@micha.bigler/ui-core-micha 2.2.12 → 2.2.14

package/dist/auth/apiClient.js

@@ -9,25 +9,52 @@ let redirectingToLogin = false;
 function isBrowser() {
     return typeof window !== "undefined";
 }
-// WICHTIG: Liste aller Routen, die OHNE Login funktionieren müssen.
-// Beginnt der Pfad mit einem dieser Strings, wird kein Auto-Redirect ausgelöst.
-const PUBLIC_PATHS = [
+// Routen, die OHNE Login funktionieren müssen. Library-eigene Pfade sind eingefroren
+// und können nicht entfernt werden — sonst würde z. B. `removePublicPath("/login")`
+// auf der Login-Page selbst einen Redirect-Loop auslösen.
+const BUILTIN_PUBLIC_PATHS = Object.freeze([
     "/login",
     "/signup",
-    "/reset-request-password", // Request Page
-    "/invite", // Invite Link (/invite/:uid/:token)
-    "/reset", // Reset Link (/reset/:uid/:token)
-    "/welcome" // Optional: Falls Welcome auch öffentlich ist
-];
+    "/reset-request-password",
+    "/invite", // /invite/:uid/:token
+    "/reset", // /reset/:uid/:token
+    "/welcome",
+]);
+const CONSUMER_PUBLIC_PATHS = new Set();
+/**
+ * Register an additional public path so a 401 on that route does not auto-redirect
+ * to `/login`. Typical use: a public landing on `/` in an otherwise authenticated app.
+ *
+ * MUST be called before the AuthProvider mounts (i.e. before `ReactDOM.render`).
+ * Calling it later won't help the bootstrap probe which fires on AuthProvider mount.
+ */
+export function addPublicPath(path) {
+    if (typeof path === "string" && path) {
+        CONSUMER_PUBLIC_PATHS.add(path);
+    }
+}
+/** Remove a consumer-added public path. Library-internal paths are protected. */
+export function removePublicPath(path) {
+    CONSUMER_PUBLIC_PATHS.delete(path);
+}
 function isPublicSitePath(pathname) {
     return pathname === "/sites" || pathname.startsWith("/sites/");
 }
+// Match rule: an entry of exactly "/" requires strict equality (avoids matching
+// every path with startsWith). Other entries keep the looser prefix match so
+// dynamic routes like /invite/:uid/:token still work.
+function matchesPublicPath(pathname, entry) {
+    if (entry === "/")
+        return pathname === "/";
+    return pathname.startsWith(entry);
+}
 function redirectToLoginOnce() {
     if (!isBrowser())
         return;
     const currentPath = window.location.pathname;
-    // 1. Check: Sind wir auf einer öffentlichen Seite?
-    const isPublicPage = isPublicSitePath(currentPath) || PUBLIC_PATHS.some(path => currentPath.startsWith(path));
+    const isPublicPage = isPublicSitePath(currentPath) ||
+        BUILTIN_PUBLIC_PATHS.some((path) => matchesPublicPath(currentPath, path)) ||
+        Array.from(CONSUMER_PUBLIC_PATHS).some((path) => matchesPublicPath(currentPath, path));
     // Wenn ja: NICHT weiterleiten. Der 401 Fehler wird an die Komponente durchgereicht.
     if (isPublicPage)
         return;
@@ -83,13 +110,18 @@ function extractAuthSignal(data) {
     return { code: null, i18nKey: null };
 }
 apiClient.interceptors.response.use((response) => response, (error) => {
-    var _a, _b, _c, _d;
+    var _a, _b, _c, _d, _e;
     const status = (_b = (_a = error === null || error === void 0 ? void 0 : error.response) === null || _a === void 0 ? void 0 : _a.status) !== null && _b !== void 0 ? _b : null;
     const data = (_d = (_c = error === null || error === void 0 ? void 0 : error.response) === null || _c === void 0 ? void 0 : _c.data) !== null && _d !== void 0 ? _d : {};
     const { code, i18nKey } = extractAuthSignal(data);
     const isAuthStatus = status === 401 || status === 403;
     const isNotAuthenticated = code === "not_authenticated" || i18nKey === "auth.not_authenticated";
-    if (isAuthStatus && isNotAuthenticated) {
+    // Per-request opt-out: bootstrap probes (e.g. fetchCurrentUser on app start)
+    // expect to handle 401 silently and must not trigger a redirect-on-mount.
+    // Carried as an axios config property, so it never travels to the backend
+    // (would otherwise trigger a CORS preflight on cross-origin requests).
+    const skipRedirect = ((_e = error === null || error === void 0 ? void 0 : error.config) === null || _e === void 0 ? void 0 : _e.skipAuthRedirect) === true;
+    if (isAuthStatus && isNotAuthenticated && !skipRedirect) {
         redirectToLoginOnce();
     }
     return Promise.reject(error);

