azure static web app auth readiness

Generated: 2026-06-29

current state

The live worker hub is still in public preview mode with draft-safe forms.

Do not treat the mock profile password box as real authentication. It is only a front-end preview of the intended profile flow and does not save the password.

intended production auth

Use Microsoft Entra ID / Azure Static Web Apps authentication.

Recommended roles:

section gates

static web apps route plan

After Entra roles are ready, protect:

Keep the root route / available to the anonymous role only if you want public preview or landing-page access. For a fully private worker hub, restrict / to the authenticated role.

Prepared files:

Preview the protected-mode config before applying it:

```powershell
powershell -NoProfile -ExecutionPolicy Bypass -File launch\set-static-web-app-auth-mode.ps1 -Mode preview
```

Apply only after Microsoft Entra / Static Web Apps roles are configured:

```powershell
powershell -NoProfile -ExecutionPolicy Bypass -File launch\set-static-web-app-auth-mode.ps1 -Mode apply
powershell -NoProfile -ExecutionPolicy Bypass -File launch\deploy-static-web-app-direct.ps1
```

If you need to return to public preview mode after testing:

```powershell
powershell -NoProfile -ExecutionPolicy Bypass -File launch\set-static-web-app-auth-mode.ps1 -Mode restore-preview
```

go-live checklist

1. Configure Microsoft Entra authentication for Azure Static Web Apps.
2. Assign approved users to authenticated, worker, and admin roles.
3. Replace the mock profile password behavior with Microsoft sign-in status.
4. Protect /outputs/* before placing sensitive setup reports there.
5. Confirm SharePoint Lists/forms exist, then run npm.cmd run verify:sharepoint-forms.
6. Run npm.cmd run forms:live only after form verification passes.
7. Run npm.cmd run verify, npm.cmd run verify:live, and npm.cmd run verify:render.
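
A pre-deploy check for the route plan and checklist step 4, as an added example that is not one of the project's prepared files: it models first-match route evaluation over a staticwebapp.config.json object and reports paths that an anonymous visitor could still reach. The /worker/* route, the role assigned to each route, and the probe file names are assumptions, and the matcher is simplified to exact routes and trailing wildcards.

```javascript
// Added example. Simplified model of Static Web Apps routing (assumption):
// rules are checked in order, the first match wins, a route is either an exact
// path or ends in "*", and a rule without allowedRoles is open to everyone.

function matches(route, path) {
  return route.endsWith('*') ? path.startsWith(route.slice(0, -1)) : route === path;
}

// Roles that may request `path`, or ['anonymous'] when no rule applies.
function effectiveRoles(config, path) {
  const rule = (config.routes || []).find((r) => matches(r.route, path));
  return rule && rule.allowedRoles ? rule.allowedRoles : ['anonymous'];
}

// Paths from `mustProtect` that an anonymous visitor can still reach.
function findExposedPaths(config, mustProtect) {
  return mustProtect.filter((p) => effectiveRoles(config, p).includes('anonymous'));
}

// Constructed sample: a broad anonymous rule listed first shadows the
// /outputs/* rule below it, so the setup reports stay public.
const shadowed = {
  routes: [
    { route: '/*', allowedRoles: ['anonymous'] },
    { route: '/outputs/*', allowedRoles: ['admin'] },
  ],
};

// Constructed sample: specific rules first, public landing page last.
// Which role guards which section is an assumption, not taken from the page.
const ordered = {
  routes: [
    { route: '/outputs/*', allowedRoles: ['admin'] },
    { route: '/worker/*', allowedRoles: ['worker', 'admin'] }, // hypothetical section
    { route: '/', allowedRoles: ['anonymous'] },
  ],
};

// Hypothetical file names used only to probe the two protected prefixes.
const probes = ['/outputs/setup-report.html', '/worker/tasks.html'];
console.log('shadowed:', findExposedPaths(shadowed, probes));
console.log('ordered: ', findExposedPaths(ordered, probes));
```

Any path the check reports should block the deploy, because a rule that appears lower in the routes array never runs once an earlier rule has matched.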

sensitive info rule

Never store passwords, recovery codes, ID photos, billing/card/bank info, payout settings, private fan/customer records, private creator records, or platform recovery details in the website. Where sensitive proof exists elsewhere, use the note "owner-only private record required" instead.