diff --git a/server/SHServ/Controllers/AuthController.php b/server/SHServ/Controllers/AuthController.php
index 697def6..b0145ea 100644
--- a/server/SHServ/Controllers/AuthController.php
+++ b/server/SHServ/Controllers/AuthController.php
@@ -15,23 +15,15 @@
 {
     use AuthControllerTrait;
 
-    private function logAuth(string $msg): void
-    {
-        $path = dirname(__DIR__, 2) . '/Logs/gauth_debug.log';
-        @file_put_contents($path, date('Y-m-d H:i:s') . ' ' . $msg . "\n", FILE_APPEND | LOCK_EX);
-    }
-
     /**
      * GET /auth/login
      * Redirect user to gnexus-auth authorization page.
      */
     public function login()
     {
-        $this->logAuth('login() called');
         $service = new AuthService();
         $returnTo = $_GET['return_to'] ?? '/';
         $url = $service->buildLoginUrl($returnTo);
-        $this->logAuth("login() redirect to: {$url}");
         return $this->utils()->redirect($url);
     }
 
@@ -45,73 +37,47 @@
             @session_start();
         }
 
-        $this->logAuth('callback() called');
-        try {
-            $code = isset($_GET['code']) ? (string) $_GET['code'] : '';
-            $state = isset($_GET['state']) ? (string) $_GET['state'] : '';
+        $code = isset($_GET['code']) ? (string) $_GET['code'] : '';
+        $state = isset($_GET['state']) ? (string) $_GET['state'] : '';
 
-            $this->logAuth("callback() code={$code}, state={$state}");
-
-            if ($code === '' || $state === '') {
-                $this->logAuth('callback() empty code/state');
-                return $this->utils()->response_error('invalid_callback');
-            }
-
-            $service = new AuthService();
-            $this->logAuth('callback() AuthService created');
-
-            try {
-                $user = $service->handleCallback($code, $state);
-                $this->logAuth('callback() handleCallback OK, userId=' . $user->userId);
-            } catch (\GNexus\GAuth\Exception\GAuthException $e) {
-                $this->logAuth('callback() GAuthException: ' . $e->getMessage());
-                return $this->utils()->response_error('auth_failed', [], ['message' => $e->getMessage()]);
-            } catch (\Throwable $e) {
-                $this->logAuth('callback() Throwable in handleCallback: ' . get_class($e) . ' - ' . $e->getMessage());
-                throw $e;
-            }
-
-            $resolver = new UserResolver();
-            $this->logAuth('callback() UserResolver created');
-
-            try {
-                $localUserId = $resolver->resolve($user);
-                $this->logAuth('callback() resolve OK, localUserId=' . $localUserId);
-            } catch (\Throwable $e) {
-                $this->logAuth('callback() Throwable in resolve: ' . get_class($e) . ' - ' . $e->getMessage());
-                throw $e;
-            }
-
-            $_SESSION['shserv_user_id'] = $localUserId;
-
-            // Persist tokens to DB now that we have the local user ID
-            $sessionToken = $_SESSION['shserv_auth_token'] ?? null;
-            $tokenData = $_SESSION['shserv_last_token_set'] ?? null;
-            if ($sessionToken && $tokenData) {
-                $expiresAt = $tokenData['expires_at'] ? new \DateTimeImmutable($tokenData['expires_at']) : null;
-                $tokenSet = new TokenSet(
-                    accessToken: $tokenData['access_token'],
-                    refreshToken: $tokenData['refresh_token'] ?? null,
-                    tokenType: $tokenData['token_type'] ?? 'Bearer',
-                    expiresIn: $expiresAt ? (int) $expiresAt->format('U') - time() : 0,
-                    expiresAt: $expiresAt,
-                );
-                $dbStore = new DbTokenStore(app()->thin_builder);
-                $dbStore->put($sessionToken, $tokenSet, $localUserId);
-                unset($_SESSION['shserv_last_token_set']);
-                $this->logAuth('callback() DbTokenStore->put() OK');
-            }
-
-            // Redirect back to app
-            $context = $_SESSION['gauth_state'][$state]['context'] ?? [];
-            $returnTo = $context['return_to'] ?? '/';
-            $this->logAuth("callback() redirect to: {$returnTo}");
-            return $this->utils()->redirect($returnTo);
-        } catch (\Throwable $e) {
-            $this->logAuth('callback() UNCAUGHT Throwable: ' . get_class($e) . ' - ' . $e->getMessage());
-            $this->logAuth('callback() Stack: ' . str_replace("\n", ' | ', $e->getTraceAsString()));
-            throw $e;
+        if ($code === '' || $state === '') {
+            return $this->utils()->response_error('invalid_callback');
         }
+
+        $service = new AuthService();
+
+        try {
+            $user = $service->handleCallback($code, $state);
+        } catch (\GNexus\GAuth\Exception\GAuthException $e) {
+            return $this->utils()->response_error('auth_failed', [], ['message' => $e->getMessage()]);
+        }
+
+        $resolver = new UserResolver();
+        $localUserId = $resolver->resolve($user);
+
+        $_SESSION['shserv_user_id'] = $localUserId;
+
+        // Persist tokens to DB now that we have the local user ID
+        $sessionToken = $_SESSION['shserv_auth_token'] ?? null;
+        $tokenData = $_SESSION['shserv_last_token_set'] ?? null;
+        if ($sessionToken && $tokenData) {
+            $expiresAt = $tokenData['expires_at'] ? new \DateTimeImmutable($tokenData['expires_at']) : null;
+            $tokenSet = new TokenSet(
+                accessToken: $tokenData['access_token'],
+                refreshToken: $tokenData['refresh_token'] ?? null,
+                tokenType: $tokenData['token_type'] ?? 'Bearer',
+                expiresIn: $expiresAt ? (int) $expiresAt->format('U') - time() : 0,
+                expiresAt: $expiresAt,
+            );
+            $dbStore = new DbTokenStore(app()->thin_builder);
+            $dbStore->put($sessionToken, $tokenSet, $localUserId);
+            unset($_SESSION['shserv_last_token_set']);
+        }
+
+        // Redirect back to app
+        $context = $_SESSION['gauth_state'][$state]['context'] ?? [];
+        $returnTo = $context['return_to'] ?? '/';
+        return $this->utils()->redirect($returnTo);
     }
 
