diff --git a/.vscode/settings.json b/.vscode/settings.json
index d41a36c..6e5c8ea 100644
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -1,3 +1,3 @@
 {
-  "cSpell.words": ["cookieconsent", "csrf"]
+  "cSpell.words": ["Rollbar", "cookieconsent", "csrf"]
 }
diff --git a/README.md b/README.md
index 885cea1..009d903 100644
--- a/README.md
+++ b/README.md
@@ -96,7 +96,7 @@ Some super helpful references to keep handy:
 
   - [+] chore: posts to github releases (not to npm)
 
-- [ ] feat: profile menu w/ login/logout (see alertgenie)
+- [+] feat: profile menu w/ login/logout
 
   - [ ] feat: logout endpoint (clears the session)
 
@@ -104,8 +104,8 @@ Some super helpful references to keep handy:
 
 - [ ] feat: CSRF token middleware in all state-changing APIs:
 
-  - [+] CSRF server support: automatic detection/rejection
-  - [ ] CSRF client support: Automatic inclusion of the token
+  - [ ] CSRF server support: automatic detection/rejection
+  - [+] CSRF client support: Automatic inclusion of the token
 
 - UserContext:
 
diff --git a/client/src/App.tsx b/client/src/App.tsx
index 72b1e8b..f79bafd 100644
--- a/client/src/App.tsx
+++ b/client/src/App.tsx
@@ -6,6 +6,7 @@ import Data from "./pages/Data"
 import Privacy from "./pages/policy/Privacy"
 import Terms from "./pages/policy/Terms"
 import { useCookieConsent } from "./lib/cookieConsent"
+import Profile from "./pages/Profile"
 
 export default function App(): JSX.Element {
   useCookieConsent()
@@ -28,6 +29,9 @@ export default function App(): JSX.Element {
             <Route exact path="/">
               <Home />
             </Route>
+            <Route exact path="/profile">
+              <Profile />
+            </Route>
             <Route path="/data">
               <Data />
             </Route>
diff --git a/client/src/components/IconicIcon.tsx b/client/src/components/IconicIcon.tsx
new file mode 100644
index 0000000..9ad9488
--- /dev/null
+++ b/client/src/components/IconicIcon.tsx
@@ -0,0 +1,25 @@
+import React, { CSSProperties } from "react"
+import openIconicSprite from "open-iconic/sprite/open-iconic.min.svg"
+
+interface Props {
+  icon: string
+  fillColor?: string
+  className?: string
+  style?: CSSProperties
+}
+
+const IconicIcon = (props: Props): JSX.Element => {
+  const className = props.className
+    ? "iconic-icon ".concat(props.className)
+    : "iconic-icon"
+  return (
+    <svg viewBox="0 0 8 8" className={className} style={props.style}>
+      <use
+        xlinkHref={openIconicSprite + "#" + props.icon}
+        style={{ fill: props.fillColor }}
+      ></use>
+    </svg>
+  )
+}
+
+export default IconicIcon
diff --git a/client/src/components/Layout.tsx b/client/src/components/Layout.tsx
index ee81105..f41c375 100644
--- a/client/src/components/Layout.tsx
+++ b/client/src/components/Layout.tsx
@@ -4,6 +4,7 @@ import "../style/style.scss"
 import Foot from "./Foot"
 import { Helmet } from "react-helmet"
 import Iconic from "./iconic"
+import { UserProvider } from "./auth/UserProvider"
 
 // https://nextjs.org/learn/basics/using-shared-components/rendering-children-components
 
@@ -21,11 +22,13 @@ const Layout = (props: Props): JSX.Element => {
         />
       </Helmet>
       <Iconic />
-      <Nav />
-      <main id="content" className="py-5">
-        <div className="container">{props.children}</div>
-      </main>
-      <Foot />
+      <UserProvider>
+        <Nav />
+        <main id="content" className="py-5">
+          <div className="container">{props.children}</div>
+        </main>
+        <Foot />
+      </UserProvider>
     </>
   )
 }
diff --git a/client/src/components/Nav.tsx b/client/src/components/Nav.tsx
index 82809b2..553950f 100644
--- a/client/src/components/Nav.tsx
+++ b/client/src/components/Nav.tsx
@@ -1,6 +1,9 @@
 import React from "react"
 import { Link } from "react-router-dom"
 import logoLight from "../images/logo-light.svg"
+import Avatar from "./auth/Avatar"
+import LoginOrLogout from "./auth/LoginOrLogout"
+import { useUserContext } from "./auth/UserProvider"
 
 const links: {
   href: string
@@ -25,6 +28,8 @@ function navItemClasses(isActive: boolean): string {
 }
 
 const Nav = (): JSX.Element => {
+  const { isAuthenticated, isLoading, user } = useUserContext()
+
   return (
     <header className="navbar navbar-expand-lg navbar-dark">
       <a href={`${process.env.PUBLIC_URL}/`}>
@@ -71,9 +76,42 @@ const Nav = (): JSX.Element => {
             )
           })}
         </ul>
+        <ul className="navbar-nav ml-auto">
+          <li key="profile-dropdown" className="nav-item dropdown">
+            <button
+              className="btn btn-link nav-link dropdown-toggle"
+              id="navbarDropdown"
+              data-toggle="dropdown"
+              aria-haspopup="true"
+              aria-expanded="false"
+            >
+              <Avatar isLoading={isLoading} user={user} />
+            </button>
+            <div
+              className="dropdown-menu dropdown-menu-right"
+              aria-labelledby="navbarDropdown"
+            >
+              <ProfileItem isAuthenticated={isAuthenticated} />
+              <LoginOrLogout />
+            </div>
+          </li>
+        </ul>
       </div>
     </header>
   )
 }
 
