[PR] feat(config-service): split /config/pre-login from authenticated endpoints [texera]

Sun, 31 May 2026 21:12:20 -0700 


Yicong-Huang opened a new pull request, #5305:
URL: https://github.com/apache/texera/pull/5305

   ### What changes were proposed in this PR?
   
   `config-service` no longer broadcasts the full GUI configuration to 
anonymous callers. The four fields the frontend actually needs before login 
(`localLogin`, `googleLogin`, `defaultLocalUser`, `attributionEnabled`) move to 
a new `GET /api/config/pre-login` (`@PermitAll`). `GET /api/config/gui` and 
`GET /api/config/user-system` are now `@RolesAllowed("REGULAR", "ADMIN")` and 
only answer authenticated traffic.
   
   On the frontend, `GuiConfigService.load()` always fetches 
`/config/pre-login` at `APP_INITIALIZER`. When a JWT is already in 
`localStorage` (browser reload while logged in), it chains `/config/gui` + 
`/config/user-system` in the same await so the full config is in memory before 
any post-login component mounts. `UserService.handleAccessToken` does the same 
chaining on a fresh login so `loginWithExistingToken` (which reads 
`config.env.inviteOnly`) runs only after the authenticated config has resolved. 
Expired-token 403s on the post-login fetch are caught so a stale `localStorage` 
token cannot block bootstrap — that was the exact failure mode that caused 
#5025 to revert the earlier eager-401 lockdown.
   
   ### Any related issues, documentation, discussions?
   
   Closes #5304.
   
   Related: #4901 (eager-401 from `JwtAuthFilter`), #5025 (revert that broke 
`ConfigService` bootstrap last time we attempted a similar lockdown), #5199 
(re-applied `@RolesAllowed` enforcement on the microservices, with `@PermitAll` 
opt-out for the two pre-login endpoints).
   
   ### How was this PR tested?
   
   Added unit tests covering pre-login / gui / user-system access with and 
without a valid Bearer token, the orchestrator's branching on a stored token, 
the 403 fallback, and the `UserService.handleAccessToken` ordering guarantee.
   
   ### Was this PR authored or co-authored using generative AI tooling?
   
   Generated-by: Claude Opus 4.7


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to