Remove login routes when federated

[alexandrudanpop]

Fixes OPS-3163

[linear]

OPS-3163 Remove login routes when federated

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/routes

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

This PR adds conditional routing to remove authentication-related routes when federated login is enabled, controlled by the FEDERATED_LOGIN_ENABLED feature flag.

• Introduces feature flag check for FEDERATED_LOGIN_ENABLED to conditionally include routes
• Restructures route definitions to separate regular login routes from always-available routes
• Wraps authentication routes (sign-in, sign-up, password reset, email verification) in a conditional block

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The condition !isFederatedLogin will evaluate to true when isFederatedLogin is undefined, causing regular login routes to be included even when the flag state hasn't loaded yet. This could lead to race conditions. Consider adding an explicit check: if (isFederatedLogin === false) to only include routes when the flag is definitively disabled.

Suggested change

	if (!isFederatedLogin) {
	if (isFederatedLogin === false) {

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[greptile-apps]

Greptile Overview

Greptile Summary

Conditionally registers login-related routes (/sign-in, /sign-up, /forget-password, /reset-password, /verify-email) based on the FEDERATED_LOGIN_ENABLED flag. When federated login is enabled via Frontegg, these traditional authentication routes are excluded from the router configuration, preventing direct access to custom login flows.

Confidence Score: 4/5

• Safe to merge with minor consideration for UNAUTHENTICATED_ROUTES cleanup in global-layout.tsx
• The implementation correctly conditionalizes authentication routes based on the federated login flag. The logic is sound and consistent with existing patterns (e.g., SignInPage already checks this flag). One minor issue: UNAUTHENTICATED_ROUTES in global-layout.tsx:37-48 still hardcodes these routes, which means they'll bypass auth guards before hitting the wildcard redirect - not a critical bug but a code quality concern for maintainability.
• Consider updating global-layout.tsx to dynamically compute UNAUTHENTICATED_ROUTES based on the federated login flag

Important Files Changed

File Analysis

Filename	Score	Overview
packages/react-ui/src/app/router.tsx	5/5	Conditionally registers login routes based on FEDERATED_LOGIN_ENABLED flag - moves authentication routes from static array into conditional block

Sequence Diagram

sequenceDiagram
    participant User
    participant Router as ApplicationRouter
    participant GlobalLayout
    participant AuthGuard as AllowOnlyLoggedInUserOnlyGuard
    participant Flag as flagsHooks
    participant Frontegg
    
    Note over Router,Flag: Federated Login Enabled
    
    Router->>Flag: useFlag(FEDERATED_LOGIN_ENABLED)
    Flag-->>Router: isFederatedLogin = true
    Router->>Router: Skip registering /sign-in, /sign-up, etc.
    
    User->>GlobalLayout: Navigate to /flows
    GlobalLayout->>GlobalLayout: Check UNAUTHENTICATED_ROUTES
    GlobalLayout->>AuthGuard: Path not in unauthenticated list
    AuthGuard->>Flag: useFlag(FEDERATED_LOGIN_ENABLED)
    Flag-->>AuthGuard: isFederatedLogin = true
    AuthGuard->>Frontegg: Check fronteggToken
    
    alt User authenticated
        Frontegg-->>AuthGuard: Valid token
        AuthGuard->>User: Render protected content
    else User not authenticated
        Frontegg-->>AuthGuard: No token
        AuthGuard->>User: Redirect to Frontegg login
    end
    
    Note over Router,Flag: Traditional Login (Federated Disabled)
    
    Router->>Flag: useFlag(FEDERATED_LOGIN_ENABLED)
    Flag-->>Router: isFederatedLogin = false
    Router->>Router: Register /sign-in, /sign-up, etc.
    
    User->>GlobalLayout: Navigate to /sign-in
    GlobalLayout->>GlobalLayout: Path in UNAUTHENTICATED_ROUTES
    GlobalLayout->>User: Render SignInPage (no auth guard)

Loading

[greptile-apps]

_{1 file reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

logic: UNAUTHENTICATED_ROUTES in global-layout.tsx:37-48 still includes these routes. When federated login is enabled, users navigating to /sign-in, /sign-up, etc. will bypass auth guards but hit 404s.