     /**
diff --git a/webclient/config.php b/webclient/config.php
index b1aa07f..188d71a 100644
--- a/webclient/config.php
+++ b/webclient/config.php
@@ -7,6 +7,7 @@
 	// Какие пути разрешены (белый список) — подстрой под себя
 	"allowed_prefixes" => [
 		"/api/v1/",
+		"/auth/",
 	],
 	"proxy" => [
 		// Кто может обращаться (CORS)
diff --git a/webclient/proxy.php b/webclient/proxy.php
index 797d3f9..1c65f03 100644
--- a/webclient/proxy.php
+++ b/webclient/proxy.php
@@ -115,6 +115,11 @@
 	$forward_headers[] = 'Accept: ' . $headers_in['accept'];
 }
 
+// Cookie — required for session-based auth to work through proxy
+if (!empty($headers_in['cookie'])) {
+	$forward_headers[] = 'Cookie: ' . $headers_in['cookie'];
+}
+
 // Можно добавить свой заголовок, например X-Proxy
 $forward_headers[] = 'X-Proxy: php';
 
diff --git a/webclient/src/components/layout/AppShell.vue b/webclient/src/components/layout/AppShell.vue
index fefde8f..862d4c4 100644
--- a/webclient/src/components/layout/AppShell.vue
+++ b/webclient/src/components/layout/AppShell.vue
@@ -9,33 +9,41 @@
     :current="pageTitle"
   >
     <template #content>
-      <div class="relative">
-        <div class="app-user-bar">
-          <div v-if="authStore.isAuthenticated" class="user-info">
-            <span v-if="authStore.user?.display_name" class="user-name">
-              {{ authStore.user.display_name }}
-            </span>
-            <GnButton variant="ghost" size="sm" @click="handleLogout">
-              <template #icon>
-                <i class="ph ph-sign-out" />
-              </template>
-              Logout
-            </GnButton>
-          </div>
-          <GnButton
-            v-else
-            variant="ghost"
-            size="sm"
-            @click="handleLogin"
-          >
-            <template #icon>
-              <i class="ph ph-sign-in" />
-            </template>
-            Login
-          </GnButton>
-        </div>
-        <slot />
-      </div>
+      <slot />
+    </template>
+
+    <template #footer>
+      <GnUserCard
+        v-if="authStore.isAuthenticated"
+        :name="authStore.user?.display_name || 'User'"
+        :email="authStore.user?.email || ''"
+        :role="formatRole(authStore.user?.system_role)"
+        :avatar="{
+          src: authStore.user?.avatar_url || '',
+          initials: getInitials(authStore.user?.display_name),
+          size: 'sm',
+        }"
+        compact
+        :actions="[
+          {
+            label: 'Logout',
+            icon: 'ph-sign-out',
+            variant: 'ghost',
+            onClick: handleLogout,
+          },
+        ]"
+      />
+      <GnButton
+        v-else
+        variant="primary"
+        size="sm"
+        @click="handleLogin"
+      >
+        <template #icon>
+          <i class="ph ph-sign-in" />
+        </template>
+        Sign in
+      </GnButton>
     </template>
   </GnNavigationShell>
 </template>
@@ -43,7 +51,7 @@
 <script setup>
 import { computed } from "vue";
 import { useRoute } from "vue-router";
-import { GnNavigationShell, GnButton } from "gnexus-ui-kit/vue";
+import { GnNavigationShell, GnButton, GnUserCard } from "gnexus-ui-kit/vue";
 import { useAuthStore } from "../../stores/auth.js";
 
 const route = useRoute();
@@ -92,6 +100,20 @@
   });
 });
 
+function getInitials(name) {
+  if (!name) return "";
+  return name
+    .split(/\s+/)
+    .slice(0, 2)
+    .map((w) => w[0]?.toUpperCase())
+    .join("");
+}
+
+function formatRole(role) {
+  if (!role) return "";
+  return role.charAt(0).toUpperCase() + role.slice(1);
+}
+
 function handleLogin() {
   const returnTo = window.location.hash || "#/";
   window.location.href = `/auth/login?return_to=${encodeURIComponent(returnTo)}`;
@@ -101,31 +123,3 @@
   authStore.logout();
 }
 </script>
-
-<style scoped>
-.app-user-bar {
-  position: absolute;
-  top: 0.5rem;
-  right: 0.5rem;
-  z-index: 50;
-  display: flex;
-  align-items: center;
-  gap: 0.5rem;
-}
-
-.user-info {
-  display: flex;
-  align-items: center;
-  gap: 0.5rem;
-}
-
-.user-name {
-  font-size: 0.875rem;
-  font-weight: 500;
-  color: var(--color-text-secondary, #6b7280);
-  max-width: 120px;
-  overflow: hidden;
-  text-overflow: ellipsis;
-  white-space: nowrap;
-}
-</style>