+const ProfileItem = (props: {
+  isAuthenticated: boolean
+}): JSX.Element | null => {
+  return props.isAuthenticated ? (
+    <>
+      <Link to="/profile">
+        <button className="btn btn-link dropdown-item">Profile</button>
+      </Link>
+      <div className="dropdown-divider"></div>
+    </>
+  ) : null
+}
+
 export default Nav
diff --git a/client/src/components/auth/Avatar.tsx b/client/src/components/auth/Avatar.tsx
new file mode 100644
index 0000000..edefe15
--- /dev/null
+++ b/client/src/components/auth/Avatar.tsx
@@ -0,0 +1,25 @@
+import React from "react"
+import IconicIcon from "../IconicIcon"
+import { AuthUser } from "./UserProvider"
+
+interface Props {
+  isLoading: boolean
+  user: AuthUser | null
+}
+
+const Avatar = (props: Props): JSX.Element => {
+  const { isLoading, user } = props
+  if (isLoading) {
+    return <IconicIcon icon="loop-circular" />
+  } else if (!user) {
+    return <IconicIcon icon="person" />
+  } else {
+    return (
+      <>
+        <IconicIcon icon="person" fillColor="white" />
+      </>
+    )
+  }
+}
+
+export default Avatar
diff --git a/client/src/components/auth/LoginOrLogout.tsx b/client/src/components/auth/LoginOrLogout.tsx
new file mode 100644
index 0000000..9e9cf51
--- /dev/null
+++ b/client/src/components/auth/LoginOrLogout.tsx
@@ -0,0 +1,34 @@
+import React from "react"
+import { useUserContext } from "./UserProvider"
+import SignInWithApple from "./SignInWithApple"
+import SignInWithGoogle from "./SignInWithGoogle"
+
+const LoginOrLogout = (): JSX.Element => {
+  return (
+    <>
+      <LogoutLink />
+      <LoginLinks />
+    </>
+  )
+}
+
+const LogoutLink = (): JSX.Element | null => {
+  const { isAuthenticated, logout } = useUserContext()
+  return isAuthenticated ? (
+    <button className="dropdown-item" onClick={logout}>
+      Logout
+    </button>
+  ) : null
+}
+
+const LoginLinks = (): JSX.Element | null => {
+  const { isAuthenticated } = useUserContext()
+  return isAuthenticated ? null : (
+    <>
+      <SignInWithApple buttonClassName="dropdown-item" />
+      <SignInWithGoogle buttonClassName="dropdown-item" />
+    </>
+  )
+}
+
+export default LoginOrLogout
diff --git a/client/src/components/auth/SignInWithApple.tsx b/client/src/components/auth/SignInWithApple.tsx
index 3a370bb..5a27971 100644
--- a/client/src/components/auth/SignInWithApple.tsx
+++ b/client/src/components/auth/SignInWithApple.tsx
@@ -1,19 +1,24 @@
 import React from "react"
 import "./SignInWithApple.css"
-import SignInWithProvider from "./SignInWithProvider"
+import SignInWithProvider, {
+  SignInWithProviderProps,
+} from "./SignInWithProvider"
 import providerLogo from "./images/apple_left_black_logo_small.svg"
+import { combineClassNames } from "../../lib/reactUtil"
 
 const providerName = "APPLE"
 const providerLabel = "Sign in with Apple"
 
+type Props = Pick<SignInWithProviderProps, "buttonClassName">
+
 // note styled according to https://developers.google.com/identity/branding-guidelines
-const SignInWithApple = (): JSX.Element => {
+const SignInWithApple = (props: Props): JSX.Element => {
   return (
     <SignInWithProvider
       provider={providerName}
       label={providerLabel}
       logoUrl={providerLogo}
-      buttonClassName="aapl"
+      buttonClassName={combineClassNames("aapl ", props.buttonClassName)}
     />
   )
 }
diff --git a/client/src/components/auth/SignInWithGoogle.tsx b/client/src/components/auth/SignInWithGoogle.tsx
index 4199143..8c5b80e 100644
--- a/client/src/components/auth/SignInWithGoogle.tsx
+++ b/client/src/components/auth/SignInWithGoogle.tsx
@@ -1,21 +1,26 @@
 import React from "react"
 import "./SignInWithGoogle.css"
-import SignInWithProvider from "./SignInWithProvider"
+import SignInWithProvider, {
+  SignInWithProviderProps,
+} from "./SignInWithProvider"
 import providerLogo from "./images/btn_google_light_normal_ios.svg"
+import { combineClassNames } from "../../lib/reactUtil"
 
 const providerName = "GOOGLE"
 const providerLabel = "Sign in with Google"
 
+type Props = Pick<SignInWithProviderProps, "buttonClassName">
+
 // note styled according to https://developers.google.com/identity/branding-guidelines
-const SignInWithGoogle2 = (): JSX.Element => {
+const SignInWithGoogle = (props: Props): JSX.Element => {
   return (
     <SignInWithProvider
       provider={providerName}
       label={providerLabel}
       logoUrl={providerLogo}
-      buttonClassName="goog"
+      buttonClassName={combineClassNames("goog", props.buttonClassName)}
     />
   )
 }
 
-export default SignInWithGoogle2
+export default SignInWithGoogle
diff --git a/client/src/components/auth/SignInWithProvider.tsx b/client/src/components/auth/SignInWithProvider.tsx
index f4f4716..8bc78f6 100644
--- a/client/src/components/auth/SignInWithProvider.tsx
+++ b/client/src/components/auth/SignInWithProvider.tsx
@@ -1,24 +1,26 @@
 import React from "react"
+import { combineClassNames } from "../../lib/reactUtil"
 import "./SignInWithProvider.css"
-import { doLogin } from "./authUtil"
+import { useUserContext } from "./UserProvider"
 
-interface Props {
+export interface SignInWithProviderProps {
   provider: string
   label: string
   logoUrl: string
   buttonClassName?: string
 }
 
