
data.oriz.in aggregator app + centralized auth.oriz.in + Phone-Auth Pro-tier-only

Type: decision. Tags: data-hub, auth, firebase, phone-sms, central-auth

Data hub + central auth + Phone gating

data.oriz.in aggregator

NEW app oriz-data-aggregator-app at c:/D/oriz/repos/oriz/own/prod/apps/content/oriz-data-aggregator-app/. Hosted on Cloudflare Pages (a one-level subdomain, so Cloudflare Universal SSL covers it without an extra certificate).

Scope

Tech

auth.oriz.in central auth

auth.oriz.in is the central Firebase Auth domain. ALL apps redirect here for sign-in:

Flow

  1. User clicks "Sign in" on any app (e.g. paisa.oriz.in)
  2. Browser redirects to auth.oriz.in/sign-in?return=https://paisa.oriz.in/account
  3. auth.oriz.in shows the unified sign-in UI (Google + GitHub + Email-link [+ Phone for Pro tier])
  4. User picks provider, signs in, Firebase issues token
  5. auth.oriz.in redirects back to the return URL, with the Firebase ID token in the URL fragment
  6. Originating app captures token + sets Firebase Auth state locally
  7. Cross-app SSO works via Firebase's signInWithCustomToken + cookie at .oriz.in
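The redirect handoff in steps 2, 5 and 6 above, as an added example (this is not code from @chirag127/auth-core or oriz-auth-app). It assumes an allowlisted parent domain of oriz.in, a fragment key of id_token, and the function names used here; none of these are on the page. The point it adds is the check a central auth host needs before honouring ?return=: if any URL is accepted, the redirect becomes an open redirect and the ID token in the fragment goes with it.

```typescript
// Added example, not the project's code. Assumed: ALLOWED_PARENT, the
// "id_token" fragment key and the function names.
const AUTH_HOST = "https://auth.oriz.in";
const ALLOWED_PARENT = "oriz.in"; // assumed: only first-party apps may receive tokens

/** Step 2: the SignInButton builds the URL it sends the browser to. */
function buildSignInUrl(currentUrl: string): string {
  const u = new URL(`${AUTH_HOST}/sign-in`);
  u.searchParams.set("return", currentUrl);
  return u.toString();
}

/**
 * Step 5 guard: auth.oriz.in redirects only to first-party HTTPS origins.
 * Everything else (http, other domains, relative paths, embedded
 * credentials, malformed input) is rejected so the token never leaves
 * *.oriz.in.
 */
function isAllowedReturnUrl(raw: string): boolean {
  let u: URL;
  try {
    u = new URL(raw); // relative values throw here and are rejected
  } catch (err) {
    return false;
  }
  if (u.protocol !== "https:") return false;
  if (u.username || u.password) return false; // no credentials in the authority
  const host = u.hostname.toLowerCase();
  return host === ALLOWED_PARENT || host.endsWith(`.${ALLOWED_PARENT}`);
}

/** Step 5: carry the token in the fragment so it is not sent to the server. */
function buildReturnRedirect(returnUrl: string, idToken: string): string | null {
  if (!isAllowedReturnUrl(returnUrl)) return null;
  const u = new URL(returnUrl);
  const frag = new URLSearchParams();
  frag.set("id_token", idToken);
  u.hash = frag.toString(); // the setter adds the leading "#"
  return u.toString();
}

/** Step 6: the originating app reads the token back out of location.hash. */
function extractIdToken(landingUrl: string): string | null {
  const u = new URL(landingUrl);
  const frag = new URLSearchParams(u.hash.replace(/^#/, ""));
  return frag.get("id_token");
}
```

The allowlist is a suffix match on the hostname, not a substring match on the whole URL, which is why a host such as oriz.in.example.com fails the check. The fragment is used because browsers do not send it with the request, so the token does not land in the app's access logs; the app still has to clear it from the address bar after capturing it.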

Why centralize

Implementation

@chirag127/auth-core package gains a <SignInButton /> component that always redirects to https://auth.oriz.in/sign-in?return=<current-url>. The oriz-auth-app (NEW; at repos/oriz/own/prod/apps/hub/oriz-auth-app/) hosts the sign-in UI itself, mounted at auth.oriz.in.

Phone Auth gating

Firebase Phone Auth is technically enabled in the Console (per user request: Google + GitHub + Email + Phone all on). BUT:

Tier-gated UI

Tier   Phone Auth visible?   SMS quota
Free   NO                    0/day
Pro    YES                   5/day
Max    YES                   Unlimited

Implementation: oriz-auth-app's sign-in UI conditionally renders the Phone provider button based on the requesting app's user tier (looked up in Firestore on the first auth attempt; the button is not shown at all for anonymous users).

OR, simpler: Phone is shown ONLY when the user has an existing Pro/Max subscription that they are logging back into (the auth flow loads subscription state before deciding which providers to render).
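The tier gating and the SMS quota from the table above, as an added example (not oriz-auth-app code). It assumes the provider identifiers, the function and class names, an "anonymous" tier that behaves like Free, and that the per-day quota is counted per user id and resets on the UTC date; none of that is on the page. It pairs the UI decision (which buttons to render) with a server-side counter, because hiding the Phone button is a UX choice, not enforcement of the 0/5/unlimited quota.

```typescript
// Added example, not the project's code. Assumed: Tier/Provider names,
// per-uid tracking, UTC-day reset.
type Tier = "anonymous" | "free" | "pro" | "max";
type Provider = "google" | "github" | "email-link" | "phone";

const BASE_PROVIDERS: Provider[] = ["google", "github", "email-link"];

// SMS sends allowed per day; null means unlimited (Max). Free and
// anonymous users get 0, which is also what hides the Phone button.
const SMS_QUOTA: Record<Tier, number | null> = {
  anonymous: 0,
  free: 0,
  pro: 5,
  max: null,
};

/** Which provider buttons the sign-in UI renders for this tier. */
function visibleProviders(tier: Tier): Provider[] {
  return SMS_QUOTA[tier] === 0 ? [...BASE_PROVIDERS] : [...BASE_PROVIDERS, "phone"];
}

/** Server-side enforcement of the same table, keyed by user and UTC day. */
class SmsQuotaTracker {
  private sent = new Map<string, number>(); // key: `${uid}:${YYYY-MM-DD}`

  private key(uid: string, now: Date): string {
    return `${uid}:${now.toISOString().slice(0, 10)}`;
  }

  /** Returns true and records the send if the tier still has quota today. */
  trySend(uid: string, tier: Tier, now: Date = new Date()): boolean {
    const limit = SMS_QUOTA[tier];
    if (limit === 0) return false; // Free/anonymous: never
    const k = this.key(uid, now);
    const used = this.sent.get(k) ?? 0;
    if (limit !== null && used >= limit) return false; // Pro: 5/day cap
    this.sent.set(k, used + 1); // Max: null limit, always allowed
    return true;
  }

  sentToday(uid: string, now: Date = new Date()): number {
    return this.sent.get(this.key(uid, now)) ?? 0;
  }
}
```

The tracker is in-memory here for the sake of a runnable example; in the real deployment the count would live wherever subscription state already lives (the page says Firestore), so that a user cannot reset it by hitting a different instance.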

Authentication scope

ONLY in apps. NEVER in APIs.

This avoids:

Cross-refs