Suggested change

	if (!isFederatedLogin) {
	const regularLoginRoutes = [
	{
	path: 'forget-password',
	element: (
	<OpsErrorBoundary>
	<PageTitle title="Forget Password">
	<ResetPasswordPage />
	</PageTitle>
	</OpsErrorBoundary>
	),
	errorElement: <RouteErrorBoundary />,
	},
	{
	path: 'reset-password',
	element: (
	<OpsErrorBoundary>
	<PageTitle title="Reset Password">
	<ChangePasswordPage />
	</PageTitle>
	</OpsErrorBoundary>
	),
	errorElement: <RouteErrorBoundary />,
	},
	{
	path: 'sign-in',
	element: (
	<OpsErrorBoundary>
	<PageTitle title="Sign In">
	<SignInPage />
	</PageTitle>
	</OpsErrorBoundary>
	),
	errorElement: <RouteErrorBoundary />,
	},
	{
	path: 'verify-email',
	element: (
	<OpsErrorBoundary>
	<PageTitle title="Verify Email">
	<VerifyEmail />
	</PageTitle>
	</OpsErrorBoundary>
	),
	errorElement: <RouteErrorBoundary />,
	},
	{
	path: 'sign-up',
	element: (
	<OpsErrorBoundary>
	<PageTitle title="Sign Up">
	<SignUpPage />
	</PageTitle>
	</OpsErrorBoundary>
	),
	errorElement: <RouteErrorBoundary />,
	},
	];
	routes.push(...regularLoginRoutes);
	}
	if (!isFederatedLogin) {
	const regularLoginRoutes = [
	{
	path: 'forget-password',
	element: (
	<OpsErrorBoundary>
	<PageTitle title="Forget Password">
	<ResetPasswordPage />
	</PageTitle>
	</OpsErrorBoundary>
	),
	errorElement: <RouteErrorBoundary />,
	},
	{
	path: 'reset-password',
	element: (
	<OpsErrorBoundary>
	<PageTitle title="Reset Password">
	<ChangePasswordPage />
	</PageTitle>
	</OpsErrorBoundary>
	),
	errorElement: <RouteErrorBoundary />,
	},
	{
	path: 'sign-in',
	element: (
	<OpsErrorBoundary>
	<PageTitle title="Sign In">
	<SignInPage />
	</PageTitle>
	</OpsErrorBoundary>
	),
	errorElement: <RouteErrorBoundary />,
	},
	{
	path: 'verify-email',
	element: (
	<OpsErrorBoundary>
	<PageTitle title="Verify Email">
	<VerifyEmail />
	</PageTitle>
	</OpsErrorBoundary>
	),
	errorElement: <RouteErrorBoundary />,
	},
	{
	path: 'sign-up',
	element: (
	<OpsErrorBoundary>
	<PageTitle title="Sign Up">
	<SignUpPage />
	</PageTitle>
	</OpsErrorBoundary>
	),
	errorElement: <RouteErrorBoundary />,
	},
	];
	routes.push(...regularLoginRoutes);
	}

Prompt To Fix With AI

This is a comment left during a code review.
Path: packages/react-ui/src/app/router.tsx
Line: 232:291

Comment:
**logic:** `UNAUTHENTICATED_ROUTES` in `global-layout.tsx:37-48` still includes these routes. When federated login is enabled, users navigating to `/sign-in`, `/sign-up`, etc. will bypass auth guards but hit 404s.

```suggestion
  if (!isFederatedLogin) {
    const regularLoginRoutes = [
      {
        path: 'forget-password',
        element: (
          <OpsErrorBoundary>
            <PageTitle title="Forget Password">
              <ResetPasswordPage />
            </PageTitle>
          </OpsErrorBoundary>
        ),
        errorElement: <RouteErrorBoundary />,
      },
      {
        path: 'reset-password',
        element: (
          <OpsErrorBoundary>
            <PageTitle title="Reset Password">
              <ChangePasswordPage />
            </PageTitle>
          </OpsErrorBoundary>
        ),
        errorElement: <RouteErrorBoundary />,
      },
      {
        path: 'sign-in',
        element: (
          <OpsErrorBoundary>
            <PageTitle title="Sign In">
              <SignInPage />
            </PageTitle>
          </OpsErrorBoundary>
        ),
        errorElement: <RouteErrorBoundary />,
      },
      {
        path: 'verify-email',
        element: (
          <OpsErrorBoundary>
            <PageTitle title="Verify Email">
              <VerifyEmail />
            </PageTitle>
          </OpsErrorBoundary>
        ),
        errorElement: <RouteErrorBoundary />,
      },
      {
        path: 'sign-up',
        element: (
          <OpsErrorBoundary>
            <PageTitle title="Sign Up">
              <SignUpPage />
            </PageTitle>
          </OpsErrorBoundary>
        ),
        errorElement: <RouteErrorBoundary />,
      },
    ];
    routes.push(...regularLoginRoutes);
  }
```

How can I resolve this? If you propose a fix, please make it concise.