-const SignInWithProvider = (props: Props): JSX.Element => {
-  const buttonClassName =
-    "sign-in" + (props.buttonClassName ? " " + props.buttonClassName : "")
+const SignInWithProvider = (props: SignInWithProviderProps): JSX.Element => {
+  const { login } = useUserContext()
   return (
     <button
-      className={buttonClassName}
-      onClick={() => doLogin(props.provider)}
+      className={combineClassNames("sign-in", props.buttonClassName)}
+      onClick={() => {
+        login(props.provider)
+      }}
       {...props}
     >
-      <img className="logo" src={props.logoUrl} />
+      <img className="logo" src={props.logoUrl} alt={props.label} />
       <span className="label">{props.label}</span>
     </button>
   )
diff --git a/client/src/components/auth/UserProvider.tsx b/client/src/components/auth/UserProvider.tsx
new file mode 100644
index 0000000..70eeded
--- /dev/null
+++ b/client/src/components/auth/UserProvider.tsx
@@ -0,0 +1,81 @@
+import React, { useContext, useEffect, useState } from "react"
+import { fetchJson } from "../../lib/fetch"
+import { doLogin, doLogout } from "./authUtil"
+
+/** Defines the attributes of an authenticated user. */
+export interface AuthUser {
+  /** The unique identifier for the user (the subject). */
+  sub: string
+  /** Time User last updated (milliseconds since epoch) */
+  updatedAt: number
+  /** If specified, specifies the email address of the user. */
+  email?: string
+  /** If specified, specifies the name of the user. */
+  name?: string
+}
+
+export interface ProvidedUserContext {
+  user: AuthUser | null
+  isAuthenticated: boolean
+  isLoading: boolean
+  login: (providerName: string) => Promise<void>
+  logout: () => Promise<void>
+  // TODO: add the below login/logout/token implementations:
+  // getAccessToken: (options?: AccessTokenOptions) => Promise<string>
+}
+
+const DefaultUserContext: ProvidedUserContext = {
+  user: null,
+  isAuthenticated: false,
+  isLoading: true,
+  login: async (providerName: string) => {
+    doLogin(providerName)
+  },
+  logout: async () => {
+    doLogout()
+  },
+}
+
+const UserContext = React.createContext<ProvidedUserContext>(DefaultUserContext)
+export const useUserContext = (): ProvidedUserContext => useContext(UserContext)
+
+interface Props {
+  children?: React.ReactNode
+}
+
+export const UserProvider = (props: Props): JSX.Element => {
+  const [user, setUser] = useState<AuthUser | null>(null)
+  const [isLoading, setIsLoading] = useState(true)
+
+  useEffect(() => {
+    async function go(): Promise<void> {
+      try {
+        // see if this user is authenticated by calling the UserInfo endpoint
+        const userInfo = await fetchJson<AuthUser>(
+          `${process.env.PUBLIC_URL}/auth/me`
+        )
+        setUser(userInfo)
+      } catch (e) {
+        // TODO: fix fetchJson so we can get the response code and get error body (AuthUser | AuthError).
+        // eslint-disable-next-line no-console
+        console.error("Failed to authenticate user: " + e.toString())
+      }
+      setIsLoading(false)
+    }
+    go()
+  }, [])
+
+  return (
+    <UserContext.Provider
+      value={{
+        user,
+        isAuthenticated: Boolean(user),
+        isLoading,
+        login: DefaultUserContext.login,
+        logout: DefaultUserContext.logout,
+      }}
+    >
+      {props.children}
+    </UserContext.Provider>
+  )
+}
diff --git a/client/src/components/auth/authUtil.ts b/client/src/components/auth/authUtil.ts
index ce4a624..fa68c1b 100644
--- a/client/src/components/auth/authUtil.ts
+++ b/client/src/components/auth/authUtil.ts
@@ -1,7 +1,18 @@
+import { trackAction } from "../../lib/analytics"
+
 /**
  * Initiates the login flow with the specified provider.
  * @param providerName The name of the provider to start the login flow with
  */
-export function doLogin(providerName: string) {
+export async function doLogin(providerName: string): Promise<void> {
+  trackAction("login")
   window.location.href = process.env.PUBLIC_URL + `/auth/login/${providerName}`
 }
+
+/**
+ * Initiates the logout procedure.
+ */
+export async function doLogout(): Promise<void> {
+  trackAction("logout")
+  window.location.href = process.env.PUBLIC_URL + `/auth/logout`
+}
diff --git a/client/src/lib/analytics.ts b/client/src/lib/analytics.ts
new file mode 100644
index 0000000..7f95e87
--- /dev/null
+++ b/client/src/lib/analytics.ts
@@ -0,0 +1,74 @@
+import { useEffect } from "react"
+import { useUserContext } from "../components/auth/UserProvider"
+
+const isProduction = (): boolean => process.env.NODE_ENV === "production"
+
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+const trace = (...args: any[]): void => {
+  if (!isProduction()) {
+    // eslint-disable-next-line no-console
+    console.log(...args)
+  }
+}
+
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+const warn = (...args: any[]): void => {
+  // eslint-disable-next-line no-console
+  console.warn(...args)
+}
+
+/**
+ * Tracks a user action on the client.
+ * @param event The event/action name.
+ * @param properties Any additional properties to log
+ */
+export const trackAction = (
+  event: string,
+  properties?: Record<string, string | number>
+): void => {
+  trace("trackAction", event, properties)
+  if (!isProduction()) {
+    warn("not tracking analytics actions due to non-production environment")
+    return
+  }
+  // TODO: implement analytics
+  warn("trackAction: window or window.analytics unavailable")
+}
+
+/**
+ * Associate current user to a recognizable userId and traits.
+ * https://segment.com/docs/sources/website/analytics.js/#identify
+ * @param props
+ */
+export const Identify = (): JSX.Element | null => {
+  const { isAuthenticated, user } = useUserContext()
+  useEffect(() => {
+    if (isProduction()) {
+      if (isAuthenticated && user && window) {
+        trace(`identify (${process.env.NODE_ENV})`, {
+          sub: user.sub,
+          name: user.name,
+        })
+        /*
+        window.analytics.identify(user.sub, {
+          name: user.name,
+          nickname: user.nickname
+        })
+        */
+      }
+      if (isAuthenticated && window && window.Rollbar && user) {
+        window.Rollbar?.configure({ payload: { person: { id: user.sub } } })
+      }
+    } else {
+      // only report this warning if we would have otherwise identified:
+      if (isAuthenticated) {
+        warn(
+          "not identifying analytics actions due to non-production environment"
+        )
+      }
+    }
+  }, [isAuthenticated, user])
+  // TODO: This should be a hook!
+  // NOTE: We deliberately don't render anything here. We just want to identify the user.
+  return null
+}
diff --git a/client/src/lib/fetch.ts b/client/src/lib/fetch.ts
index 9f144b9..277af4b 100644
--- a/client/src/lib/fetch.ts
+++ b/client/src/lib/fetch.ts
@@ -13,3 +13,17 @@ export async function fetchJson<T>(
     )
   }
 }
+
+export async function fetchText(
+  url: string,
+  init?: RequestInit
+): Promise<string> {
+  const resp = await fetch(url, init)
+  if (resp.ok) {
+    return await resp.text()
+  } else {
+    throw new Error(
+      `Unsuccessful HTTP response fetching ${url}: ${resp.status}: ${resp.statusText}`
+    )
+  }
+}
diff --git a/client/src/lib/reactUtil.ts b/client/src/lib/reactUtil.ts
new file mode 100644
index 0000000..fb82002
--- /dev/null
+++ b/client/src/lib/reactUtil.ts
@@ -0,0 +1,13 @@
+type ClassName = string | undefined
+
+/** Combines the specified `className` values for react and ensures each are space delimited. Handles provided as string or unspecified `className` values. */
+export function combineClassNames(
+  className: ClassName,
+  ...moreClassNames: ClassName[]
+): string {
+  let combined = className || ""
+  for (const cls of moreClassNames) {
+    if (cls) combined += " " + cls
+  }
+  return combined
+}
diff --git a/client/src/lib/useApiHooks.ts b/client/src/lib/useApiHooks.ts
index 9f65a9b..0fe2fa1 100644
--- a/client/src/lib/useApiHooks.ts
+++ b/client/src/lib/useApiHooks.ts
@@ -1,5 +1,5 @@
 import { useEffect, useState, SetStateAction, Dispatch } from "react"
-import { fetchJson } from "./fetch"
+import { fetchJson, fetchText } from "./fetch"
 
