Enforce requiresAuth routes in global router guard with login return-to redirects

Co-Authored-By: Codex <codex@openai.com>
2026-03-08 19:07:56 +08:00
parent 90cc6689c8
commit b3f4ace13f
2 changed files with 80 additions and 10 deletions
--- a/src/router/index.ts
+++ b/src/router/index.ts
@@ -10,6 +10,8 @@
 */

 import { createRouter, createWebHistory } from "vue-router";
+import { useLoginStore } from "@/stores/login";
+import { getCookie, setCookie } from "@/utils/cookieUtil";
 import AuthContainer from "@/views/AuthContainer.vue";
 import MainContainer from "@/views/MainContainer.vue";
 import Login from "@/views/Login/LoginPage.vue";
@@ -171,18 +173,51 @@ const router = createRouter({
  routes,
 });

+/**
+ * Builds a login redirect target with a return-to query.
+ * @param {string} fullPath - The destination path to return after login.
+ * @returns {{path: string, query: {"return-to": string}}} The redirect target.
+ */
+function buildLoginRedirect(fullPath: string) {
+  return {
+    path: "/login",
+    query: {
+      "return-to": btoa(fullPath),
+    },
+  };
+}
+
 // Global navigation guard
-router.beforeEach((to, from) => {
+router.beforeEach(async (to) => {
  // to: Route: the target route object being navigated to
-  // from: Route: the current route being navigated away from
+  const hasLoginMarker = Boolean(getCookie("isLuciaLoggedIn"));
+  const hasAccessToken = Boolean(getCookie("luciaToken"));
+  const hasRefreshToken = Boolean(getCookie("luciaRefreshToken"));
+  const isAuthenticated = hasLoginMarker && hasAccessToken;

  // When navigating to the login page, redirect to Files if already logged in
-  if (to.name === "Login") {
-    const isLoggedIn = document.cookie
-      .split(";")
-      .some((c) => c.trim().startsWith("isLuciaLoggedIn="));
-    if (isLoggedIn) return { name: "Files" };
+  if (to.name === "Login" && isAuthenticated) {
+    return { name: "Files" };
  }
+
+  const requiresAuth = to.matched.some((routeRecord) => routeRecord.meta.requiresAuth);
+  if (!requiresAuth || isAuthenticated) {
+    return undefined;
+  }
+
+  if (hasRefreshToken) {
+    const loginStore = useLoginStore();
+    try {
+      await loginStore.refreshToken();
+      loginStore.setIsLoggedIn(true);
+      setCookie("isLuciaLoggedIn", "true");
+      return undefined;
+    } catch {
+      return buildLoginRedirect(to.fullPath);
+    }
+  }
+
+  return buildLoginRedirect(to.fullPath);
 });

 export default router;
--- a/tests/router/routerGuard.test.js
+++ b/tests/router/routerGuard.test.js
@@ -18,18 +18,34 @@ describe("router beforeEach guard logic", () => {

  // Simulate the guard logic from router/index.ts
  function runGuard(to) {
-    const isLoggedIn = document.cookie
+    const hasLoginMarker = document.cookie
      .split(";")
      .some((c) => c.trim().startsWith("isLuciaLoggedIn="));
+    const hasAccessToken = document.cookie
+      .split(";")
+      .some((c) => c.trim().startsWith("luciaToken="));
+    const isAuthenticated = hasLoginMarker && hasAccessToken;

    if (to.name === "Login") {
-      if (isLoggedIn) return { name: "Files" };
+      if (isAuthenticated) return { name: "Files" };
    }
+
+    const requiresAuth = (to.matched || []).some((r) => r.meta?.requiresAuth);
+    if (requiresAuth && !isAuthenticated) {
+      return {
+        path: "/login",
+        query: {
+          "return-to": btoa(to.fullPath || to.path || "/"),
+        },
+      };
+    }
+
    return undefined;
  }

  it("redirects logged-in user from Login to Files", () => {
    document.cookie = "isLuciaLoggedIn=true";
+    document.cookie = "luciaToken=token";
    expect(runGuard({ name: "Login" })).toEqual({ name: "Files" });
  });

@@ -37,8 +53,27 @@ describe("router beforeEach guard logic", () => {
    expect(runGuard({ name: "Login" })).toBeUndefined();
  });

+  it("redirects unauthenticated user when route requiresAuth", () => {
+    const result = runGuard({
+      name: "Files",
+      path: "/files",
+      fullPath: "/files",
+      matched: [{ meta: { requiresAuth: true } }],
+    });
+    expect(result.path).toBe("/login");
+    expect(atob(result.query["return-to"])).toBe("/files");
+  });
+
  it("does not interfere with non-Login routes", () => {
    document.cookie = "isLuciaLoggedIn=true";
-    expect(runGuard({ name: "Files" })).toBeUndefined();
+    document.cookie = "luciaToken=token";
+    expect(
+      runGuard({
+        name: "Files",
+        path: "/files",
+        fullPath: "/files",
+        matched: [{ meta: { requiresAuth: true } }],
+      }),
+    ).toBeUndefined();
  });
 });