sboulahtit/orion
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

fix(storefront-auth): apiClient redirects to login on 401 from /account/*
Some checks failed
CI / dependency-scanning (push) Has been cancelled
Details
CI / pytest (push) Has been cancelled
Details
CI / ruff (push) Successful in 17s
Details
CI / validate (push) Has been cancelled
Details
CI / docs (push) Has been cancelled
Details
CI / deploy (push) Has been cancelled
Details

Browse Source 
When the customer's JWT (30-min TTL via JWT_EXPIRE_MINUTES) expires in
localStorage, subsequent API calls from a customer-area page returned
401 → callers showed an unrelated error UI (loyalty dashboard rendered
the "join now" CTA because card came back null on the catch path).

Three changes in static/shared/js/api-client.js:

1. Path detection in getToken() + clearTokens() now recognises
   /account/* and /api/v1/storefront/* as customer-area routes (the
   only existing checks were for /shop/* which was never used in this
   codebase). Also clears customer_user alongside customer_token.

2. New redirectIfCustomerAreaUnauthorized() helper: on a /account/*
   page, sends the browser to /account/login?next=<current path>
   (with a guard to skip the redirect when already on the login page,
   avoiding loops). Called from all three 401 paths (request,
   requestFormData, getBlob).

3. login.html now honours the ?next= query param (in addition to the
   legacy ?return=), so the redirect lands the user back where their
   session expired.

Other personas (admin/store/merchant) are unaffected — the helper is
a no-op outside /account/*.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Samir Boulahtit
2026-05-29 21:28:34 +02:00
parent 3ce9468397
commit a0ae638821
2 changed files with 44 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
app/modules/customers/templates/customers/storefront/login.html
View File

@@ -295,9 +295,12 @@
this.showAlert('Login successful! Redirecting...', 'success');
// Redirect to account page or return URL
// Redirect to account page or return URL.
// Accepts `?next=` (apiClient's 401-handler convention)
// or `?return=` (legacy) — `next` wins.
setTimeout(() => {
const returnUrl = new URLSearchParams(window.location.search).get('return') || '{{ base_url }}account';
const params = new URLSearchParams(window.location.search);
const returnUrl = params.get('next') || params.get('return') || '{{ base_url }}account';
window.location.href = returnUrl;
}, 1000);