fix(api-client): generalize 401 redirect from /account/* to all 4 personas
All checks were successful
All checks were successful
Yesterday's redirectIfCustomerAreaUnauthorized was scoped to /account/*
only. Admin, store, and merchant pages still hit the same UX gap when
an AJAX call returned 401 on token expiry: apiClient cleared tokens
and threw, leaving the page in a broken state with whatever generic
error UI the caller had wired up — no redirect, no `?next=` round-trip,
identical bug to the customer flicker we fixed in `b04b36a2` /
`6564f138`.
Rename and dispatch by path:
- /account/* (not /account/login) → /account/login?next=…
- /admin/* (not /admin/login) → /admin/login?next=…
- /merchants/* (not /merchants/login) → /merchants/login?next=…
- /store/{code}/* (not /store/{code}/login) → /store/{code}/login?next=…
- anything else → return false (caller throws)
Store paths include the per-store code, so the helper does a small regex
to extract `{code}` from the current pathname and builds the persona's
login URL with the right prefix.
All three 401 handlers in apiClient (request, requestFormData, getBlob)
already wrap this with the `return new Promise(() => {})` pattern from
6564f138, so the caller's `.finally(() => loading = false)` doesn't fire
before navigation completes — kills the wrong-state UI flash on every
persona, not just customer.
Login pages updated to honour `?next=` precedence over the existing
`*_last_visited_page` localStorage fallback, with persona-specific
safety checks (must start with /admin/, /merchants/, /store/{code}/
respectively; must not be a login or onboarding URL). The store login
also normalises the basePath because the store-code path prefix can
flip between subdomain (/store/{code}/...) and dev/path-based
(/platforms/{platform}/store/{code}/...) modes.
Customer login already honoured `?next=` from bbb481aa; left unchanged.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -157,18 +157,33 @@ function storeLogin() {
|
||||
? `/platforms/${platformCode}/store/${this.storeCode}`
|
||||
: `/store/${this.storeCode}`;
|
||||
|
||||
// Check for last visited page (saved before logout)
|
||||
// Decide where to land after login. Precedence:
|
||||
// 1. ?next=<path> — set by apiClient on 401 mid-session;
|
||||
// must be a /store/{code}/... URL that doesn't loop back
|
||||
// to login or onboarding.
|
||||
// 2. store_last_visited_page localStorage — fallback for
|
||||
// organic logins (preserves the store-relative sub-path
|
||||
// even if the basePath prefix changed, e.g. domain swap).
|
||||
// 3. {basePath}/dashboard — last-resort default.
|
||||
const nextParam = new URLSearchParams(window.location.search).get('next');
|
||||
const lastPage = localStorage.getItem('store_last_visited_page');
|
||||
let redirectTo = `${basePath}/dashboard`;
|
||||
const isSafeStoreUrl = (u) =>
|
||||
u && u.includes(`/store/${this.storeCode}/`) &&
|
||||
!u.includes('/login') && !u.includes('/onboarding');
|
||||
|
||||
if (lastPage && !lastPage.includes('/login') && !lastPage.includes('/onboarding')) {
|
||||
// Extract the store-relative path (strip any existing prefix)
|
||||
let redirectTo = `${basePath}/dashboard`;
|
||||
if (isSafeStoreUrl(nextParam)) {
|
||||
redirectTo = nextParam;
|
||||
} else if (lastPage && !lastPage.includes('/login') && !lastPage.includes('/onboarding')) {
|
||||
// Preserve only the store-relative sub-path; basePath
|
||||
// may have changed (subdomain ↔ /platforms/... etc.)
|
||||
const storePathMatch = lastPage.match(/\/store\/[^/]+(\/.*)/);
|
||||
if (storePathMatch) {
|
||||
redirectTo = `${basePath}${storePathMatch[1]}`;
|
||||
}
|
||||
}
|
||||
|
||||
storeLoginLog.info('next param:', nextParam);
|
||||
storeLoginLog.info('Last visited page:', lastPage);
|
||||
storeLoginLog.info('Redirecting to:', redirectTo);
|
||||
|
||||
|
||||
Reference in New Issue
Block a user