fix: prevent admin page redirect during token refresh

adminFetch called logout() directly on 401/403 responses, which cleared roles and caused RequireAdmin to redirect to /exchanges while users were editing forms. Now adminFetch attempts a token refresh before failing, and RequireAdmin tolerates a transient empty-roles state during refresh. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-09 18:28:45 +02:00
parent 3f9fd44ea5
commit b6b93dc3cc
2 changed files with 52 additions and 3 deletions
--- a/ui/src/auth/RequireAdmin.tsx
+++ b/ui/src/auth/RequireAdmin.tsx
@@ -1,8 +1,24 @@
 import { Navigate, Outlet } from 'react-router';
-import { useIsAdmin } from './auth-store';
+import { useAuthStore, useIsAdmin } from './auth-store';

+/**
+ * Route guard for admin pages.
+ *
+ * Redirects non-admin users to '/'.  The guard is intentionally lenient when
+ * the user is authenticated but their roles array is transiently empty (e.g.
+ * during a token refresh).  In that case we render nothing rather than
+ * navigating away — the refresh will restore the roles within milliseconds and
+ * avoid losing unsaved form state on admin pages.
+ */
 export function RequireAdmin() {
  const isAdmin = useIsAdmin();
+  const roles = useAuthStore((s) => s.roles);
+  const isAuthenticated = useAuthStore((s) => s.isAuthenticated);
+
+  // Authenticated but roles not yet populated (token refresh in progress) —
+  // render nothing and wait rather than redirecting.
+  if (isAuthenticated && roles.length === 0) return null;
+
  if (!isAdmin) return <Navigate to="/" replace />;
  return <Outlet />;
 }