Files
apf_portal/libs/feature/auth/src
Julien Gautier a1d02051de
CI / scan (pull_request) Successful in 2m46s
CI / commits (pull_request) Successful in 2m59s
CI / check (pull_request) Successful in 3m46s
CI / a11y (pull_request) Successful in 1m26s
CI / perf (pull_request) Successful in 6m4s
fix(feature-auth): use AUTH_PATH_PREFIX to skip the /me endpoint in the 401 interceptor
`bffUnauthorizedInterceptor` calls `AuthService.refresh()` on every
401 from a BFF route, and explicitly skips the `/me` endpoint to
avoid an infinite loop (the bootstrap /me legitimately 401s when
anonymous). The skip target was hardcoded to `/auth/me`, which
matched portal-shell but missed portal-admin's `/admin/auth/me`.

Symptom: opening portal-admin while anonymous fires the bootstrap
/me → 401 → interceptor sees the URL is NOT `/auth/me` → calls
refresh() → fires another /me → 401 → loop. Hits the 120/min
general rate limiter in seconds; the user lands on a `rate_limited`
error instead of the "Sign in" panel.

Fix: derive the skip URL from `AUTH_PATH_PREFIX` so it matches the
surface the host is on (`/auth/me` for portal-shell, `/admin/auth/me`
for portal-admin). The token is already provided by both apps via
`app.config.ts`.

Tests: +1 regression spec exercising the admin path. The new spec
asserts that no follow-up /me is issued after the bootstrap 401
when the prefix is `/admin/auth`.
2026-05-14 17:22:06 +02:00
..