package/dist/auth/authApi.js

@@ -12,7 +12,12 @@ function getCsrfToken() {
 // Session & User Core
 // -----------------------------
 export async function fetchCurrentUser() {
-    const res = await apiClient.get(`${USERS_BASE}/current/`);
+    // Bootstrap-Probe: 401 darf nicht in einen Login-Redirect umschlagen,
+    // damit Public-Landings auf "/" sichtbar bleiben. `skipAuthRedirect` ist eine
+    // client-seitige axios-Config-Property und wird nicht ans Backend gesendet.
+    const res = await apiClient.get(`${USERS_BASE}/current/`, {
+        skipAuthRedirect: true,
+    });
     return res.data;
 }
 export async function fetchAuthMethods() {

package/dist/index.js

@@ -1,7 +1,7 @@
 // index.js (Entry Point deiner Library)
 // --- 1. Auth Context (Essentiell für den Wrapper) ---
 export { AuthContext, AuthProvider } from './auth/AuthContext';
-export { default as apiClient, ensureCsrfToken } from "./auth/apiClient";
+export { default as apiClient, ensureCsrfToken, addPublicPath, removePublicPath, } from "./auth/apiClient";
 // --- 2. API & Services (Neue Struktur) ---
 // Statt dem 'authApi'-Objekt exportieren wir die Funktionen direkt.
 // Konsumenten können dann machen: import { loginWithPassword } from 'django-core-micha';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@micha.bigler/ui-core-micha",
-  "version": "2.2.12",
+  "version": "2.2.14",
   "main": "dist/index.js",
   "module": "dist/index.js",
   "repository": {

package/src/auth/apiClient.jsx

@@ -13,29 +13,60 @@ function isBrowser() {
   return typeof window !== "undefined";
 }
 
-// WICHTIG: Liste aller Routen, die OHNE Login funktionieren müssen.
-// Beginnt der Pfad mit einem dieser Strings, wird kein Auto-Redirect ausgelöst.
-const PUBLIC_PATHS = [
+// Routen, die OHNE Login funktionieren müssen. Library-eigene Pfade sind eingefroren
+// und können nicht entfernt werden — sonst würde z. B. `removePublicPath("/login")`
+// auf der Login-Page selbst einen Redirect-Loop auslösen.
+const BUILTIN_PUBLIC_PATHS = Object.freeze([
   "/login",
   "/signup",
-  "/reset-request-password", // Request Page
-  "/invite",                 // Invite Link (/invite/:uid/:token)
-  "/reset",                  // Reset Link (/reset/:uid/:token)
-  "/welcome"                 // Optional: Falls Welcome auch öffentlich ist
-];
+  "/reset-request-password",
+  "/invite",                 // /invite/:uid/:token
+  "/reset",                  // /reset/:uid/:token
+  "/welcome",
+]);
+
+const CONSUMER_PUBLIC_PATHS = new Set();
+
+/**
+ * Register an additional public path so a 401 on that route does not auto-redirect
+ * to `/login`. Typical use: a public landing on `/` in an otherwise authenticated app.
+ *
+ * MUST be called before the AuthProvider mounts (i.e. before `ReactDOM.render`).
+ * Calling it later won't help the bootstrap probe which fires on AuthProvider mount.
+ */
+export function addPublicPath(path) {
+  if (typeof path === "string" && path) {
+    CONSUMER_PUBLIC_PATHS.add(path);
+  }
+}
+
+/** Remove a consumer-added public path. Library-internal paths are protected. */
+export function removePublicPath(path) {
+  CONSUMER_PUBLIC_PATHS.delete(path);
+}
 
