search

hlxsites / zemax

AEM Franklin Solution for https://www.zemax.com/
https://main--zemax--hlxsites.hlx.page/
Apache License 2.0
3 stars 1 forks source link

Issue 121 profile #159

Closed agangam closed 1 year ago

agangam commented 1 year ago

Please always provide the GitHub issue(s) your PR is for, as well as test URLs where your change can be observed (before and after):

Fix #121

Test URLs:

Page without login : image

Click on login : image

Main page : image

aem-code-sync[bot] commented 1 year ago

Hello, I'm Franklin Bot and I will run some test suites that validate the page speed. In case there are problems, just click the checkbox below to rerun the respective action.

aem-code-sync[bot] commented 1 year ago
Page Score PSI Audit Google
/pages/profile SI FCP LCP TBT CLS PSI
aem-code-sync[bot] commented 1 year ago
Page Score PSI Audit Google
/pages/profile SI FCP LCP TBT CLS PSI
synox commented 1 year ago

@agangam looking at #121, I understand that when accessing https://issue-121-profile--zemax--hlxsites.hlx.page/pages/profile with an incognito window it should redirect to auth0? I don't see this happening.

agangam commented 1 year ago

@agangam looking at #121, I understand that when accessing https://issue-121-profile--zemax--hlxsites.hlx.page/pages/profile with an incognito window it should redirect to auth0? I don't see this happening.

You have to click the login button to get to authenticated. This is similar to how the main page works

synox commented 1 year ago

@agangam I am not sure what you fixed. The issue says Profile page - Restrict direct access to profile page is this what you are doing?

kunwarsaluja commented 1 year ago

@agangam i think what @synox is saying is if we directly go to the link https://zemax.com/pages/profile (in private window), you get redirected to auth0 to login now if the person is not authenticated and post login redirected to /pages/profile page

I think this what this issue is about

shehjadkhan-ansys commented 1 year ago

Sorry I should have added that as an acceptance criteria. Direct access to a protect page should be redirected to Auth0 login page.

@agangam @synox @kunwarsaluja @kmurugulla My suggestion for this implementation is we add page level metadata field called 'Gated' true or false on basis of that if the user is not logged in we redirect them to Auth0 login page. There are other pages like software download page which are not under directly profile page but are protected by login. For example open this page in incognito window https://www.zemax.com/pages/ansys-ob-downloads you will see that the user if not logged get redirected to the Auth0 login. Also might be a good idea to supplement this metadata field with some regex configuration so for example any page starting with /pages/profiles/* should be protected and thus we don't have to depend on authoring configuration for behavior to be imposed.

How do we determine the user is logged in or not for that I think we should look into Auth0 documentation for recommended approach. One simpler way would be to look at the localstorage value for accessToken, but that can be easily spoofed and thus other way would be call /token call and validate if the token is valid or not? Are there more efficient or secure way of doing this not sure but thats why I suggest to look into the documentation. Also some edge cases like when user's accessToken expiry do we internally refresh the token or to keep things simpler redirect the user to login screen (might not be the great user experience)

Happy to discuss this on a call but wanted to put initial thoughts here

aem-code-sync[bot] commented 1 year ago
Page Scores Audits Google
/pages/profile Lighthouse returned error: ERRORED_DOCUMENT_REQUEST. Lighthouse was unable to reliably load the page you requested. Make sure you are testing the correct URL and that the server is properly responding to all requests. (Status code: 403) PSI
aem-code-sync[bot] commented 1 year ago
Page Scores Audits Google
/pages/profile Lighthouse returned error: ERRORED_DOCUMENT_REQUEST. Lighthouse was unable to reliably load the page you requested. Make sure you are testing the correct URL and that the server is properly responding to all requests. (Status code: 403) PSI
aem-code-sync[bot] commented 1 year ago
Page Scores Audits Google
/pages/profile Lighthouse returned error: ERRORED_DOCUMENT_REQUEST. Lighthouse was unable to reliably load the page you requested. Make sure you are testing the correct URL and that the server is properly responding to all requests. (Status code: 403) PSI
aem-code-sync[bot] commented 1 year ago
Page Scores Audits Google
/ PERFORMANCE A11Y SEO BEST PRACTICES SI FCP FMP LCP TTI TBT CLS PSI
agangam commented 1 year ago

Sorry I should have added that as an acceptance criteria. Direct access to a protect page should be redirected to Auth0 login page.

@agangam @synox @kunwarsaluja @kmurugulla My suggestion for this implementation is we add page level metadata field called 'Gated' true or false on basis of that if the user is not logged in we redirect them to Auth0 login page. There are other pages like software download page which are not under directly profile page but are protected by login. For example open this page in incognito window https://www.zemax.com/pages/ansys-ob-downloads you will see that the user if not logged get redirected to the Auth0 login. Also might be a good idea to supplement this metadata field with some regex configuration so for example any page starting with /pages/profiles/* should be protected and thus we don't have to depend on authoring configuration for behavior to be imposed.

How do we determine the user is logged in or not for that I think we should look into Auth0 documentation for recommended approach. One simpler way would be to look at the localstorage value for accessToken, but that can be easily spoofed and thus other way would be call /token call and validate if the token is valid or not? Are there more efficient or secure way of doing this not sure but thats why I suggest to look into the documentation. Also some edge cases like when user's accessToken expiry do we internally refresh the token or to keep things simpler redirect the user to login screen (might not be the great user experience)

Happy to discuss this on a call but wanted to put initial thoughts here

Adding redirect to auth0 is a good idea. For now I added the checks for /pages/profiles/*. If user's token expires we should automatically refresh the token to give the user a good experience.