rzyfront/vendix-customer-auth
skills/vendix-customer-auth/SKILL.md
Customer authentication patterns for STORE_ECOMMERCE using modal login/register, store-scoped auth endpoints, tenant context, and legal document acceptance. Trigger: When implementing customer login, registration, auth modal, or ecommerce auth flows.
$ install --global
skillsauthnpx skillsauth add rzyfront/vendix vendix-customer-authInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 16, 2026, 5:06 AM201.1s1 file scanned
SKILL.md
- name:
- vendix-customer-auth
- description:
- >
- license:
- MIT
- author:
- rzyfront
- version:
- 1.1
- scope:
- [root]
When to Use
- Implementing customer login or registration in
STORE_ECOMMERCE. - Editing the ecommerce auth modal or store ecommerce layout.
- Working with
loginCustomer,registerCustomer, customer tokens, or legal document acceptance.
Backend Endpoints
POST /auth/register-customeris@Public().POST /auth/login-customeris@Public().- Both collect
ip_addressanduser_agentfrom the request.
Files:
apps/backend/src/domains/auth/auth.controller.tsapps/backend/src/domains/auth/auth.service.tsapps/backend/src/domains/auth/dto/register-customer.dto.tsapps/backend/src/domains/auth/dto/login-customer.dto.ts
DTO Rules
RegisterCustomerDto requires email, first_name, last_name, and store_id.
password is optional in the backend DTO. If provided, it must be at least 8 chars and contain at least one non-alphanumeric character. The current frontend modal requires a password during registration.
Optional registration fields include phone, document_type, and document_number. Phone allows digits plus + # * ( ) - and spaces.
LoginCustomerDto requires email, password, and store_id.
Backend Service Behavior
registerCustomer():
- Finds the store by
store_id. - Rejects duplicate email within the store organization.
- Uses role name
customerin lowercase. - Generates a temporary password if backend password is omitted.
- Creates
userswith the store organization id. - Creates
user_settingswithapp_type: 'STORE_ECOMMERCE'. - Creates
user_rolesandstore_usersassociation. - Generates tokens with organization context.
- Emits
customer.createdand sends a store-branded welcome email.
loginCustomer():
- Finds store and user by
email + organization_id. - Validates bcrypt password.
- Rejects suspended/archived users.
- Requires role
customerand association instore_users. - Generates tokens with
store_id: store.id. - Returns
updatedEnvironment: 'STORE_ECOMMERCE'.
Frontend Modal Pattern
Use modal auth, not redirects, for customer login/register.
Files:
apps/frontend/src/app/private/layouts/store-ecommerce/store-ecommerce-layout.component.tsapps/frontend/src/app/private/layouts/store-ecommerce/components/auth-modal/auth-modal.component.tsapps/frontend/src/app/core/store/auth/auth.actions.tsapps/frontend/src/app/core/store/auth/auth.facade.tsapps/frontend/src/app/core/store/auth/auth.effects.tsapps/frontend/src/app/core/store/auth/auth.reducer.ts
The layout uses signals:
readonly is_auth_modal_open = signal(false);
readonly auth_modal_mode = signal<'login' | 'register'>('login');
login(): void {
this.auth_modal_mode.set('login');
this.is_auth_modal_open.set(true);
}
Template binding:
<app-auth-modal
[isOpen]="is_auth_modal_open()"
[initialMode]="auth_modal_mode()"
[storeLogo]="store_logo()"
[storeName]="store_name()"
(closed)="closeAuthModal()"
/>
Auth Modal Behavior
AuthModalComponent uses signal input()/output() APIs and signal state. It auto-closes with an effect() when authFacade.isAuthenticated() becomes true while the modal is open.
Login calls:
const storeId = this.tenantFacade.getCurrentStoreId();
this.authFacade.loginCustomer(email, password, storeId);
Registration calls:
this.authFacade.registerCustomer({
email,
password,
first_name,
last_name,
store_id: storeId,
});
The modal requires pending legal documents to be accepted before registration when any are returned by the legal service.
NgRx Auth Pattern
Dedicated customer actions exist: loginCustomer, loginCustomerSuccess, loginCustomerFailure, registerCustomer, registerCustomerSuccess, and registerCustomerFailure.
AuthFacade.loginCustomer() and AuthFacade.registerCustomer() dispatch those actions. Facade signals use toSignal(..., { initialValue }).
loginSuccess$ handles customer login success too. Customer login returns updatedEnvironment: 'STORE_ECOMMERCE'; do not rely on it being null.
registerCustomerSuccess persists auth state in the reducer and shows a success toast through its effect.
Tenant Context
The auth modal obtains store_id through TenantFacade.getCurrentStoreId(), which reads currentStore().id first and falls back to domainConfig().store_id.
Legal document APIs use x-store-id and live in apps/frontend/src/app/public/ecommerce/services/legal.service.ts.
Rules
- Use
loginCustomer/registerCustomer, not admin login/register, for ecommerce customers. - Use signals for modal state; do not copy old plain boolean examples.
- Use lowercase
customerwhen reasoning about backend role names. - Keep frontend password validators aligned with backend password requirements when a password is collected.
- Do not redirect customers to admin routes after login.
- Keep document acceptance in the registration flow when pending legal documents exist.
Related Skills
vendix-ecommerce-checkout- Guest vs authenticated checkout boundaryvendix-backend-auth- Backend auth guards and public routesvendix-zoneless-signals- Modal signal patternsvendix-multi-tenant-context- Store id resolution
Related Skills
rzyfront/mobile-dev
development
VerifiedTrustedCommunity
Mobile app development rules for Vendix Expo/React Native project. Trigger: When editing, creating, or modifying any file under apps/mobile, or when developing mobile-specific features.
5SKILL.mdUpdated May 29, 2026
rzyfront/vendix-subscription-gate
development
VerifiedTrustedCommunity
Feature gating by store subscription state: global store write guard, AI feature gate, Redis feature resolution, quota consumption, frontend paywall interceptor, banner, and subscription UI states. Trigger: When adding feature gates, paywalls, subscription-based access control, protecting store write operations, AI feature gates, or rollout flags.
5SKILL.mdUpdated May 16, 2026
rzyfront/vendix-saas-billing
testing
VerifiedTrustedCommunity
SaaS subscription billing for Vendix stores: plan pricing, invoices, Wompi platform payments, manual payments, partner commissions, payouts, proration, and dunning. Trigger: When creating SaaS invoices, working with partner rev-share, margin/surcharge pricing, invoice sequence allocation, partner payout batches, subscription payments, manual payments, or dunning flows.
5SKILL.mdUpdated May 16, 2026
rzyfront/vendix-redis-quota
development
VerifiedTrustedCommunity
Periodic quota counters with Redis, UTC period keys, Lua-based idempotent AI quota consumption, request-id deduplication, and post-success consumption. Trigger: When building quota counters, enforcing monthly/daily feature caps, or reusing AI quota patterns for uploads, emails, exports, or rate-limited features.
5SKILL.mdUpdated May 16, 2026