6-progress.md

# Progress Report - Frontend & Admin Fixes Date: Friday, January 9, 2026 ## Issue Description After fixing the API to use `/v1` routes, the **web frontend** continued to fail with 404 errors on login, despite the code update to `apps/web/lib/api.ts`. * **Symptom**: `https://audivamax.com/login` failed with `404` for `api/auth/login`. * **Cause**: The environment file `apps/web/.env` contained `NEXT_PUBLIC_API_URL=https://audivamax.com/api`, which **overrode** the default value set in `lib/api.ts`. Next.js inlines this environment variable at build time, so the code change was ignored in favor of the env var. ## Resolution ### 1. Web App Env Update * Updated `apps/web/.env`: ```env # Old NEXT_PUBLIC_API_URL=https://audivamax.com/api # New NEXT_PUBLIC_API_URL=https://audivamax.com/api/v1 ``` ### 2. Clean Rebuild * Deleted `.next` cache: `rm -rf apps/web/.next` * Rebuilt web app: `npm run build` * Restarted service: `pm2 restart audivamax-web` ## Verification * **Env Check**: Confirmed `apps/web/.env` points to `/api/v1`. * **Frontend**: The build now embeds the correct API URL. Requests from the browser will now go to `https://audivamax.com/api/v1/auth/login`, which matches the working backend configuration. # Progress Report - iOS Audiobook Download & M4B Support Date: Saturday, January 10, 2026 ## Issue Description iOS users reported that audiobook downloads were hanging or returning HTML error pages instead of audio files. * **Symptom**: Downloads fail in the iOS app; binary audio is replaced by HTML 404/500 pages. * **Cause 1**: The `protect` middleware did not support authentication via query parameters, which is required for iOS background `URLSessionDownloadTask`. * **Cause 2**: The generated download URLs were missing the `/v1` prefix, leading to 404 errors from the API. * **Cause 3**: iOS requires specific headers (`Content-Type`, `Content-Length`) and prefers `.m4b` extensions for audiobook files. ## Resolution ### 1. Robust Authentication * Updated `protect` middleware in `apps/api/src/middleware/authMiddleware.ts` to check for tokens in `req.query.token` as a fallback to the `Authorization` header. * Added debug logging specifically for download requests to monitor token resolution. ### 2. Dedicated Download Endpoint * Implemented `GET /v1/library/:bookId/download` in `libraryController.ts`. * Added logic to serve files with `Content-Disposition: attachment; filename="audio.m4b"`. * Supported `Range` headers for resumable downloads. * Ensured the response returns the actual `file_size` and correct MIME types (`audio/mp4` for M4B/M4A). ### 3. URL Generation Fix * Updated `playbackController.ts` and `libraryController.ts` to include `/v1` in the default `baseUrl`. * Injected the authentication token directly into the `audioUrl` returned by the library sync to ensure "one-click" download compatibility for the mobile client. ## Verification * **Middleware Test**: Confirmed `curl` with `?token=...` correctly identifies the token and attempts verification (returning 401 JSON instead of 404 HTML). * **Path Test**: Verified that requests to `/v1/library/.../download` reach the controller, while old `/library/...` paths correctly 404. * **Header Test**: Verified `Content-Disposition` and `Content-Type` are correctly set for binary delivery.