 function isPublicSitePath(pathname) {
   return pathname === "/sites" || pathname.startsWith("/sites/");
 }
 
+// Match rule: an entry of exactly "/" requires strict equality (avoids matching
+// every path with startsWith). Other entries keep the looser prefix match so
+// dynamic routes like /invite/:uid/:token still work.
+function matchesPublicPath(pathname, entry) {
+  if (entry === "/") return pathname === "/";
+  return pathname.startsWith(entry);
+}
+
 function redirectToLoginOnce() {
   if (!isBrowser()) return;
 
   const currentPath = window.location.pathname;
 
-  // 1. Check: Sind wir auf einer öffentlichen Seite?
-  const isPublicPage = isPublicSitePath(currentPath) || PUBLIC_PATHS.some(path => currentPath.startsWith(path));
-  
+  const isPublicPage =
+    isPublicSitePath(currentPath) ||
+    BUILTIN_PUBLIC_PATHS.some((path) => matchesPublicPath(currentPath, path)) ||
+    Array.from(CONSUMER_PUBLIC_PATHS).some((path) => matchesPublicPath(currentPath, path));
+
   // Wenn ja: NICHT weiterleiten. Der 401 Fehler wird an die Komponente durchgereicht.
   if (isPublicPage) return;
 
@@ -108,7 +139,13 @@ apiClient.interceptors.response.use(
     const isNotAuthenticated =
       code === "not_authenticated" || i18nKey === "auth.not_authenticated";
 
-    if (isAuthStatus && isNotAuthenticated) {
+    // Per-request opt-out: bootstrap probes (e.g. fetchCurrentUser on app start)
+    // expect to handle 401 silently and must not trigger a redirect-on-mount.
+    // Carried as an axios config property, so it never travels to the backend
+    // (would otherwise trigger a CORS preflight on cross-origin requests).
+    const skipRedirect = error?.config?.skipAuthRedirect === true;
+
+    if (isAuthStatus && isNotAuthenticated && !skipRedirect) {
       redirectToLoginOnce();
     }
     return Promise.reject(error);

package/src/auth/authApi.jsx

@@ -14,7 +14,12 @@ function getCsrfToken() {
 // -----------------------------
 
 export async function fetchCurrentUser() {
-  const res = await apiClient.get(`${USERS_BASE}/current/`);
+  // Bootstrap-Probe: 401 darf nicht in einen Login-Redirect umschlagen,
+  // damit Public-Landings auf "/" sichtbar bleiben. `skipAuthRedirect` ist eine
+  // client-seitige axios-Config-Property und wird nicht ans Backend gesendet.
+  const res = await apiClient.get(`${USERS_BASE}/current/`, {
+    skipAuthRedirect: true,
+  });
   return res.data;
 }
 

package/src/index.js

@@ -3,7 +3,12 @@
 // --- 1. Auth Context (Essentiell für den Wrapper) ---
 export { AuthContext, AuthProvider } from './auth/AuthContext';
 
-export { default as apiClient, ensureCsrfToken } from "./auth/apiClient";
+export {
+  default as apiClient,
+  ensureCsrfToken,
+  addPublicPath,
+  removePublicPath,
+} from "./auth/apiClient";
 
 // --- 2. API & Services (Neue Struktur) ---
 // Statt dem 'authApi'-Objekt exportieren wir die Funktionen direkt.