Extract reusable auth guard decision logic and test router auth behavior against it
Co-Authored-By: Codex <codex@openai.com>
This commit is contained in:
74
src/router/authGuard.ts
Normal file
74
src/router/authGuard.ts
Normal file
@@ -0,0 +1,74 @@
|
||||
// The Lucia project.
|
||||
// Copyright 2026-2026 DSP, inc. All rights reserved.
|
||||
// Authors:
|
||||
// imacat.yang@dsp.im (imacat), 2026/03/08
|
||||
/**
|
||||
* @module router/authGuard Shared auth-guard decision logic for router.beforeEach
|
||||
* and unit tests.
|
||||
*/
|
||||
|
||||
/** Minimal route shape used by auth guard decision logic. */
|
||||
export interface GuardRouteTarget {
|
||||
name?: unknown;
|
||||
path?: string;
|
||||
fullPath?: string;
|
||||
matched?: Array<{ meta?: { requiresAuth?: boolean } }>;
|
||||
}
|
||||
|
||||
/** Dependency contract for evaluating authentication navigation decisions. */
|
||||
export interface AuthGuardDependencies {
|
||||
/** Reads a cookie value by name. */
|
||||
getCookie: (name: string) => string | null;
|
||||
/** Attempts to refresh session credentials. */
|
||||
refreshSession: () => Promise<void>;
|
||||
/** Persists the logged-in marker cookie after successful refresh. */
|
||||
setLoginMarker: () => void;
|
||||
/** Encodes return-to path into query-safe payload. */
|
||||
encodeReturnTo: (returnToPath: string) => string;
|
||||
}
|
||||
|
||||
/**
|
||||
* Evaluates auth-related navigation decisions.
|
||||
* @param {GuardRouteTarget} to - Target route object from router guard.
|
||||
* @param {AuthGuardDependencies} deps - Side-effect dependencies for auth checks.
|
||||
* @returns {Promise<{name: string}|{path: string, query: {"return-to": string}}|undefined>}
|
||||
* Redirect target when needed, otherwise undefined.
|
||||
*/
|
||||
export async function evaluateAuthNavigation(
|
||||
to: GuardRouteTarget,
|
||||
deps: AuthGuardDependencies,
|
||||
) {
|
||||
const hasLoginMarker = Boolean(deps.getCookie("isLuciaLoggedIn"));
|
||||
const hasAccessToken = Boolean(deps.getCookie("luciaToken"));
|
||||
const hasRefreshToken = Boolean(deps.getCookie("luciaRefreshToken"));
|
||||
const isAuthenticated = hasLoginMarker && hasAccessToken;
|
||||
|
||||
if (to.name === "Login" && isAuthenticated) {
|
||||
return { name: "Files" };
|
||||
}
|
||||
|
||||
const requiresAuth = (to.matched || []).some(
|
||||
(routeRecord) => routeRecord.meta?.requiresAuth,
|
||||
);
|
||||
if (!requiresAuth || isAuthenticated) {
|
||||
return undefined;
|
||||
}
|
||||
|
||||
if (hasRefreshToken) {
|
||||
try {
|
||||
await deps.refreshSession();
|
||||
deps.setLoginMarker();
|
||||
return undefined;
|
||||
} catch {
|
||||
// Fall through to login redirect below.
|
||||
}
|
||||
}
|
||||
|
||||
const returnToPath = to.fullPath || to.path || "/";
|
||||
return {
|
||||
path: "/login",
|
||||
query: {
|
||||
"return-to": deps.encodeReturnTo(returnToPath),
|
||||
},
|
||||
};
|
||||
}
|
||||
@@ -13,6 +13,7 @@ import { createRouter, createWebHistory } from "vue-router";
|
||||
import { useLoginStore } from "@/stores/login";
|
||||
import { getCookie, setCookie } from "@/utils/cookieUtil";
|
||||
import { encodeReturnTo } from "@/utils/returnToEncoding";
|
||||
import { evaluateAuthNavigation } from "@/router/authGuard";
|
||||
import AuthContainer from "@/views/AuthContainer.vue";
|
||||
import MainContainer from "@/views/MainContainer.vue";
|
||||
import Login from "@/views/Login/LoginPage.vue";
|
||||
@@ -174,51 +175,18 @@ const router = createRouter({
|
||||
routes,
|
||||
});
|
||||
|
||||
/**
|
||||
* Builds a login redirect target with a return-to query.
|
||||
* @param {string} fullPath - The destination path to return after login.
|
||||
* @returns {{path: string, query: {"return-to": string}}} The redirect target.
|
||||
*/
|
||||
function buildLoginRedirect(fullPath: string) {
|
||||
return {
|
||||
path: "/login",
|
||||
query: {
|
||||
"return-to": encodeReturnTo(fullPath),
|
||||
},
|
||||
};
|
||||
}
|
||||
|
||||
// Global navigation guard
|
||||
router.beforeEach(async (to) => {
|
||||
// to: Route: the target route object being navigated to
|
||||
const hasLoginMarker = Boolean(getCookie("isLuciaLoggedIn"));
|
||||
const hasAccessToken = Boolean(getCookie("luciaToken"));
|
||||
const hasRefreshToken = Boolean(getCookie("luciaRefreshToken"));
|
||||
const isAuthenticated = hasLoginMarker && hasAccessToken;
|
||||
|
||||
// When navigating to the login page, redirect to Files if already logged in
|
||||
if (to.name === "Login" && isAuthenticated) {
|
||||
return { name: "Files" };
|
||||
}
|
||||
|
||||
const requiresAuth = to.matched.some((routeRecord) => routeRecord.meta.requiresAuth);
|
||||
if (!requiresAuth || isAuthenticated) {
|
||||
return undefined;
|
||||
}
|
||||
|
||||
if (hasRefreshToken) {
|
||||
const loginStore = useLoginStore();
|
||||
try {
|
||||
return evaluateAuthNavigation(to, {
|
||||
getCookie,
|
||||
refreshSession: async () => {
|
||||
const loginStore = useLoginStore();
|
||||
await loginStore.refreshToken();
|
||||
loginStore.setIsLoggedIn(true);
|
||||
setCookie("isLuciaLoggedIn", "true");
|
||||
return undefined;
|
||||
} catch {
|
||||
return buildLoginRedirect(to.fullPath);
|
||||
}
|
||||
}
|
||||
|
||||
return buildLoginRedirect(to.fullPath);
|
||||
},
|
||||
setLoginMarker: () => setCookie("isLuciaLoggedIn", "true"),
|
||||
encodeReturnTo,
|
||||
});
|
||||
});
|
||||
|
||||
export default router;
|
||||
|
||||
Reference in New Issue
Block a user