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
 export type ApiResponseHookResult<TResponseData> = [
@@ -20,20 +20,13 @@ export type ApiResponseHookResult<TResponseData> = [
  */
 export const useApiGet = <TData>(
   initialUrl: string,
-  initialApiResponse: TData,
-  options: { requiresAuthentication: boolean } = {
-    requiresAuthentication: true,
-  }
+  initialApiResponse: TData
 ): ApiResponseHookResult<TData> => {
   const [url, setUrl] = useState(initialUrl)
   const [response, setResponse] = useState<TData>(initialApiResponse)
   const [isLoading, setIsLoading] = useState(false)
   const [isError, setIsError] = useState(false)
   const [error, setError] = useState<Error | undefined>(undefined)
-  // TODO: if you need authentication, handle that here...
-  //const { isAuthenticated } = useUserContext()
-  const isAuthenticated = false
-  const accessToken = useAccessToken()
 
   useEffect(() => {
     async function fetchApi(): Promise<void> {
@@ -43,13 +36,7 @@ export const useApiGet = <TData>(
         return
       }
       try {
-        if (options.requiresAuthentication && !isAuthenticated) {
-          // this may not be as bad as it seems; just wait for state to get updated and we'll quite possibly get an authenticated state and continue through this in a subsequent render...
-          return
-        }
         setIsLoading(true)
-        //TODO: WTF, use this resolvedAccessToken and fix it like alert genie.
-        const resolvedAccessToken = await accessToken
         const rawData = await fetchJson<TData>(url, {
           method: "get",
         })
@@ -66,7 +53,7 @@ export const useApiGet = <TData>(
       }
     }
     fetchApi()
-  }, [url, isAuthenticated, options.requiresAuthentication, accessToken])
+  }, [url])
   // caller can use setUrl to fetch a different page.
   return [{ response, isLoading, isError, error }, setUrl]
 }
@@ -74,6 +61,9 @@ export const useApiGet = <TData>(
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
 type ApiPostData = any
 
+export const CSRF_HEADER_NAME = "X-CSRF-TOKEN"
+
+// TODO: Refactor useApiPost to a common method and add useApiPut, useApiPatch, useApiUpdate, useApiDelete, etc.
 /**
  * A hook to use an API response from the local backend API.
  * @param initialUrl The url to fetch. This is a RELATIVE path for the local backend API.
@@ -88,27 +78,23 @@ export const useApiPost = <TData>(
   const [response, setResponse] = useState(initialApiResponse)
   const [isLoading, setIsLoading] = useState(false)
   const [isError, setIsError] = useState(false)
-  const accessToken = useAccessToken()
+  const csrfToken = useCsrfToken()
 
   useEffect(() => {
     async function fetchApi(): Promise<void> {
-      if (!accessToken) {
+      if (!csrfToken) {
         // eslint-disable-next-line no-console
-        console.error("No access token but useApiPost requires it")
+        console.error("No csrf token but useApiPost requires it")
         return
       }
       try {
         setIsLoading(true)
-        /*
-        const rawData = await new BackendApi().post<TData, ApiPostData>(url, {
-          body: postBody,
-          authorization: await accessToken
-        })
-        */
         const rawData = await fetchJson<TData>(url, {
           body: JSON.stringify(postBody),
           method: "post",
-          //TODO: Authorization: authorization: await accessToken
+          headers: {
+            CSRF_HEADER_NAME: await csrfToken,
+          },
         })
         setResponse(rawData)
         setIsError(false)
@@ -121,17 +107,18 @@ export const useApiPost = <TData>(
       }
     }
     fetchApi()
-  }, [url, accessToken, postBody])
+  }, [url, csrfToken, postBody])
   return [{ response, isLoading, isError }, setUrl]
 }
 
 /**
- * A react hook to return the access token used for authorizing API requests.
+ * A react hook to return the CSRF token used for authorizing API requests for state-changing requests (PUT, POST, UPDATE, DELETE, PATCH, etc. see https://developer.mozilla.org/en-US/docs/Glossary/safe).
+ * https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#token-based-mitigation
  */
-const useAccessToken = (): Promise<string> => {
+const useCsrfToken = (): Promise<string> => {
   /**
    * What's going on here?
-   * The goal here is to always return the same promise to useApi* functions and let then wait in a "loading" state while we resolve the accessToken.
+   * The goal here is to always return the same promise to useApi* functions and let them wait in a "loading" state while we resolve the accessToken.
    * If we just were to use useState's `setAccessToken` dispatch, then useApi* ends up failing during the initial renders because there's no accessToken yet available.
    * So we keep a pending Promise as the state, and don't ever change the state, but we also keep the Promise's resolve function around so we can later resolve it.
    * This lets useApi* sit in a loading state while it waits on our promise.
@@ -159,31 +146,13 @@ const useAccessToken = (): Promise<string> => {
       rejectToken,
     }
   })
-  // TODO: const userContext = useUserContext()
-  const userContext = null
   useEffect(() => {
     async function getToken(): Promise<void> {
-      /*
-      if (userContext && userContext.isAuthenticated) {
-        const promisedToken = userContext.getAccessToken({
-          audience: AUTH_AUDIENCE(process.env.BUILD_ENV),
-          scope: AUTH_SCOPE(process.env.BUILD_ENV),
-        })
-        // now wait on the promise to resolve and when resolved update use it to resolve the original promise that we returned as state:
-        promisedToken
-          .then(tokenState.resolveToken)
-          .catch(tokenState.rejectToken)
-      }
-      */
-      // TODO: Implement a proper local token (get it from cookie?)
-      tokenState.resolveToken("not yet implemented")
+      const promisedToken = fetchText(`${process.env.PUBLIC_URL}/auth/csrf`)
+      // now wait on the promise to resolve and when resolved update use it to resolve the original promise that we returned as state:
+      promisedToken.then(tokenState.resolveToken).catch(tokenState.rejectToken)
     }
     getToken()
-  }, [
-    tokenState.rejectToken,
-    tokenState.resolveToken,
-    userContext,
-    //userContext.isAuthenticated
-  ])
+  }, [tokenState.rejectToken, tokenState.resolveToken])
   return tokenState.promisedToken
 }
diff --git a/client/src/pages/Data.tsx b/client/src/pages/Data.tsx
index 29bd49f..91b3aec 100644
--- a/client/src/pages/Data.tsx
+++ b/client/src/pages/Data.tsx
@@ -23,8 +23,7 @@ const Page = (): JSX.Element => (
 const ApiResult: React.FunctionComponent = (): React.ReactElement => {
   const [{ response, isError, isLoading }] = useApiGet(
     `${process.env.PUBLIC_URL}/api/echo`,
-    {},
-    { requiresAuthentication: false }
+    {}
   )
 
   return (
diff --git a/client/src/pages/Home.tsx b/client/src/pages/Home.tsx
index 3cb8030..4d2e5a0 100644
--- a/client/src/pages/Home.tsx
+++ b/client/src/pages/Home.tsx
@@ -1,9 +1,6 @@
 import React from "react"
 import Layout from "../components/Layout"
 import { Helmet } from "react-helmet"
-import { useApiGet } from "../lib/useApiHooks"
-import SignInWithGoogle from "../components/auth/SignInWithGoogle"
-import SignInWithApple from "../components/auth/SignInWithApple"
 
 const Page = (): JSX.Element => (
   <Layout>
@@ -14,41 +11,8 @@ const Page = (): JSX.Element => (
       <h1>Home</h1>
 
