docs: specify required web login
parent
c1151607ac
commit
dacca46fbe
1 changed files with 55 additions and 0 deletions
|
|
@ -0,0 +1,55 @@
|
|||
# Require Web Login Design
|
||||
|
||||
## Goal
|
||||
|
||||
When a user opens the self-hosted Hoppscotch web frontend without an active
|
||||
session, the app must not be usable. The user should see only a login page
|
||||
until authentication succeeds.
|
||||
|
||||
## Scope
|
||||
|
||||
- Applies only to the web shell in `packages/hoppscotch-selfhost-web`.
|
||||
- Does not change the desktop shell behavior.
|
||||
- Does not change backend authentication endpoints or session semantics.
|
||||
- Reuses the existing Hoppscotch auth platform and login UI.
|
||||
|
||||
## Architecture
|
||||
|
||||
The self-hosted web platform will register a root UI extension that acts as an
|
||||
auth gate. The gate will subscribe to the existing `platform.auth` user stream
|
||||
and render above the app only when the current platform is web and no confirmed
|
||||
user exists.
|
||||
|
||||
The gate has three visible states:
|
||||
|
||||
- Auth check pending: show a centered spinner while `performAuthInit()` verifies
|
||||
the cookie-backed session.
|
||||
- Anonymous: show a full-screen login-only page using the existing
|
||||
`FirebaseLogin` component.
|
||||
- Authenticated: render nothing, allowing the normal Hoppscotch app to remain
|
||||
usable.
|
||||
|
||||
## Data Flow
|
||||
|
||||
`performAuthInit()` already checks the backend session and updates
|
||||
`currentUser$`. The auth gate must not perform its own token or cookie checks.
|
||||
It only observes the existing stream, so login, logout, refresh, and local auth
|
||||
continue to use the current implementation.
|
||||
|
||||
## Route Behavior
|
||||
|
||||
The gate blocks interaction with normal app routes by covering the UI, not by
|
||||
redirecting. This avoids changing common router behavior and avoids breaking
|
||||
special routes such as `/enter` and `/device-login`, which use the `empty`
|
||||
layout and are outside the normal application shell.
|
||||
|
||||
## Testing
|
||||
|
||||
Add a focused unit test for the gate state logic:
|
||||
|
||||
- pending auth check requires the blocking screen;
|
||||
- anonymous confirmed state requires the blocking screen;
|
||||
- authenticated state does not block;
|
||||
- desktop platform does not block.
|
||||
|
||||
Run the targeted test and a typecheck or lint command for the touched package.
|
||||
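Review bot: The Route Behavior section says covering the UI avoids breaking `/enter` and `/device-login`, but the Architecture section makes the gate render whenever the platform is web and no confirmed user exists, with no route condition. As written, a root-level overlay would also cover those routes for an anonymous user. State explicitly whether the gate is skipped on `empty`-layout routes, and add a test case for that next to "desktop platform does not block". Separately, the app stays mounted beneath the overlay and Scope leaves the backend endpoints unchanged, so the doc should say that the gate is a UI restriction only and that unauthenticated access to data continues to be refused by the existing backend session checks. It would also help to note that the covered app must not be reachable by keyboard focus while the gate is shown.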