Depriving Regular Users of Acess The Platform When It is Private

public/locales/en/unauthorized.json

@@ -1,5 +1,6 @@
 {
-    "firstPartMessage": "You do not have permission to access the page ",
+    "firstPartMessageURL": "You do not have permission to access the page ",
+    "firstPartMessage": "You do not have permission to access the page",
     "secondPartMessage": ", because you're a user with the role ",
     "inactiveAccountTitle": "Your account has been disabled.",
     "inactiveAccountBody": "Contact us by e-mail - contato@aletheiafact.org"

public/locales/pt/unauthorized.json

@@ -1,5 +1,6 @@
 {
-    "firstPartMessage": "Você não tem permissão de acesso a página ",
+    "firstPartMessageURL": "Você não tem permissão de acesso a página ",
+    "firstPartMessage": "Você não tem permissão de acesso a página",
     "secondPartMessage": ", pois você é um usuário com o papel ",
     "inactiveAccountTitle": "Sua conta foi desativada.",
     "inactiveAccountBody": "Entre em contato pelo nosso e-mail - contato@aletheiafact.org"

server/auth/session.guard.ts

@@ -2,6 +2,7 @@ import { CanActivate, ExecutionContext, Injectable } from "@nestjs/common";
 import { Configuration, V0alpha2Api } from "@ory/client";
 import { Reflector } from "@nestjs/core";
 import { ConfigService } from "@nestjs/config";
+import { Roles } from "./ability/ability.factory";
 
 @Injectable()
 export class SessionGuard implements CanActivate {
@@ -42,33 +43,49 @@ export class SessionGuard implements CanActivate {
                     role: session?.identity?.traits?.role,
                     status: session?.identity.state,
                 };
-                return true;
+                const overridePublicRoutes =
+                    session?.identity?.traits?.role === Roles.Regular &&
+                    this.configService.get<string>("override_public_routes");
+
+                if (overridePublicRoutes) {
+                    return this.checkAndRedirect(
+                        request,
+                        response,
+                        isPublic,
+                        "/unauthorized"
+                    );
+                } else {
+                    return true;
+                }
             }
 
-            return this.next(request, response, isPublic);
+            return this.checkAndRedirect(request, response, isPublic, "/login");
         } catch (e) {
-            // TODO: logging
-            return this.next(request, response, isPublic);
+            return this.checkAndRedirect(request, response, isPublic, "/login");
         }
     }
 
-    next(request, response, isPublic) {
+    private checkAndRedirect(request, response, isPublic, redirectPath) {
         const isAllowedPublicUrl = [
             "/login",
+            "/unauthorized",
             "/_next",
             "/api/.ory",
             "/api/health",
         ].some((route) => request.url.startsWith(route));
+
         const overridePublicRoutes =
             !isAllowedPublicUrl &&
             this.configService.get<string>("override_public_routes");
-        if (isPublic && !overridePublicRoutes) {
+
+        if (
+            (isPublic && !overridePublicRoutes) ||
+            request.url.startsWith("/api")
+        ) {
             return true;
-        }
-        if (request.url.startsWith("/api")) {
-            return false;
         } else {
-            response.redirect("/login");
+            response.redirect(redirectPath);
+            return false;
         }
     }
 }

src/components/AccessDeniedPage.tsx

@@ -19,7 +19,9 @@ const AcessDeniedPage = ({ originalUrl, status }) => {
                     fontWeight: 600,
                 }}
             >
-                {t("unauthorized:firstPartMessage")}
+                {originalUrl
+                    ? t("unauthorized:firstPartMessageURL")
+                    : t("unauthorized:firstPartMessage")}
                 {originalUrl === "/" ? "Home" : originalUrl}
                 {t("unauthorized:secondPartMessage")}
                 {role}

src/pages/access-denied-page.tsx

@@ -18,8 +18,12 @@ export async function getServerSideProps({ locale, locales, req, query }) {
     return {
         props: {
             ...(await serverSideTranslations(locale)),
-            originalUrl: JSON.parse(JSON.stringify(query?.originalUrl)),
-            status: JSON.parse(JSON.stringify(query?.status)),
+            originalUrl: query?.originalUrl
+                ? JSON.parse(JSON.stringify(query?.originalUrl))
+                : null,
+            status: query?.status
+                ? JSON.parse(JSON.stringify(query?.status))
+                : null,
         },
     };
 }