       <p>Welcome to our home.</p>
-
-      <p>
-        <SignInWithGoogle />
-        <SignInWithApple />
-      </p>
-
-      <div>
-        <UserInfo />
-      </div>
     </div>
   </Layout>
 )
 
-const UserInfo: React.FunctionComponent = (): React.ReactElement => {
-  const [{ response, isError, isLoading }] = useApiGet(
-    `${process.env.PUBLIC_URL}/auth/me`,
-    {},
-    { requiresAuthentication: false }
-  )
-
-  return (
-    <div>
-      <p>
-        If you are currently logged in, you should see some stuff about you
-        below:
-      </p>
-      {isError && <p>Error!</p>}
-      {isLoading && <p>Loading...</p>}
-      {!isLoading && (
-        <pre style={{ border: "1px solid pink" }}>
-          {JSON.stringify(response, null, "  ")}
-        </pre>
-      )}
-    </div>
-  )
-}
-
 export default Page
diff --git a/client/src/pages/Profile.tsx b/client/src/pages/Profile.tsx
new file mode 100644
index 0000000..803c2b9
--- /dev/null
+++ b/client/src/pages/Profile.tsx
@@ -0,0 +1,62 @@
+import React from "react"
+import Layout from "../components/Layout"
+import { Helmet } from "react-helmet"
+import { useUserContext } from "../components/auth/UserProvider"
+import LoginOrLogout from "../components/auth/LoginOrLogout"
+import IconicIcon from "../components/IconicIcon"
+
+const Page = (): JSX.Element => {
+  return (
+    <Layout>
+      <Helmet>
+        <title>Profile</title>
+      </Helmet>
+      <UserInfo />
+    </Layout>
+  )
+}
+
+const UserInfo = (): JSX.Element => {
+  const userContext = useUserContext()
+  const { user } = userContext
+
+  if (userContext.isLoading) {
+    return <div>Loading...</div>
+  }
+
+  if (!userContext.isAuthenticated) {
+    return (
+      <div>
+        <p>Please login to see you profile.</p>
+        <LoginOrLogout />
+      </div>
+    )
+  }
+
+  const indent = 2
+  const notAvailable = "n/a"
+  return (
+    <div>
+      <IconicIcon icon="person" className="rounded-circle" />
+      <div>
+        <h2>ID:</h2>
+        <p>{user?.sub || notAvailable}</p>
+      </div>
+      <div>
+        <h2>Name:</h2>
+        <p>{user?.name || notAvailable}</p>
+      </div>
+
+      <div>
+        <h2>Email:</h2>
+        <p>{user?.email || notAvailable}</p>
+      </div>
+
+      <div>
+        <h3>Full User Profile:</h3>
+        <pre>{JSON.stringify(user, null, indent)}</pre>
+      </div>
+    </div>
+  )
+}
+export default Page
diff --git a/client/src/rollbar-env.d.ts b/client/src/rollbar-env.d.ts
new file mode 100644
index 0000000..0708660
--- /dev/null
+++ b/client/src/rollbar-env.d.ts
@@ -0,0 +1,7 @@
+import Rollbar from "rollbar"
+
+declare global {
+  interface Window {
+    Rollbar: Rollbar
+  }
+}
diff --git a/server/app.arc b/server/app.arc
index e2aad03..6dcd41d 100644
--- a/server/app.arc
+++ b/server/app.arc
@@ -9,6 +9,7 @@ get  /auth/redirect/:provider
 post /auth/redirect/:provider
 get  /auth/login/:provider
 get  /auth/me
+get  /auth/csrf
 
 @aws
 region us-west-2
diff --git a/server/src/http/get-auth-csrf/config.arc b/server/src/http/get-auth-csrf/config.arc
new file mode 100644
index 0000000..2091b85
--- /dev/null
+++ b/server/src/http/get-auth-csrf/config.arc
@@ -0,0 +1,5 @@
+@aws
+runtime nodejs12.x
+# memory 1152
+# timeout 30
+# concurrency 1
diff --git a/server/src/http/get-auth-csrf/index.ts b/server/src/http/get-auth-csrf/index.ts
new file mode 100644
index 0000000..83696e5
--- /dev/null
+++ b/server/src/http/get-auth-csrf/index.ts
@@ -0,0 +1,4 @@
+import csrfGetHandlerFactory from "@architect/shared/lambda/csrfHandler"
+
+const handlerImp = csrfGetHandlerFactory()
+export const handler = handlerImp
diff --git a/server/src/shared/README.md b/server/src/shared/README.md
index f6d0724..8b2f499 100644
--- a/server/src/shared/README.md
+++ b/server/src/shared/README.md
@@ -1,4 +1,4 @@
-NOTE: This is specific to Architect to allow each http handler to be bundled (since in essence each http handler is it's own completely isolated module).
+NOTE: This "shared" folder is specific to Architect to allow each http handler to be bundled (since in essence each http handler is it's own completely isolated module).
 See https://arc.codes/docs/en/guides/developer-experience/sharing-code
 
 NOTE: A potentially cleaner and less-specific approach to architect would be to put all code from shared into it's own package that is referenced by the web project itself (this is essentially what architect is doing but it kinda hides it).
diff --git a/server/src/shared/lambda/middleware/csrf.spec.ts b/server/src/shared/lambda/csrf.spec.ts
similarity index 74%
rename from server/src/shared/lambda/middleware/csrf.spec.ts
rename to server/src/shared/lambda/csrf.spec.ts
index 41f92b3..62c3d40 100644
--- a/server/src/shared/lambda/middleware/csrf.spec.ts
+++ b/server/src/shared/lambda/csrf.spec.ts
@@ -1,12 +1,6 @@
 import sinon from "sinon"
-import { randomInt } from "../../../../test/support"
-import { LambdaHttpResponse } from "../../lambda"
-import {
-  addCsrfTokenToResponse,
-  createCSRFToken,
-  CSRF_HEADER_NAME,
-  isTokenValid,
-} from "./csrf"
+import { randomInt } from "../../../test/support"
+import { createCSRFToken, isTokenValid } from "./csrf"
 
 describe("csrf", () => {
   // preserve environment
@@ -23,19 +17,6 @@ describe("csrf", () => {
     sinon.restore()
   })
 
