Rework Vue Router AuthGuard to apply permission and redirect to error pages

Author: lcharette

package-lock.json

@@ -1,5 +1,6 @@
 import AccountRoutes from '@userfrosting/sprinkle-account/routes'
 import AdminRoutes from '@userfrosting/sprinkle-admin/routes'
+import ErrorRoutes from '@userfrosting/sprinkle-core/routes'
 import { createRouter, createWebHistory } from 'vue-router'
 
 const router = createRouter({
@@ -24,7 +25,8 @@ const router = createRouter({
                     component: () => import('../views/AboutView.vue')
                 },
                 // Include sprinkles routes
-                ...AccountRoutes
+                ...AccountRoutes,
+                ...ErrorRoutes
             ]
         },
         {

packages/skeleton/app/assets/router/index.ts

@@ -1,6 +1,6 @@
 import { watchEffect } from 'vue'
 import { useAuthStore } from '../stores/auth'
-import type { Router } from 'vue-router'
+import type { RouteLocationRaw, Router } from 'vue-router'
 
 export function useAuthGuard(router: Router) {
     const auth = useAuthStore()
@@ -25,7 +25,18 @@ export function useAuthGuard(router: Router) {
     const applyAuthGuard = () => {
         const authGuard = getRouteAuth()
         if (authGuard !== null && !auth.isAuthenticated) {
-            const redirectTo = authGuard.redirect ?? '/login'
+            const redirectTo = authGuard.redirect ?? getErrorRoute('Unauthorized')
+            redirect(redirectTo)
+        }
+    }
+
+    /**
+     * Apply permission route guard
+     */
+    const applyPermissionGuard = () => {
+        const authGuard = getRouteAuth()
+        if (authGuard?.permission !== undefined && !auth.checkAccess(authGuard.permission)) {
+            const redirectTo = authGuard.redirect ?? getErrorRoute('Forbidden')
             redirect(redirectTo)
         }
     }
@@ -36,20 +47,38 @@ export function useAuthGuard(router: Router) {
     const applyGuestGuard = () => {
         const guestGuard = getRouteGuest()
         if (guestGuard !== null && auth.isAuthenticated) {
-            const redirectTo = guestGuard.redirect ?? '/'
+            const redirectTo = guestGuard.redirect ?? getErrorRoute('Unauthorized')
             redirect(redirectTo)
         }
     }
 
     /**
      * Redirect to the specified route
      */
-    const redirect = (redirectTo: string | { name: string }) => {
-        router.push(redirectTo)
+    const redirect = (redirectTo: RouteLocationRaw) => {
+        router.replace(redirectTo)
+    }
+
+    /**
+     * Get the error route location object for the specified route name.
+     *
+     * N.B.: Param is used to preserver the current path. Substring is used to
+     * remove the first char to avoid the target URL starting with `//`. Query
+     * and hash are used to preserve the current query and hash.
+     * @see https://router.vuejs.org/guide/essentials/dynamic-matching.html#Catch-all-404-Not-found-Route
+     */
+    const getErrorRoute = (name: string) => {
+        return {
+            name: name,
+            params: { pathMatch: router.currentRoute.value.path.substring(1).split('/') },
+            query: router.currentRoute.value.query,
+            hash: router.currentRoute.value.hash
+        }
     }
 
     watchEffect(() => {
         applyAuthGuard()
+        applyPermissionGuard()
         applyGuestGuard()
     })
 }

packages/sprinkle-account/app/assets/guards/authGuard.ts

@@ -2,7 +2,7 @@ export type { UserInterface } from './models/userInterface'
 export type { GroupInterface } from './models/groupInterface'
 export type { RoleInterface } from './models/roleInterface'
 export type { PermissionInterface, UserPermissionsMapInterface } from './models/permissionInterface'
-export type { RouteGuard } from './routes'
+export type { RouteAuthGuard, RouteGuestGuard } from './routes'
 export type { AuthCheckResponse } from './AuthCheckApi'
 export type { ProfileEditRequest } from './ProfileEditApi'
 export type { PasswordEditRequest } from './PasswordEditApi'

packages/sprinkle-account/app/assets/interfaces/index.ts

@@ -9,13 +9,18 @@
  */
 import 'vue-router'
 
