = '';