hlxsites / zemax

AEM Franklin Solution for https://www.zemax.com/
https://main--zemax--hlxsites.hlx.page/
Apache License 2.0

Profile page - Restrict direct access to profile page #121

Closed shehjadkhan-ansys closed 1 year ago

shehjadkhan-ansys commented 1 year ago

When the user tries to access https://{domain}/pages/profile and is not logged in, they should be redirected to the Auth0 page; the user experience is the same as when the user clicks on the login button in the header.

--

My suggestion for this implementation is that we add a page-level metadata field called 'Gated' (true or false); on the basis of that, if the user is not logged in we redirect them to the Auth0 login page. There are other pages, like the software download page, which are not directly under the profile page but are protected by login. For example, open this page in an incognito window: https://www.zemax.com/pages/ansys-ob-downloads. You will see that the user, if not logged in, gets redirected to the Auth0 login. It might also be a good idea to supplement this metadata field with some regex configuration so that, for example, any page starting with /pages/profiles/* should be protected and thus we don't have to depend on authoring configuration for the behavior to be imposed.

How do we determine whether the user is logged in or not? For that I think we should look into the Auth0 documentation for the recommended approach. One simpler way would be to look at the localStorage value for accessToken, but that can be easily spoofed, and thus the other way would be to call /token and validate whether the token is valid or not. Are there more efficient or secure ways of doing this? Not sure, but that's why I suggest looking into the documentation. There are also some edge cases, like when the user's accessToken expires: do we internally refresh the token, or to keep things simpler redirect the user to the login screen (might not be a great user experience)?

Happy to discuss this on a call but wanted to put initial thoughts here.
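
As an added illustration of the gating logic sketched in this comment (not code from the hlxsites/zemax project or from the commenter), the following JavaScript combines the proposed 'Gated' metadata flag with path patterns and treats the localStorage accessToken as a hint only: its expiry is read from the unverified JWT payload, and the final answer comes from an injected server-side validation callback. The metadata field name, the path patterns, the /userinfo reference and the sample token builder are assumptions.

```javascript
// Paths gated regardless of authoring metadata (patterns are assumptions).
const GATED_PATH_PATTERNS = [/^\/pages\/profile(\/|$)/, /^\/pages\/ansys-ob-downloads(\/|$)/];

// 'Gated' page metadata as proposed in the issue; field name and values are assumed.
function isGatedPage(pathname, metadata = {}) {
  const byMeta = String(metadata.gated ?? '').trim().toLowerCase() === 'true';
  return byMeta || GATED_PATH_PATTERNS.some((re) => re.test(pathname));
}

// Decode a JWT payload WITHOUT verifying its signature. Anything can be written
// into localStorage, so this only answers "does the token claim to be unexpired?".
function decodeJwtPayload(token) {
  const parts = typeof token === 'string' ? token.split('.') : [];
  if (parts.length !== 3) return null;
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/'); // base64url -> base64
  try { return JSON.parse(Buffer.from(b64, 'base64').toString('utf8')); } catch { return null; }
}

function tokenLooksUsable(token, nowMs = Date.now()) {
  const payload = decodeJwtPayload(token);
  if (!payload || typeof payload.exp !== 'number') return false;
  return payload.exp * 1000 > nowMs; // exp is in seconds since the epoch
}

// Page-load decision. `validateToken` stands in for the authoritative server-side
// check (in the browser an async call to Auth0, e.g. its /userinfo endpoint, which
// rejects forged or revoked tokens); injecting it keeps the example offline.
function resolveAccess({ pathname, metadata, token, validateToken, nowMs }) {
  if (!isGatedPage(pathname, metadata)) return { action: 'render' };
  if (!tokenLooksUsable(token, nowMs)) {
    return { action: 'redirectToLogin', reason: 'missing-or-expired' }; // same flow as header login
  }
  return validateToken(token)
    ? { action: 'render' }
    : { action: 'redirectToLogin', reason: 'rejected-by-auth0' };
}

// Constructed, UNSIGNED sample token for local testing only; real Auth0 tokens are signed.
function makeSampleToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64');
  return `${enc({ alg: 'none' })}.${enc(payload)}.not-a-real-signature`;
}
```

Because the expiry check reads an unverified payload, a token that passes `tokenLooksUsable` must still be rejected by `validateToken` before the gated content is rendered.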

agangam commented 1 year ago

https://github.com/hlxsites/zemax/pull/159