Open petertgiles opened 1 month ago
@petertgiles Just a note that we can change the "refresh this page" language if we're redirecting to a static page (because I'm assuming that would just refresh the error page, not actually attempt to reconnect to the previous, restricted page).
> can change the "refresh this page" language if we're redirecting to a static page
Unfortunately, there's some nuance here because we're a SPA. If your browser requests a page at /admin/whatever our app won't even boot and you'll get redirected to the very bare-bones error page directly from the firewall.
If the app is booted and you navigate (in-app, not a full browser navigate) to an admin page and the app makes an unauthorized API request then you're in the scenario I showed above. We can show a rich error experience that's localized, themed, and all the rest. Really, this is against the spirit of our security restrictions. I think IMTD would like our app to not boot at all if an admin page is requested.
I can think of two ways to make this better:
1) There's interest on the team of exploring SSG pages. This would let us generate nice-looking static error pages even when the app doesn't boot. Unfortunately we've got a lot of groundwork to lay before this can be done and it's not really being prioritized by the product owners.
2) Maybe we can convince IMTD that with the protected endpoint the firewall only needs to block /admin/graphql and let the app boot normally for all other paths. This seems sensible to me but I imagine they would be quite uncomfortable loosening any existing security measures.
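To make the two scenarios above concrete, here is a small model of the firewall decision under the current rule (block every `/admin` path for off-VPN clients) and the proposed rule (block only `/admin/graphql`), plus what the user ends up seeing in each case. This is an added example written for this thread, not the project's code or firewall configuration; the VPN range `10.8.0.0/16`, the client addresses, and the function names are constructed placeholders.

```javascript
// Added example (not the project's code): models the two firewall policies
// discussed in this thread. Assumptions: VPN clients arrive from a private range
// (constructed placeholder 10.8.0.0/16), the SPA boots from any path the firewall
// lets through, and the protected API lives at /admin/graphql.

const VPN_CIDR = { network: '10.8.0.0', prefix: 16 }; // constructed placeholder

// Dotted-quad IPv4 string to an unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split('.').reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}

// True when `ip` falls inside the CIDR block.
function inCidr(ip, cidr) {
  const mask = cidr.prefix === 0 ? 0 : (0xffffffff << (32 - cidr.prefix)) >>> 0;
  return (ipToInt(ip) & mask) === (ipToInt(cidr.network) & mask);
}

// Path prefix check on a segment boundary, so /administrator is not caught by /admin.
function underPath(path, prefix) {
  return path === prefix || path.startsWith(prefix + '/');
}

// 'all-admin': today's rule, the firewall blocks every /admin path for off-VPN clients.
// 'api-only' : the proposed rule, the firewall blocks only /admin/graphql.
function firewallBlocks(policy, path, clientIp) {
  if (inCidr(clientIp, VPN_CIDR)) return false; // on-VPN traffic is never blocked
  if (policy === 'all-admin') return underPath(path, '/admin');
  if (policy === 'api-only') return underPath(path, '/admin/graphql');
  throw new Error(`unknown policy ${policy}`);
}

// What the user sees on a full browser navigation to `path`: either the bare
// firewall error page (the app never boots) or the SPA booting normally.
function browserNavigate(policy, path, clientIp) {
  return firewallBlocks(policy, path, clientIp) ? 'bare-firewall-error' : 'app-boots';
}

// What the user sees when the already-booted SPA calls the admin API in-app:
// a blocked request becomes the localized, themed in-app error experience.
function inAppAdminRequest(policy, clientIp) {
  return firewallBlocks(policy, '/admin/graphql', clientIp) ? 'rich-in-app-error' : 'admin-data';
}

// Walk-through with constructed addresses: 203.0.113.7 is off-VPN, 10.8.3.4 is on-VPN.
console.log(browserNavigate('all-admin', '/admin/whatever', '203.0.113.7')); // bare-firewall-error
console.log(browserNavigate('api-only', '/admin/whatever', '203.0.113.7'));  // app-boots
console.log(inAppAdminRequest('api-only', '203.0.113.7'));                    // rich-in-app-error
```

Under `api-only` the off-VPN user still cannot reach admin data (the API path is blocked either way), but a direct browser request to `/admin/whatever` lets the app boot and render its own error page instead of the firewall's. The segment-boundary check in `underPath` is the one detail worth carrying into a real rule: a plain string prefix match would also block unrelated paths such as `/administrator`.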
✨ Feature
The new protected endpoint is now active for off-VPN admin usage. It's secure, but pretty ugly. Some pages dump out the HTML of the error page and some just load up an empty table.
📸 Screenshot
🙋♀️ Proposed Implementation
@substrae design file: https://www.figma.com/design/IMotJGU7wGMpKWGWC9nVDv/Restriction-error-page-(All-users)?node-id=1-2&t=O9CscJb7vkheWukq-0
✅ Acceptance Criteria
🛑 Blockers