Yicong-Huang opened a new issue, #5391:
URL: https://github.com/apache/texera/issues/5391
### Task Summary
The frontend currently has two gaps that together caused the revert of #4903:
1. `JwtModule.forRoot()` is configured with `skipWhenExpired: false`
(`frontend/src/app/app.module.ts`), so any locally-stored JWT — including
expired ones — is appended as `Authorization: Bearer …` to every request, even
to public endpoints loaded before login.
2. There is no global `HttpInterceptor` handling `401` responses. Individual
services scatter `catchError` blocks, none of which clear the session or
redirect to `/login`. If the backend rejects a stale token, the user sees a
generic error toast but stays "logged in" client-side.
The previous attempt at #4901 (PR #4903) merged an eager-401 `JwtAuthFilter`
on the backend, but a stale localStorage token then triggered `401` on
`/api/config/gui` and `/api/config/user-system` from the very first page load,
blocking the login page itself (#5026). The revert (#5025) returned the backend
to lazy-401 behavior; the frontend gaps that exposed the issue are still
present.
Desired behavior:
- `JwtModule.forRoot({ skipWhenExpired: true })` so an expired token is not
attached, letting public endpoints serve anonymous responses normally.
- A global `HttpInterceptor` that on `401` — only when the request carried
an `Authorization` header — clears the stored token, shows a "session expired"
notification, and routes to `/login`.
This change is a prerequisite for re-attempting #4901; it is also a
correctness fix on its own under the current lazy-401 backend.
### Task Type
- [x] Other (frontend bugfix)
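The two desired behaviors listed in the issue, modelled as plain TypeScript without Angular so the decision logic runs stand-alone. This is an added example, not Texera's code and not part of the issue: `Session`, `jwtExpiry`, `authHeaderFor`, `on401`, `makeToken` and the notification text are hypothetical names, and the sample token is constructed.

```typescript
// Added illustration; every name here is hypothetical, not from Texera or angular-jwt.
interface Session { token: string | null; notices: string[]; route: string; }

// Read `exp` (seconds since epoch) from the JWT payload. No signature check:
// the client only uses it to decide whether the token is worth sending.
function jwtExpiry(token: string): number | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  try {
    const b64 = (parts[1] ?? "").replace(/-/g, "+").replace(/_/g, "/");
    const exp = JSON.parse(atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4))).exp;
    return typeof exp === "number" ? exp : null;
  } catch {
    return null; // malformed token: expiry unknown
  }
}

// Behavior 1 (skipWhenExpired: true): an expired token is not attached, so a
// public endpoint such as /api/config/gui is requested anonymously.
function authHeaderFor(token: string | null, nowSec: number): string | null {
  if (token === null) return null;
  const exp = jwtExpiry(token);
  if (exp !== null && exp <= nowSec) return null;
  return `Bearer ${token}`; // unknown expiry is still sent; behavior 2 is the backstop
}

// Behavior 2 (global 401 handling): act only when the rejected request carried
// an Authorization header; an anonymous 401 is left to the calling service.
function on401(status: number, sentAuthHeader: boolean, s: Session): boolean {
  if (status !== 401 || !sentAuthHeader) return false;
  s.token = null;                        // clear the stored token
  s.notices.push("Session expired");     // placeholder notification text
  s.route = "/login";
  return true;
}

// Constructed sample token (fake signature) for exercising the functions above.
function makeToken(payload: object): string {
  const enc = (o: object): string =>
    btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "HS256", typ: "JWT" })}.${enc(payload)}.constructed-signature`;
}
```

In an Angular interceptor the `sentAuthHeader` argument would come from checking the outgoing request's headers for `Authorization`, which is what keeps a `401` on an anonymous request from triggering a logout.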