Yicong-Huang opened a new issue, #5407:
URL: https://github.com/apache/texera/issues/5407
### Task Summary

`frontend/src/app/app.module.ts` configures `JwtModule.forRoot` with
`disallowedRoutes: ["forum/api/users"]`, meaning every other request gets the
`Authorization: Bearer <token>` header auto-attached when a JWT is in
localStorage. `/api/config/pre-login` is by definition an anonymous-only
endpoint (returns flags needed to render the login page), so attaching a bearer
token is both unnecessary and an active footgun.

If the stored token's signature is invalid (e.g. after a backend signing-key
rotation, manual localStorage tampering, or migrating between deployment
environments), the eager `JwtAuthFilter` in #5404 returns 401 +
`error="invalid_token"` to the pre-login request.

`GuiConfigService.loadPreLogin` runs during `APP_INITIALIZER` and has no retry
on failure, so the entire SPA session is stuck without the config flags the
login form depends on; the user sees a blank-ish landing page until they
manually reload.

Adding `"api/config/pre-login"` to `disallowedRoutes` makes the front-end
stop sending auth there, which removes the regression path without weakening
the backend's strict invariant ("invalid tokens always 401, even on
`@PermitAll`").

### Task Type

- [x] Other (frontend bugfix)
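The failure path described in the issue, as an added example that is not part of the original message and is not Texera or angular-jwt code. It models the client's route exclusion and the backend's "invalid tokens always 401" rule with hypothetical functions (`buildHeaders`, `backend`, `preLoginStatus`); the exact-path matching and the token values are assumptions made for the model.

```typescript
// Added illustration: not Texera or @auth0/angular-jwt source; every name is hypothetical.
type HeaderMap = Record<string, string>;
type Res = { status: number; body: string };

const ORIGINAL_DISALLOWED = ["forum/api/users"];
const FIXED_DISALLOWED = ["forum/api/users", "api/config/pre-login"];
const PRE_LOGIN = "/api/config/pre-login";
const VALID_TOKEN = "constructed-valid-token"; // constructed sample value

// Reduce a URL or route to a path: drop query/fragment, force one leading slash.
function toPath(url: string): string {
  return "/" + url.replace(/[?#].*$/, "").replace(/^\/+/, "");
}

// Assumed client-side rule: attach the stored token unless the request path
// equals a disallowed route (exact path match is an assumption of this model).
function buildHeaders(url: string, stored: string | null, disallowed: string[]): HeaderMap {
  const skip = disallowed.some((route) => toPath(route) === toPath(url));
  return stored !== null && !skip ? { Authorization: `Bearer ${stored}` } : {};
}

// Model of the backend invariant from the issue: any presented token that fails
// verification gets 401, even on an anonymous endpoint.
function backend(url: string, headers: HeaderMap): Res {
  const auth = headers["Authorization"];
  if (auth !== undefined && auth !== `Bearer ${VALID_TOKEN}`) {
    return { status: 401, body: 'error="invalid_token"' };
  }
  if (toPath(url) === PRE_LOGIN) return { status: 200, body: "pre-login flags" };
  // Constructed behaviour for every other route: a valid token is required.
  return auth === undefined
    ? { status: 401, body: "authentication required" }
    : { status: 200, body: "ok" };
}

// Status the pre-login request receives for a given localStorage token and route list.
function preLoginStatus(stored: string | null, disallowed: string[]): number {
  return backend(PRE_LOGIN, buildHeaders(PRE_LOGIN, stored, disallowed)).status;
}
```

With the original route list a stale token turns the anonymous pre-login call into a 401; with the extended list the same stale token is never sent there, while other routes still receive it and are still rejected.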