fix(feature-auth): use AUTH_PATH_PREFIX to skip the /me endpoint in the 401 interceptor #135
Reference in New Issue
Block a user
Delete Branch "fix/portal-admin-auth-me-refresh-loop"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Summary
Regression introduced by PR #134 / merged minutes ago: opening portal-admin while anonymous fires the bootstrap
/admin/auth/me→ 401 →bffUnauthorizedInterceptortriggersAuthService.refresh()→ which re-fires/admin/auth/me→ 401 → tight loop that exhausts the BFF's 120/min rate limiter in seconds. The user lands on arate_limitederror instead of the "Sign in" panel.Root cause
bffUnauthorizedInterceptordeliberately skips the/meendpoint to avoid the loop (the bootstrap/melegitimately 401s when anonymous). But the skip target was hardcoded to${bffBaseUrl}/auth/me:When portal-admin overrides
AUTH_PATH_PREFIXto/admin/auth(per PR #134), the bootstrap URL becomes${bffBaseUrl}/admin/auth/me, which does not start with${bffBaseUrl}/auth/me. The interceptor treats it as a regular protected route, callsrefresh(), and we're off to the races.The reported log shows the rate-limit counter dropping
remaining=3 → 2 → 1 → 0over four/mecalls within ~25 ms, all 401.Fix
Derive the skip URL from
AUTH_PATH_PREFIX(which the interceptor already has access to via DI — same module as the AuthService):Same behaviour for portal-shell (the default
/authfactory keeps the skip URL at/auth/me), correct behaviour for portal-admin (/admin/auth/me), and any future surface that picks a different prefix inherits the fix automatically.Test plan
pnpm nx test feature-auth— 30 specs pass (was 29; +1 regression spec asserting that no follow-up/meis issued after a bootstrap 401 when the prefix is/admin/auth).pnpm exec nx affected -t format:check lint test build --base=origin/main— clean.pnpm nx serve portal-admin, visithttp://localhost:4300/, observe the BFF log — exactly one/admin/auth/merequest (the bootstrap), 401, no follow-up, no rate-limit hit. The home page renders the "No admin session detected" + Sign in button.Notes for the reviewer
AUTH_PATH_PREFIXwould have hit the same trap. Making the skip target derive from the token is the structural fix; the regression spec pins it./auth, so the existing fixtures continue exercising${bffBaseUrl}/auth/meas the skip target.