
Move auth check to frontend for CDN-friendly caching #166

Merged
zhenghaoz merged 3 commits into gorse-io:master from zhangzhenghao:frontend-auth-check
Apr 26, 2026

@zhangzhenghao
Contributor

Summary

  • Backend: Remove login checks from page routes (/, /login, /privacy, 404) - all routes now directly return static index.html
  • Backend: Add /api/me endpoint for frontend to check authentication status
  • Backend: Add Cache-Control: private, no-store, no-cache, must-revalidate headers to all /api/* endpoints to prevent CDN caching
  • Frontend: Add router guard (beforeEach) to check auth via /api/me before allowing access to protected routes

Benefits

  1. CDN-friendly: All page routes return static files that can be safely cached by CDN
  2. Reduced backend load: Static file serving can be handled by CDN edge nodes
  3. Better performance: Users get faster page loads from CDN cache
  4. Security: API endpoints explicitly disable caching to protect user data

Changes

Backend (app.py)

  • Removed @login_required and redirect logic from /, /login, /privacy, and page_not_found
  • Added /api/me endpoint returning {is_authenticated: true/false, login: string}
  • Added Cache-Control header in set_headers() for all /api/* paths

Frontend (frontend/src/main.js)

  • Added meta: { requiresAuth: true } to protected routes
  • Added router.beforeEach guard that calls /api/me and redirects to /login if not authenticated

Testing

Tested locally:

  • Unauthenticated users are redirected to /login when accessing / or /favorites
  • Authenticated users can access all routes normally
  • /api/me returns correct authentication status

- Backend: Remove login checks from page routes (/ /login /privacy /404)
- Backend: Add /api/me endpoint for frontend auth status check
- Backend: Add Cache-Control headers to disable CDN caching on API endpoints
- Frontend: Add router guard to check authentication before accessing protected routes

This change makes all page routes return static files that can be safely cached
by CDN, while authentication logic is handled by the frontend.

- Add localStorage cache for auth state with 5-minute expiry
- Add axios interceptor to handle 401 errors globally
- Clear cache and redirect to login on auth failure
- Reduce unnecessary /api/me requests
@zhenghaoz zhenghaoz merged commit 92d2a30 into gorse-io:master Apr 26, 2026
1 check passed
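
The split this PR describes, as an added example that is not the project's code: page routes serve one static shell to every visitor, while everything under /api/ carries the PR's Cache-Control value and data endpoints still return 401 to anonymous callers, so the frontend guard is not the only check. It uses a standard-library WSGI app in place of the project's app.py; the `sid` cookie name, the session store, the `/api/favorites` path and the empty `login` for anonymous users are assumptions.

```python
import json
from http.cookies import SimpleCookie

API_CACHE_CONTROL = "private, no-store, no-cache, must-revalidate"  # value from the PR
SESSIONS = {"constructed-sid-1": "alice"}             # constructed session store
INDEX_HTML = b"<!doctype html><div id='app'></div>"   # static shell, no user data

def current_login(environ):
    """Login bound to the 'sid' cookie (hypothetical name), or None."""
    morsel = SimpleCookie(environ.get("HTTP_COOKIE", "")).get("sid")
    return SESSIONS.get(morsel.value) if morsel else None

def app(environ, start_response):
    path = environ.get("PATH_INFO", "/")
    if not path.startswith("/api/"):
        # Page routes: identical bytes for every visitor, so a shared cache is safe.
        start_response("200 OK", [("Content-Type", "text/html")])
        return [INDEX_HTML]
    login = current_login(environ)
    if path == "/api/me":
        status = "200 OK"
        payload = {"is_authenticated": login is not None, "login": login or ""}
    elif login is None:
        # The router guard is only UX; data endpoints still refuse anonymous callers.
        status, payload = "401 Unauthorized", {"error": "login required"}
    else:
        status, payload = "200 OK", {"login": login, "items": []}
    start_response(status, [("Content-Type", "application/json"),
                            ("Cache-Control", API_CACHE_CONTROL)])
    return [json.dumps(payload).encode()]

def call(path, cookie=None):
    """Drive the WSGI app in-process; returns (status, headers, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    if cookie:
        environ["HTTP_COOKIE"] = cookie
    seen = {}
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)
    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body

if __name__ == "__main__":
    for path, cookie in [("/", None), ("/api/me", None), ("/api/favorites", None),
                         ("/api/favorites", "sid=constructed-sid-1")]:
        status, headers, _ = call(path, cookie)
        print(path, status, headers.get("Cache-Control"))
```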