-export interface RouteGuard {
-    redirect: string | { name: string }
+export interface RouteAuthGuard {
+    redirect?: string | { name: string }
+    permission?: string
+}
+
+export interface RouteGuestGuard {
+    redirect?: string | { name: string }
 }
 
 declare module 'vue-router' {
     interface RouteMeta {
-        auth?: RouteGuard
-        guest?: RouteGuard
+        auth?: RouteAuthGuard
+        guest?: RouteGuestGuard
     }
 }

packages/sprinkle-account/app/assets/interfaces/routes.ts

@@ -2,23 +2,25 @@
 import { afterEach, beforeEach, describe, expect, test, vi } from 'vitest'
 import { useAuthGuard } from '../../guards/authGuard'
 import * as Auth from '../../stores/auth'
+import type { RouteAuthGuard, RouteGuestGuard } from 'app/assets/interfaces'
 
 // Default mock for the auth store and router
 const mockAuthStore = {
     isAuthenticated: false,
-    check: vi.fn()
+    checkAccess: vi.fn()
 }
 
 const mockRouter = {
     currentRoute: {
         value: {
+            path: '/foo/bar',
             meta: {
-                auth: null as null | { redirect?: string },
-                guest: null as null | { redirect?: string }
+                auth: undefined as RouteAuthGuard | undefined,
+                guest: undefined as RouteGuestGuard | undefined
             }
         }
     },
-    push: vi.fn()
+    replace: vi.fn()
 }
 
 describe('authGuard useAuthGuard() method', () => {
@@ -37,59 +39,69 @@ describe('authGuard useAuthGuard() method', () => {
         useAuthGuard(mockRouter as any)
 
         // Assert
-        expect(mockRouter.push).not.toHaveBeenCalled()
+        expect(mockRouter.replace).not.toHaveBeenCalled()
     })
 
     test('should redirect to login if route requires auth and user is not authenticated', () => {
         // Arrange
         mockRouter.currentRoute.value.meta.auth = { redirect: '/login' }
-        mockRouter.currentRoute.value.meta.guest = null
         mockAuthStore.isAuthenticated = false
 
         // Act
         useAuthGuard(mockRouter as any)
 
         // Assert
-        expect(mockRouter.push).toHaveBeenCalledWith('/login')
+        expect(mockRouter.replace).toHaveBeenCalled()
+        expect(mockRouter.replace).toHaveBeenCalledWith('/login')
     })
 
     test('should not redirect if route requires auth and user is authenticated', () => {
         // Arrange
         mockRouter.currentRoute.value.meta.auth = { redirect: '/login' }
-        mockRouter.currentRoute.value.meta.guest = null
         mockAuthStore.isAuthenticated = true
 
         // Act
         useAuthGuard(mockRouter as any)
 
         // Assert
-        expect(mockRouter.push).not.toHaveBeenCalled()
+        expect(mockRouter.replace).not.toHaveBeenCalled()
     })
 
-    test('should not redirect if route is for guests and user is not authenticated', () => {
+    test('should not redirect if route requires permission and user does not have it', () => {
         // Arrange
-        mockRouter.currentRoute.value.meta.auth = null
+        mockRouter.currentRoute.value.meta.auth = { permission: 'foo.bar', redirect: '/login' }
+        mockAuthStore.isAuthenticated = true
+
+        // Act
+        useAuthGuard(mockRouter as any)
+
+        // Assert
+        expect(mockRouter.replace).toHaveBeenCalledWith('/login')
+    })
+
+    test('should not redirect if route requires guests and user is not authenticated', () => {
+        // Arrange
+        mockRouter.currentRoute.value.meta.auth = undefined
         mockRouter.currentRoute.value.meta.guest = { redirect: '/' }
         mockAuthStore.isAuthenticated = false
 
