# Auth API Deployment Guide (botbinaryhub.com)

This guide covers the parts that must be done on hosting infrastructure (outside app code).

## Goal

`POST /auth/firebase-custom-token` must reach your Node auth API and return JSON, not HTML.

## 1) Required runtime checks

From your browser Network tab, confirm for `/auth/firebase-custom-token`:

- Status: `200`
- `content-type`: `application/json`
- Body contains `firebaseCustomToken`

If the content-type is `text/html`, the request is still being served by the static site handler rather than the Node API.

## 2) Deploy Node auth API separately

Run `firebase-auth-server` behind a process manager (pm2 or systemd) and an HTTPS reverse proxy.

Environment variables:

- `PORT=8080`
- `ALLOWED_ORIGIN=https://botbinaryhub.com`
- `GOOGLE_APPLICATION_CREDENTIALS=/secure/path/service-account.json`
- Optional: `DERIV_WS_HOST`, `DERIV_APP_ID`, `DERIV_TIMEOUT_MS`
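Two things go wrong most often with the variables above: a missing one is only noticed on the first request, and `ALLOWED_ORIGIN` is written with a trailing slash or path so it never equals the bare origin a browser sends. The following is an added example (not code from `firebase-auth-server`) showing a fail-fast startup check and an exact-match CORS decision; the names `validateEnv`, `corsDecision` and `applyCors` are assumptions, not the project's API.

```javascript
'use strict';
// Added example, not code from the firebase-auth-server project: startup
// validation of the section 2 variables plus an exact-match CORS decision
// for ALLOWED_ORIGIN. Function names are assumptions, not the project's API.

const REQUIRED_ENV = ['PORT', 'ALLOWED_ORIGIN', 'GOOGLE_APPLICATION_CREDENTIALS'];

// Fail fast at boot: a missing variable should crash the process under
// pm2/systemd rather than surface later as 500s on the token endpoint.
function validateEnv(env) {
  const missing = REQUIRED_ENV.filter((k) => !env[k] || env[k].trim() === '');
  if (missing.length > 0) {
    throw new Error(`missing required env: ${missing.join(', ')}`);
  }
  const port = Number(env.PORT);
  if (!Number.isInteger(port) || port < 1 || port > 65535) {
    throw new Error(`PORT must be a TCP port number, got ${env.PORT}`);
  }
  let url;
  try {
    url = new URL(env.ALLOWED_ORIGIN);
  } catch {
    throw new Error('ALLOWED_ORIGIN must be an absolute URL such as https://botbinaryhub.com');
  }
  // Browsers send a bare origin (scheme://host[:port]) in the Origin header.
  // A path, query or fragment in ALLOWED_ORIGIN would never compare equal,
  // so normalise to url.origin (this also drops a trailing slash).
  if (url.pathname !== '/' || url.search !== '' || url.hash !== '') {
    throw new Error('ALLOWED_ORIGIN must be an origin only, with no path, query or fragment');
  }
  return { port, allowedOrigin: url.origin };
}

// Decide CORS treatment for one request. Exact string comparison only: no
// prefix/suffix/regex matching, and the request origin is never reflected
// back unless it is exactly the allowed one.
function corsDecision(requestOrigin, allowedOrigin) {
  if (requestOrigin === undefined) {
    // No Origin header: curl, server-to-server, or a non-CORS request.
    // CORS does not apply; token verification in the route handler still does.
    return { kind: 'no-origin', headers: {} };
  }
  if (requestOrigin !== allowedOrigin) {
    return { kind: 'reject', headers: {} };
  }
  return {
    kind: 'allow',
    headers: {
      'Access-Control-Allow-Origin': allowedOrigin,
      'Access-Control-Allow-Methods': 'POST, OPTIONS',
      'Access-Control-Allow-Headers': 'Content-Type, Authorization',
      'Access-Control-Max-Age': '600',
      Vary: 'Origin',
    },
  };
}

// Wire the decision into a plain node:http handler. Returns true when the
// request has been fully answered (preflight or rejected origin) so the
// caller skips the route logic; the answer is always JSON, never HTML.
function applyCors(req, res, allowedOrigin) {
  const decision = corsDecision(req.headers.origin, allowedOrigin);
  if (decision.kind === 'reject') {
    res.writeHead(403, { 'Content-Type': 'application/json' });
    res.end(JSON.stringify({ error: 'origin not allowed' }));
    return true;
  }
  for (const [name, value] of Object.entries(decision.headers)) {
    res.setHeader(name, value);
  }
  if (req.method === 'OPTIONS') {
    res.writeHead(204);
    res.end();
    return true;
  }
  return false;
}

module.exports = { validateEnv, corsDecision, applyCors };
```

Call `validateEnv(process.env)` once before `server.listen`, and `applyCors(req, res, cfg.allowedOrigin)` at the top of the request handler. CORS only governs what a browser page may read; it is not authentication, so the route behind it must still verify the token it receives.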

## 3) Route traffic to auth API

You need one of these patterns:

1. Subdomain pattern (recommended)

- API URL: `https://auth.botbinaryhub.com/auth/firebase-custom-token`
- Set frontend env: `FIREBASE_CUSTOM_TOKEN_ENDPOINT=https://auth.botbinaryhub.com/auth/firebase-custom-token`

2. Same-domain path proxy

- Frontend URL stays `https://botbinaryhub.com/auth/firebase-custom-token`
- Reverse proxy must forward `/auth/*` to Node server on `127.0.0.1:8080`

## 4) LiteSpeed/OpenLiteSpeed style proxy idea

Exact UI labels differ by panel, but the concept is:

- Match path: `/auth/*`
- Upstream: `http://127.0.0.1:8080`
- Preserve method/body/headers
- Keep `Content-Type: application/json` from upstream

After saving and restarting the proxy, re-test the endpoint in the browser and with curl.

## 5) Frontend rebuild/deploy

After setting `FIREBASE_CUSTOM_TOKEN_ENDPOINT`, rebuild and redeploy frontend.

## 6) Firestore rules

Keep claim-based rules requiring:

- `request.auth.token.deriv_loginid == loginid`
- the document's `loginid` field must match the `{loginid}` segment of the path `users/{loginid}/sessions/{sessionId}`
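The two requirements above written out as a rules file, added here as an example and not the project's own rules. It assumes the backend mints the custom token with a `deriv_loginid` claim (which is what the rule above reads) and that each session document carries a `loginid` field; the helper name `ownsLoginid` is chosen here.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // True only for a signed-in user whose custom claim names this loginid.
    // Assumes the backend sets deriv_loginid on the custom token it mints.
    function ownsLoginid(loginid) {
      return request.auth != null
        && request.auth.token.deriv_loginid == loginid;
    }

    match /users/{loginid}/sessions/{sessionId} {
      // Reads: the claim must match the path segment.
      allow read: if ownsLoginid(loginid);

      // Writes: the claim must match the path AND the document's own loginid
      // field must equal the path segment, so a session cannot be stored under
      // one user's path while carrying another user's loginid.
      allow create, update: if ownsLoginid(loginid)
        && request.resource.data.loginid == loginid;

      allow delete: if ownsLoginid(loginid);
    }

    // No other match blocks: every other path is denied by default.
  }
}
```

Keep the check on `request.resource.data.loginid` for updates as well as creates; otherwise a later update could change the field to a different loginid while the path still passes the claim check.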

## 7) Quick troubleshooting matrix

- `200 text/html`: proxy/routing wrong (still static handler)
- `401 JSON`: token verification failed in backend
- `CORS error`: `ALLOWED_ORIGIN` mismatch
- Firebase permission denied: rules/claims mismatch
