fix(auth): whitelist /auth/mfa/* and /mfa-setup page in 401 interceptor

axios 401 handler was bouncing the user to /login whenever the
forced-setup endpoint returned 401 (expected for invalid/expired
setup tokens). That made the /mfa-setup page silently redirect
back to /login the moment its useEffect fired — user saw the
login form again on /mfa-setup URL.
2026-05-25 11:13:47 +02:00
parent 746cf131fa
commit 3c2e51307c
+7 -3
@@ -12,9 +12,13 @@ api.interceptors.response.use(
(error) => {
if (error.response && error.response.status === 401) {
const url: string = error.config?.url || '';
const isAuthCheck = url.includes('/auth/login') || url.includes('/auth/me');
const onLoginPage = typeof window !== 'undefined' && window.location.pathname === '/login';
if (!isAuthCheck && !onLoginPage && typeof window !== 'undefined') {
const isAuthCheck =
url.includes('/auth/login') ||
url.includes('/auth/me') ||
url.includes('/auth/mfa/'); // mfa verify + forced-setup
const path = typeof window !== 'undefined' ? window.location.pathname : '';
const onAuthPage = path === '/login' || path.startsWith('/mfa-setup');
if (!isAuthCheck && !onAuthPage && typeof window !== 'undefined') {
window.location.href = '/login';
}
}
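Review bot: The two new exemptions match more than the commit message describes. `url.includes('/auth/mfa/')` is a substring test on the whole request URL, so a query string or an unrelated route containing that text also skips the redirect, and `path.startsWith('/mfa-setup')` also accepts any longer path with that prefix (a constructed example: `/mfa-setup-old`). Tightening the page check to `const onAuthPage = path === '/login' || path === '/mfa-setup' || path.startsWith('/mfa-setup/');` and testing only the path portion of `url` against the MFA prefix would keep the whitelist to the intended routes. While the user is on /mfa-setup, every 401 (not only the MFA ones) now bypasses the redirect, so the page has to surface an expired setup token or expired session itself; a short comment above `onAuthPage` saying so would help the next reader. The interceptor callback continues past the end of the hunk, so whether the error is still rejected to the caller is not visible here.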