-  it("should write csrf token to response", async () => {
-    const res: LambdaHttpResponse = {}
-    await addCsrfTokenToResponse("foo", res)
-    expect(res).toHaveProperty("headers")
-    expect(res.headers).toHaveProperty(CSRF_HEADER_NAME)
-  })
-
-  it("should require response", async () => {
-    expect(
-      addCsrfTokenToResponse("foo", (null as unknown) as LambdaHttpResponse)
-    ).rejects.toThrowError(/response/)
-  })
-
   describe("isTokenValid", () => {
     it("should accept valid token", async () => {
       const testSessionID = `test-${randomInt()}`
diff --git a/server/src/shared/lambda/csrf.ts b/server/src/shared/lambda/csrf.ts
new file mode 100644
index 0000000..edf57dc
--- /dev/null
+++ b/server/src/shared/lambda/csrf.ts
@@ -0,0 +1,52 @@
+import { secretFromEnvironment } from "../secretEnvironment"
+import Tokenater from "../Tokenater"
+
+export const CSRF_HEADER_NAME = "X-CSRF-TOKEN"
+
+/**
+ * Creates a CSRF token that is matched to the specified session ID.
+ * @param sessionID The session id that the token should be matched to
+ */
+export async function createCSRFToken(sessionID: string): Promise<string> {
+  const ater = createTokenater()
+  return ater.createToken(sessionID)
+}
+
+/**
+ * Indicates if the specified token is valid for the specified session id.
+ * @param token The CSRF token to validate.
+ * @param sessionID The session that this CSRF token should be matched to.
+ */
+export function isTokenValid(token: string, sessionID: string): boolean {
+  const ater = createTokenater()
+  if (!ater.isValid(token)) {
+    warn("CSRF token is expired or has been tampered with")
+    return false
+  }
+  // our CSRF token has the session id in it. Now that we've validated the token, extract the session id and make sure that it matches
+  const csrfSessionID = ater.getTokenValue(token)
+  if (csrfSessionID != sessionID) {
+    warn("CSRF token does not match session:", csrfSessionID, "!=", sessionID)
+    return false
+  }
+  return true
+}
+
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+function warn(message?: any, ...optionalParams: any[]): void {
+  if (!("CSRF_TOKEN_WARNING_DISABLE" in process.env)) {
+    // eslint-disable-next-line no-console
+    console.warn(message, optionalParams)
+  }
+}
+
+const createTokenater = (): Tokenater =>
+  new Tokenater(getSecret(), Tokenater.DAYS_IN_MS * 1)
+
+function getSecret(): string {
+  const KEY_LENGTH = 32
+  return secretFromEnvironment(
+    "WAS_CSRF_SECRET",
+    `${process.env.NODE_ENV}`
+  ).padEnd(KEY_LENGTH, ".")
+}
diff --git a/server/src/shared/lambda/csrfHandler.ts b/server/src/shared/lambda/csrfHandler.ts
new file mode 100644
index 0000000..c6f042d
--- /dev/null
+++ b/server/src/shared/lambda/csrfHandler.ts
@@ -0,0 +1,32 @@
+import {
+  TextResponse,
+  LambdaHttpHandler,
+  LambdaHttpResponse,
+  LambdaHttpRequest,
+} from "./lambda"
+import { readSessionID } from "./session"
+import * as STATUS from "./httpStatus"
+import { createCSRFToken } from "./csrf"
+
+/**
+ * A factory for a handler to return CSRF tokens in response to get requests.
+ * The user must have an active session (even as a anonymous session).
+ */
+export default function csrfGetHandlerFactory(): LambdaHttpHandler {
+  async function handlerImp(
+    req: LambdaHttpRequest
+  ): Promise<LambdaHttpResponse> {
+    const session = readSessionID(req)
+    if (!session) {
+      // NOTE: even an anonymous session is okay for us, and that will come back with a legit session
+      return TextResponse(
+        STATUS.UNAUTHENTICATED,
+        "error: request not authenticated"
+      )
+    }
+
+    const csrf = await createCSRFToken(session.userID)
+    return TextResponse(STATUS.OK, csrf)
+  }
+  return handlerImp
+}
diff --git a/server/src/shared/lambda/oauth/handlers/httpStatus.ts b/server/src/shared/lambda/httpStatus.ts
similarity index 100%
rename from server/src/shared/lambda/oauth/handlers/httpStatus.ts
rename to server/src/shared/lambda/httpStatus.ts
diff --git a/server/src/shared/lambda.ts b/server/src/shared/lambda/lambda.ts
similarity index 72%
rename from server/src/shared/lambda.ts
rename to server/src/shared/lambda/lambda.ts
index 67c4888..f9a461f 100644
--- a/server/src/shared/lambda.ts
+++ b/server/src/shared/lambda/lambda.ts
@@ -37,6 +37,23 @@ export function JsonResponse(
     body: JSON.stringify(body),
   }
 }
-
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
 type HttpJsonBody = any
+
+/**
+ * Helper to build an response for plain text data.
+ * @param httpStatusCode HttpStatus code
+ * @param body The boy as plain text. It will not be parsed or converted.
+ */
+export function TextResponse(
+  httpStatusCode: number,
+  body: string
+): LambdaHttpResponse {
+  return {
+    statusCode: httpStatusCode,
+    headers: {
+      "content-type": "text/plain",
+    },
+    body,
+  }
+}
diff --git a/server/src/shared/lambda/middleware/csrf.ts b/server/src/shared/lambda/middleware/csrf.ts
deleted file mode 100644
index 0c47136..0000000
--- a/server/src/shared/lambda/middleware/csrf.ts
+++ /dev/null
@@ -1,100 +0,0 @@
-import assert from "assert"
-import {
-  LambdaHttpHandler,
-  LambdaHttpRequest,
-  LambdaHttpResponse,
-} from "../../lambda"
-import { secretFromEnvironment } from "../../secretEnvironment"
-import Tokenater from "../../Tokenater"
-import { readSessionID } from "./session"
-
-export const CSRF_HEADER_NAME = "X-CSRF-TOKEN-X"
-
-/**
- * Creates a CSRF token that is matched to the specified session ID.
- * @param sessionID The session id that the token should be matched to
- */
-export async function createCSRFToken(sessionID: string): Promise<string> {
-  const ater = createTokenater()
-  return ater.createToken(sessionID)
-}
-
-/**
- * Indicates if the specified token is valid for the specified session id.
- * @param token The CSRF token to validate.
- * @param sessionID The session that this CSRF token should be matched to.
- */
-export function isTokenValid(token: string, sessionID: string): boolean {
-  const ater = createTokenater()
-  if (!ater.isValid(token)) {
-    warn("CSRF token is expired or has been tampered with")
-    return false
-  }
-  // our CSRF token has the session id in it. Now that we've validated the token, extract the session id and make sure that it matches
-  const csrfSessionID = ater.getTokenValue(token)
-  if (csrfSessionID != sessionID) {
-    warn("CSRF token does not match session:", csrfSessionID, "!=", sessionID)
-    return false
-  }
-  return true
-}
-
-// eslint-disable-next-line @typescript-eslint/no-explicit-any
-function warn(message?: any, ...optionalParams: any[]): void {
-  if (!("CSRF_TOKEN_WARNING_DISABLE" in process.env)) {
-    // eslint-disable-next-line no-console
-    console.warn(message, optionalParams)
-  }
-}
-
-/**
- * Response middleware to add a CSRF token to the response that can be read/validated with the @see expectCsrfTokenWithRequest request middleware function.
- * @param handler Your HTTP handler that should run before this middleware adds the CSRF token header to the response.
- */
-export function csrfResponseMiddleware(
-  handler: LambdaHttpHandler
-): LambdaHttpHandler {
-  async function thunk(req: LambdaHttpRequest): Promise<LambdaHttpResponse> {
-    const response = await handler(req)
-    assert(response, "response expected from handler")
-    // get the current session id:
-    const session = readSessionID(req)
-    if (!session) {
-      throw new Error("session not on request session!")
-    }
-    // add the CSRF token:
-    await addCsrfTokenToResponse(session.userID, response)
-    return response
-  }
-  return thunk
-}
-
-type HttpResponseLike = Pick<LambdaHttpResponse, "headers">
-
-/**
- * Adds a CSRF token to the specified response object according to the [HMAC Based Token Pattern](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#hmac-based-token-pattern)
- * The token can be validated in a subsequent request with `expectCsrfTokenWithRequest`.
- * The request must also have a session ID header as specified by
- * @param response The http response to add the token to
- */
-export async function addCsrfTokenToResponse(
-  sessionID: string,
-  response: HttpResponseLike
-): Promise<void> {
-  if (!response) {
-    throw new Error("response must be provided")
-  }
-  response.headers = response.headers || {}
-  response.headers[CSRF_HEADER_NAME] = await createCSRFToken(sessionID)
-}
-
-const createTokenater = (): Tokenater =>
-  new Tokenater(getSecret(), Tokenater.DAYS_IN_MS * 1)
-
-function getSecret(): string {
-  const KEY_LENGTH = 32
-  return secretFromEnvironment(
-    "WAS_CSRF_SECRET",
-    `${process.env.NODE_ENV}`
-  ).padEnd(KEY_LENGTH, ".")
-}
diff --git a/server/src/shared/lambda/oauth/handlers/common.ts b/server/src/shared/lambda/oauth/handlers/common.ts
index ee1a86d..b710051 100644
--- a/server/src/shared/lambda/oauth/handlers/common.ts
+++ b/server/src/shared/lambda/oauth/handlers/common.ts
@@ -1,6 +1,6 @@
-import { LambdaHttpRequest, LambdaHttpResponse } from "../../../lambda"
-import { UserSession, writeSessionID } from "../../middleware/session"
-import { BAD_REQUEST, INTERNAL_SERVER_ERROR } from "./httpStatus"
+import { LambdaHttpRequest, LambdaHttpResponse } from "../../lambda"
+import { UserSession, writeSessionID } from "../../session"
+import { BAD_REQUEST, INTERNAL_SERVER_ERROR } from "../../httpStatus"
 
