Yicong-Huang opened a new pull request, #5408:
URL: https://github.com/apache/texera/pull/5408

   ### What changes were proposed in this PR?
   
   Adds `api/config/pre-login` to `JwtModule.forRoot`'s `disallowedRoutes` in 
`frontend/src/app/app.module.ts`. Before this change the only entry was 
`forum/api/users`, so every other request — including the anonymous pre-login 
config fetch — carried whatever JWT was sitting in localStorage as 
`Authorization: Bearer …`. That attachment is unnecessary for an endpoint that 
is `@PermitAll` by definition, and turns out to be an active footgun: if the 
stored token's signature can't be verified server-side (backend signing-key 
rotation, manual localStorage tampering, cross-deployment bleed), the eager 
`JwtAuthFilter` from #5404 returns `401 error="invalid_token"` for the 
pre-login fetch, `GuiConfigService.loadPreLogin` (running inside 
`APP_INITIALIZER`) caches the error for the rest of the SPA session, and the 
login form fails to render until the user manually reloads.
   
   Only `/api/config/pre-login` qualifies for the disallowed list. The 
healthcheck endpoint isn't called from the front-end, and the public-dataset 
reads (`/dataset/public-*`, `/dataset/{did}/cover`, `/dataset/public/{did}`) 
take `@Auth Optional[SessionUser]` and intentionally use the JWT when one is 
present to surface a logged-in user's private content.
   
   ### Any related issues, documentation, discussions?
   
   Closes #5407. Companion to #5404 (eager `JwtAuthFilter`) — without this 
change, that PR introduces the SPA-blank-on-stale-token regression described 
above.
   
   ### How was this PR tested?
   
   `yarn test` (903 cases) and `yarn format:ci` clean. Verified manually in the 
browser: with #5404's backend running and a forged JWT in localStorage, before 
this change the login page would render without the form after the eager filter 
rejected pre-login; with this change the pre-login request carries no 
`Authorization`, returns 200, and the login form renders normally.
   
   ### Was this PR authored or co-authored using generative AI tooling?
   
   Generated-by: Claude Code (Opus 4.7)


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
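
The `disallowedRoutes` decision the PR relies on, as an added stand-alone model that is not Texera's or angular-jwt's own code: it mirrors how `@auth0/angular-jwt`'s `JwtInterceptor` matches string entries (resolved against the page origin and compared on hostname and pathname, so query strings are ignored) and pairs it with a toy server standing in for the eager `JwtAuthFilter`, which verifies any Bearer token it sees before looking at the resource. The origin `http://localhost:4200`, the token strings, the allow-list "verification" and the protected path `api/protected/resource` are all assumptions constructed for the example.

```typescript
// Added example, not Texera's or angular-jwt's code. Models the client-side
// `disallowedRoutes` check and a toy eager JwtAuthFilter so the before/after
// behaviour of the pre-login fetch can be checked offline.

type Route = string | RegExp;
type HeaderMap = Record<string, string>;

const ORIGIN = "http://localhost:4200"; // assumed SPA origin (dev server)

// Before the PR: only the forum proxy was excluded from JWT attachment.
const disallowedRoutesBefore: Route[] = ["forum/api/users"];
// After the PR: the anonymous pre-login config fetch is excluded as well.
const disallowedRoutesAfter: Route[] = ["forum/api/users", "api/config/pre-login"];

// Mirrors angular-jwt's JwtInterceptor.isDisallowedRoute: string entries are
// resolved against the page origin and matched on hostname + pathname (the
// query string plays no part); RegExp entries are tested against the raw URL.
function isDisallowedRoute(url: string, routes: Route[]): boolean {
  const requestUrl = new URL(url, ORIGIN);
  return routes.some((route) => {
    if (typeof route === "string") {
      const parsed = new URL(route, ORIGIN);
      return parsed.hostname === requestUrl.hostname && parsed.pathname === requestUrl.pathname;
    }
    return route.test(url);
  });
}

// Client side: attach whatever token sits in localStorage unless the route is
// on the disallowed list. `storedToken === null` models an empty localStorage.
function buildHeaders(url: string, routes: Route[], storedToken: string | null): HeaderMap {
  const headers: HeaderMap = {};
  if (storedToken !== null && !isDisallowedRoute(url, routes)) {
    headers["Authorization"] = `Bearer ${storedToken}`;
  }
  return headers;
}

// Server side: a toy stand-in for an eager JwtAuthFilter. A Bearer token, when
// present, is verified before the resource is considered, so an unverifiable
// token is rejected even on a @PermitAll endpoint. "Verification" here is a
// constructed allow-list, not real signature checking.
const TRUSTED_TOKENS = new Set(["good.header.sig"]); // constructed
const PERMIT_ALL_PATHS = new Set(["/api/config/pre-login"]);

function serverStatus(url: string, headers: HeaderMap): number {
  const auth = headers["Authorization"];
  let authenticated = false;
  if (auth !== undefined) {
    const token = auth.startsWith("Bearer ") ? auth.slice("Bearer ".length) : "";
    if (!TRUSTED_TOKENS.has(token)) {
      return 401; // error="invalid_token": rejected before any routing happens
    }
    authenticated = true;
  }
  const path = new URL(url, ORIGIN).pathname;
  if (PERMIT_ALL_PATHS.has(path) || authenticated) {
    return 200;
  }
  return 401; // protected resource requested without credentials
}

// End to end: what the pre-login fetch gets back for a given config and token.
function preLoginStatus(routes: Route[], storedToken: string | null): number {
  const url = "api/config/pre-login";
  return serverStatus(url, buildHeaders(url, routes, storedToken));
}

console.log("stale token, before:", preLoginStatus(disallowedRoutesBefore, "forged.token")); // 401
console.log("stale token, after: ", preLoginStatus(disallowedRoutesAfter, "forged.token")); // 200
```

Two details worth keeping in mind when extending the list: the string form is matched on pathname only, so `api/config/pre-login?foo=bar` is still excluded, and an entry is compared on hostname too, so an absolute URL on another host never matches a relative entry. Routes that take an optional principal (the `@Auth Optional[SessionUser]` dataset reads in the PR) must stay off the list, since they rely on the token being attached when present.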
