Redirect to login on auth errors #291

Merged
henrist merged 4 commits into main from fix-auth-redirect
Feb 23, 2026

@henrist henrist commented Feb 23, 2026

Summary

  • Auth-gated routes showed page-level errors (e.g. "Ukjent bruker") instead of redirecting to login when unauthenticated
  • Add a QueryCache onError handler that detects auth errors and redirects to SAML login with the current path as returnTo
  • Restores behavior from the old Laravel+SPA app where RedirectToLogin component triggered on NotAuthedError

Auth-gated routes showed page-level errors (e.g. "Ukjent bruker") instead of redirecting to login. The old Laravel+SPA app had a RedirectToLogin component that triggered on NotAuthedError. This was lost in the TanStack Start migration.

Add a QueryCache onError handler that detects auth errors and redirects to SAML login with the current path as returnTo.

coderabbitai bot commented Feb 23, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f408fec and 658f59c.

📒 Files selected for processing (1)
  • app/src/routes/__root.tsx

Walkthrough

The root route imports QueryCache and adds AUTH_ERROR_MESSAGE. QueryClient is initialized with a QueryCache onError handler that detects the auth error message and redirects the browser to the SAML login with a return-to parameter before any retry logic runs.

Changes

| Cohort / File(s) | Summary |
|---|---|
| QueryClient Authentication Error Handling: app/src/routes/__root.tsx | Added QueryCache import and AUTH_ERROR_MESSAGE constant. Wrapped QueryClient with a QueryCache that uses onError to detect auth errors and perform window.location.assign to the SAML login URL (including a return-to parameter) before retries. |

Sequence Diagram(s)

sequenceDiagram
    participant Browser as Browser (client)
    participant App as React App (QueryClient/QueryCache)
    participant SAML as SAML Login (Auth Server)

    Browser->>App: Execute query via QueryClient
    App->>App: QueryCache.onError receives error
    alt error.message == AUTH_ERROR_MESSAGE
        App->>Browser: window.location.assign(samlLogin?return_to=currentUrl)
        Browser->>SAML: Redirect to SAML login
    else other error
        App->>App: Normal error handling / retries
    end

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A query nibble went awry in the night,
An auth message glowed, a warning light.
QueryCache leapt, steered the path just right,
To SAML's door with a return-to flight.
Hop, login, return — all safe in sight. 🥕

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title 'Redirect to login on auth errors' clearly and concisely summarizes the main change: adding authentication error handling that redirects users to login instead of showing error messages. |
| Description check | ✅ Passed | The description provides relevant context about the problem (auth-gated routes showing errors instead of redirecting), the solution (QueryCache onError handler detecting auth errors), and references the previous behavior being restored. |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
app/src/routes/__root.tsx (1)

32-37: Consider a one-shot guard against concurrent auth-error redirects.

QueryCache global callbacks run once per cache entry. If multiple queries with distinct keys all fail with AUTH_ERROR_MESSAGE in the same tick, window.location.assign is called once per failing query key. The first navigation makes the rest harmless, but a simple flag makes the intent explicit and avoids any theoretical double-navigation side effects.

♻️ Proposed guard
+let redirectingToLogin = false
 const queryClient = new QueryClient({
   queryCache: new QueryCache({
     onError(error) {
       if (error instanceof Error && error.message === AUTH_ERROR_MESSAGE) {
+        if (redirectingToLogin) return
+        redirectingToLogin = true
         const returnTo = encodeURIComponent(window.location.pathname)
         window.location.assign(`/intern/api/saml2/login?returnTo=${returnTo}`)
       }
     },
   }),
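Review bot: `redirectingToLogin` is set on the added line just before `window.location.assign` and is never cleared, so if that navigation does not complete (for example it is cancelled by a beforeunload prompt), every later auth error in the session returns early and the user stays on the error page; consider clearing the flag after a short timeout or on `pageshow`. On the unchanged `returnTo` line, the value comes from `window.location.pathname` alone, which drops the query string, and because it feeds a login redirect the endpoint that consumes `returnTo` should accept only same-origin paths (a single leading `/`, not `//` or `/\`).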
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@app/src/routes/__root.tsx` around lines 32 - 37, The onError global callback
handling AUTH_ERROR_MESSAGE should use a one-shot guard to prevent concurrent
redirects: add a module-level boolean (e.g., didAuthRedirect or
isAuthRedirecting) checked at the top of the onError handler and return early if
already set, set it true immediately before calling
window.location.assign(`/intern/api/saml2/login?returnTo=${returnTo}`), and keep
the existing check for error instanceof Error && error.message ===
AUTH_ERROR_MESSAGE; reference the onError callback, AUTH_ERROR_MESSAGE, and
window.location.assign to locate where to add the guard.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@app/src/routes/__root.tsx`:
- Line 34: The returnTo value currently uses window.location.pathname which
drops query params; change the construction of returnTo in __root.tsx to include
both pathname and search (e.g., window.location.pathname +
window.location.search) before calling encodeURIComponent so users are returned
to the exact URL (including ?...); update the declaration that defines returnTo
accordingly.

---

Nitpick comments:
In `@app/src/routes/__root.tsx`:
- Around line 32-37: The onError global callback handling AUTH_ERROR_MESSAGE
should use a one-shot guard to prevent concurrent redirects: add a module-level
boolean (e.g., didAuthRedirect or isAuthRedirecting) checked at the top of the
onError handler and return early if already set, set it true immediately before
calling window.location.assign(`/intern/api/saml2/login?returnTo=${returnTo}`),
and keep the existing check for error instanceof Error && error.message ===
AUTH_ERROR_MESSAGE; reference the onError callback, AUTH_ERROR_MESSAGE, and
window.location.assign to locate where to add the guard.

ℹ️ Review info

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 44cd3d4 and f408fec.

📒 Files selected for processing (1)
  • app/src/routes/__root.tsx
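
The redirect discussed in this thread, as an added example that is not code from the PR or the project: it builds the login URL from pathname plus search, applies a one-shot guard, and goes beyond the PR by rejecting any returnTo that could leave the origin. The helper names (`safeReturnTo`, `buildLoginUrl`, `redirectToLoginOnce`), the `PARSE_BASE` origin and the injected `navigate` callback are assumptions; the login path is the one quoted in the review above.

```typescript
// Added example, not the project's code. Helper names are hypothetical.
const LOGIN_PATH = "/intern/api/saml2/login"; // path as quoted in the review above
const PARSE_BASE = "https://app.invalid";     // constructed origin, used only for parsing

interface LocationLike { pathname: string; search: string }

// Returns a same-origin "path?query" string, or "/" if the candidate could
// send the browser to another origin or back into the login endpoint.
function safeReturnTo(candidate: string): string {
  // Browsers treat "//host" and "/\host" as protocol-relative URLs.
  if (!candidate.startsWith("/") || /^\/[\/\\]/.test(candidate)) return "/";
  // Control characters (CR, LF, tab, ...) have no place in a redirect target.
  if (/[\u0000-\u001f\u007f]/.test(candidate)) return "/";
  try {
    const parsed = new URL(candidate, PARSE_BASE);
    if (parsed.origin !== PARSE_BASE) return "/";
    // Returning to the login endpoint itself would loop.
    if (parsed.pathname.startsWith(LOGIN_PATH)) return "/";
    return parsed.pathname + parsed.search; // fragment is dropped on purpose
  } catch {
    return "/";
  }
}

// Keeps the query string, which window.location.pathname alone would lose.
function buildLoginUrl(loc: LocationLike): string {
  const returnTo = safeReturnTo(loc.pathname + loc.search);
  return `${LOGIN_PATH}?returnTo=${encodeURIComponent(returnTo)}`;
}

let redirecting = false; // one-shot guard shared by all failing queries

// `navigate` is injected so the logic can be tested; in the browser it would
// be (url) => window.location.assign(url).
function redirectToLoginOnce(loc: LocationLike, navigate: (url: string) => void): boolean {
  if (redirecting) return false;
  redirecting = true;
  navigate(buildLoginUrl(loc));
  return true;
}
```

The same `safeReturnTo` check belongs on whichever side finally redirects to `returnTo` after login, since the query parameter can be set by anyone who crafts a link.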


henrist commented Feb 23, 2026

@coderabbitai review


coderabbitai bot commented Feb 23, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@henrist henrist merged commit 9568ac1 into main Feb 23, 2026
6 checks passed
@henrist henrist deleted the fix-auth-redirect branch February 23, 2026 23:28