 /**
  * Returns the name of the provider that should be used for authentication from the specified request.
diff --git a/server/src/shared/lambda/oauth/handlers/login.spec.ts b/server/src/shared/lambda/oauth/handlers/login.spec.ts
index acc74ba..c1b851e 100644
--- a/server/src/shared/lambda/oauth/handlers/login.spec.ts
+++ b/server/src/shared/lambda/oauth/handlers/login.spec.ts
@@ -2,7 +2,7 @@ import { createMockRequest } from "../../../../../test/support/lambda"
 import loginHandlerFactory from "./login"
 import { URL } from "url"
 import assert from "assert"
-import { LambdaHttpRequest } from "../../../lambda"
+import { LambdaHttpRequest } from "../../lambda"
 import { expectSession } from "../../../../../test/support"
 import userRepositoryFactory from "../repository/UserRepository"
 
diff --git a/server/src/shared/lambda/oauth/handlers/login.ts b/server/src/shared/lambda/oauth/handlers/login.ts
index 75818e9..50f6409 100644
--- a/server/src/shared/lambda/oauth/handlers/login.ts
+++ b/server/src/shared/lambda/oauth/handlers/login.ts
@@ -1,18 +1,18 @@
-import { createCSRFToken } from "../../middleware/csrf"
+import { createCSRFToken } from "../../csrf"
 import {
   createAnonymousSessionID,
   readSessionID,
   UserSession,
-} from "../../middleware/session"
+} from "../../session"
 import { OAuthProviderConfig, Config } from "../OAuthProviderConfig"
 import { addResponseSession, errorResponse, getProviderName } from "./common"
-import { INTERNAL_SERVER_ERROR } from "./httpStatus"
+import { INTERNAL_SERVER_ERROR } from "../../httpStatus"
 import { URL } from "url"
 import {
   LambdaHttpHandler,
   LambdaHttpRequest,
   LambdaHttpResponse,
-} from "../../../lambda"
+} from "../../lambda"
 import { UserRepository } from "../repository/UserRepository"
 
 export default function loginHandlerFactory(
diff --git a/server/src/shared/lambda/oauth/handlers/me.spec.ts b/server/src/shared/lambda/oauth/handlers/me.spec.ts
index 1ccca64..6043ad3 100644
--- a/server/src/shared/lambda/oauth/handlers/me.spec.ts
+++ b/server/src/shared/lambda/oauth/handlers/me.spec.ts
@@ -1,7 +1,7 @@
 import sinon from "sinon"
 import { randomInt } from "../../../../../test/support"
 import { createMockRequest } from "../../../../../test/support/lambda"
-import { injectSessionToRequest } from "../../middleware/session"
+import { injectSessionToRequest } from "../../session"
 import identityRepositoryFactory, {
   StoredIdentity,
 } from "../repository/IdentityRepository"
diff --git a/server/src/shared/lambda/oauth/handlers/me.ts b/server/src/shared/lambda/oauth/handlers/me.ts
index 7791d94..f1c2afb 100644
--- a/server/src/shared/lambda/oauth/handlers/me.ts
+++ b/server/src/shared/lambda/oauth/handlers/me.ts
@@ -4,12 +4,12 @@ import {
   LambdaHttpHandler,
   LambdaHttpRequest,
   LambdaHttpResponse,
-} from "../../../lambda"
-import { readSessionID } from "../../middleware/session"
+} from "../../lambda"
+import { readSessionID } from "../../session"
 import { IdentityRepository } from "../repository/IdentityRepository"
 import { StoredUser, UserRepository } from "../repository/UserRepository"
 