         // Act
         useAuthGuard(mockRouter as any)
 
         // Assert
-        expect(mockRouter.push).not.toHaveBeenCalled()
+        expect(mockRouter.replace).not.toHaveBeenCalled()
     })
 
     test('should redirect to home if route is for guests and user is authenticated', () => {
         // Arrange
-        mockRouter.currentRoute.value.meta.auth = null
         mockRouter.currentRoute.value.meta.guest = { redirect: '/' }
         mockAuthStore.isAuthenticated = true
 
         // Act
         useAuthGuard(mockRouter as any)
 
         // Assert
-        expect(mockRouter.push).toHaveBeenCalledWith('/')
+        expect(mockRouter.replace).toHaveBeenCalledWith('/')
     })
 
     test('should use default redirect for auth guard if no redirect specified', () => {
@@ -101,7 +113,27 @@ describe('authGuard useAuthGuard() method', () => {
         useAuthGuard(mockRouter as any)
 
         // Assert
-        expect(mockRouter.push).toHaveBeenCalledWith('/login')
+        expect(mockRouter.replace).toHaveBeenCalledWith(
+            expect.objectContaining({
+                name: 'Unauthorized'
+            })
+        )
+    })
+
+    test('should use default redirect for permission guard if no redirect specified', () => {
+        // Arrange
+        mockRouter.currentRoute.value.meta.auth = { permission: 'foo.bar' }
+        mockAuthStore.isAuthenticated = false
+
+        // Act
+        useAuthGuard(mockRouter as any)
+
+        // Assert
+        expect(mockRouter.replace).toHaveBeenCalledWith(
+            expect.objectContaining({
+                name: 'Unauthorized'
+            })
+        )
     })
 
     test('should use default redirect for guest guard if no redirect specified', () => {
@@ -113,6 +145,10 @@ describe('authGuard useAuthGuard() method', () => {
         useAuthGuard(mockRouter as any)
 
         // Assert
-        expect(mockRouter.push).toHaveBeenCalledWith('/')
+        expect(mockRouter.replace).toHaveBeenCalledWith(
+            expect.objectContaining({
+                name: 'Unauthorized'
+            })
+        )
     })
 })

packages/sprinkle-account/app/assets/tests/guards/authGuard.test.ts

@@ -0,0 +1,28 @@
+/**
+ * Default error routes.
+ *
+ * N.B.: The first of these routes serve as a catch-all, so 404 not found must
+ * be first.
+ */
+export default [
+    {
+        path: '/:pathMatch(.*)*',
+        name: 'NotFound',
+        component: () => import('../views/404NotFound.vue')
+    },
+    {
+        path: '/:pathMatch(.*)*',
+        name: 'Unauthorized',
+        component: () => import('../views/401Unauthorized.vue')
+    },
+    {
+        path: '/:pathMatch(.*)*',
+        name: 'Forbidden',
+        component: () => import('../views/403Forbidden.vue')
+    },
+    {
+        path: '/:pathMatch(.*)*',
+        name: 'Error',
+        component: () => import('../views/500ServerError.vue')
+    }
+]

packages/sprinkle-core/app/assets/routes/index.ts

@@ -0,0 +1,4 @@
+<template>
+    <h1>{{ $t('ERROR.401.TITLE') }}</h1>
+    <p>{{ $t('ERROR.401.DESCRIPTION') }}</p>
+</template>

packages/sprinkle-core/app/assets/views/401Unauthorized.vue

@@ -0,0 +1,4 @@
+<template>
+    <h1>{{ $t('ERROR.403.TITLE') }}</h1>
+    <p>{{ $t('ERROR.403.DESCRIPTION') }}</p>
+</template>

packages/sprinkle-core/app/assets/views/403Forbidden.vue

@@ -0,0 +1,4 @@
+<template>
+    <h1>{{ $t('ERROR.404.TITLE') }}</h1>
+    <p>{{ $t('ERROR.404.DESCRIPTION') }}</p>
+</template>