-import * as STATUS from "./httpStatus"
+import * as STATUS from "../../httpStatus"
 
 /**
  * Factory to create a handler for the [Authorization Response](https://tools.ietf.org/html/rfc6749#section-4.1.2) when the user is directed with a `code` from the OAuth Authorization Server back to the OAuth client application.
diff --git a/server/src/shared/lambda/oauth/handlers/redirect.spec.ts b/server/src/shared/lambda/oauth/handlers/redirect.spec.ts
index e5146c9..08f455a 100644
--- a/server/src/shared/lambda/oauth/handlers/redirect.spec.ts
+++ b/server/src/shared/lambda/oauth/handlers/redirect.spec.ts
@@ -1,11 +1,11 @@
 import { randomBytes } from "crypto"
 import { createMockRequest } from "../../../../../test/support/lambda"
-import { createCSRFToken } from "../../middleware/csrf"
+import { createCSRFToken } from "../../csrf"
 import {
   createAnonymousSessionID,
   injectSessionToRequest,
   readSessionID,
-} from "../../middleware/session"
+} from "../../session"
 import identityRepositoryFactory, {
   IdentityRepository,
   StoredIdentityProposal,
@@ -24,7 +24,7 @@ import {
 import sinon from "sinon"
 import { URL, URLSearchParams } from "url"
 import assert from "assert"
-import { LambdaHttpRequest } from "../../../lambda"
+import { LambdaHttpRequest } from "../../lambda"
 import { APIGatewayProxyEventQueryStringParameters } from "aws-lambda"
 
 // note to self: Jest's auto-mocking voodoo wastes more time than it saves. Just inject dependencies (e.g. w/ oAuthRedirectHandlerFactory)
diff --git a/server/src/shared/lambda/oauth/handlers/redirect.ts b/server/src/shared/lambda/oauth/handlers/redirect.ts
index 96c3037..c9e6056 100644
--- a/server/src/shared/lambda/oauth/handlers/redirect.ts
+++ b/server/src/shared/lambda/oauth/handlers/redirect.ts
@@ -1,6 +1,6 @@
 import { fetchJson as fetchJsonImpl, FetchJsonFunc } from "../../../fetch"
-import { isTokenValid } from "../../middleware/csrf"
-import { readSessionID } from "../../middleware/session"
+import { isTokenValid } from "../../csrf"
+import { readSessionID } from "../../session"
 import { Config, OAuthProviderConfig } from "../OAuthProviderConfig"
 import { IdentityRepository } from "../repository/IdentityRepository"
 import { StoredUser, UserRepository } from "../repository/UserRepository"
@@ -9,7 +9,7 @@ import {
   INTERNAL_SERVER_ERROR,
   UNAUTHENTICATED,
   FORBIDDEN,
-} from "./httpStatus"
+} from "../../httpStatus"
 import * as jwt from "node-webtokens"
 import { addResponseSession, errorResponse, getProviderName } from "./common"
 import { URL, URLSearchParams } from "url"
@@ -19,7 +19,7 @@ import {
   LambdaHttpHandler,
   LambdaHttpRequest,
   LambdaHttpResponse,
-} from "../../../lambda"
+} from "../../lambda"
 import { secondsToMilliseconds } from "../../../time"
 import { fromBase64 } from "../../../encoding"
 
@@ -94,6 +94,13 @@ export default function oAuthRedirectHandlerFactory(
       )
     }
 
+    if (!("UNIT_TESTING" in process.env)) {
+      // eslint-disable-next-line no-console
+      console.log(
+        `Found the following claims for provider '${providerName}':`,
+        Object.keys(parsed.payload)
+      )
+    }
     const claimsError = validateClaims(parsed.payload, providerName)
     if (claimsError) {
       return claimsError
diff --git a/server/src/shared/lambda/middleware/session.spec.ts b/server/src/shared/lambda/session.spec.ts
similarity index 91%
rename from server/src/shared/lambda/middleware/session.spec.ts
rename to server/src/shared/lambda/session.spec.ts
index c301f60..37b9bb2 100644
--- a/server/src/shared/lambda/middleware/session.spec.ts
+++ b/server/src/shared/lambda/session.spec.ts
@@ -4,7 +4,7 @@ import {
   UserSession,
   createAnonymousSessionID,
 } from "./session"
-import { createMockRequest } from "../../../../test/support/lambda"
+import { createMockRequest } from "../../../test/support/lambda"
 
 describe("session", () => {
   let testSesson: UserSession
diff --git a/server/src/shared/lambda/middleware/session.ts b/server/src/shared/lambda/session.ts
similarity index 97%
rename from server/src/shared/lambda/middleware/session.ts
rename to server/src/shared/lambda/session.ts
index 42f13e9..d469398 100644
--- a/server/src/shared/lambda/middleware/session.ts
+++ b/server/src/shared/lambda/session.ts
@@ -4,14 +4,14 @@ import {
   parse as parseCookie,
   serialize as serializeCookie,
 } from "cookie"
-import { LambdaHttpRequest, LambdaHttpResponse } from "../../lambda"
+import { LambdaHttpRequest, LambdaHttpResponse } from "./lambda"
 import { assert } from "console"
 import {
   daysToSeconds,
   millisecondsToSeconds,
   secondsToMilliseconds,
-} from "../../time"
-import { secretFromEnvironment } from "../../secretEnvironment"
+} from "../time"
+import { secretFromEnvironment } from "../secretEnvironment"
 import * as jwt from "node-webtokens"
 
 /** The name of the session key to get the session ID value.
diff --git a/server/test/support/index.ts b/server/test/support/index.ts
index 3311804..d133ab7 100644
--- a/server/test/support/index.ts
+++ b/server/test/support/index.ts
@@ -1,5 +1,5 @@
-import { SESSION_COOKIE_NAME } from "../../src/shared/lambda/middleware/session"
-import { LambdaHttpResponse } from "../../src/shared/lambda"
+import { SESSION_COOKIE_NAME } from "../../src/shared/lambda/session"
+import { LambdaHttpResponse } from "../../src/shared/lambda/lambda"
 
 export function randomEmail(): string {
   return `${randomInt()}@foo.bar`
diff --git a/server/test/support/setup.ts b/server/test/support/setup.ts
index d512014..a5730d4 100644
--- a/server/test/support/setup.ts
+++ b/server/test/support/setup.ts
@@ -1,4 +1,5 @@
 process.env.DEBUG = ""
+process.env.UNIT_TESTING = ""
 process.env.WAS_CSRF_SECRET = "jest-secret"
 process.env.SESSION_TOKEN_SECRET = "jest-secret"
 process.env.CSRF_TOKEN_WARNING_DISABLE = ""