Return 403 when unlogged instead of redirect.

js/src/common/API.js

@@ -5,7 +5,9 @@
  * See /LICENSE for more information.
  */
 
-const API_URL_PREFIX = process.env.LIGHTTPD ? '/reforis/api' : '/api';
+import {REFORIS_URL_PREFIX} from './constants';
+
+const API_URL_PREFIX = `${REFORIS_URL_PREFIX}/api`;
 
 const API_URLs = new Proxy({
         notifications: '/notifications',

js/src/common/APIhooks.js

@@ -7,6 +7,7 @@
 
 import {useCallback, useReducer} from 'react';
 import axios from 'axios';
+import {ForisURLs} from './constants';
 
 const POST_HEADERS = {
     'Accept': 'application/json',
@@ -58,7 +59,7 @@ export function useAPIGet(url) {
             });
             dispatch({type: API_ACTIONS.SUCCESS, payload: result.data});
         } catch (error) {
-            dispatch({type: API_ACTIONS.FAILURE, payload: error.response.data});
+            dispatch({type: API_ACTIONS.FAILURE, payload: error.response.data, status: error.response.status});
         }
     }, [url]);
 
@@ -81,6 +82,8 @@ const APIGetReducer = (state, action) => {
                 data: action.payload,
             };
         case API_ACTIONS.FAILURE:
+            if (action.status === 403)
+                window.location.assign(ForisURLs.login);
             return {
                 ...state,
                 isLoading: false,
@@ -109,7 +112,7 @@ export function useAPIPost(url) {
             });
             dispatch({type: API_ACTIONS.SUCCESS, payload: result.data});
         } catch (error) {
-            dispatch({type: API_ACTIONS.FAILURE, payload: error.response.data});
+            dispatch({type: API_ACTIONS.FAILURE, payload: error.response.data, status: error.response.status});
         }
     };
     return [state, post];
@@ -133,6 +136,8 @@ const APIPostReducer = (state, action) => {
                 data: action.payload
             };
         case API_ACTIONS.FAILURE:
+            if (action.status === 403)
+                window.location.assign(ForisURLs.login);
             return {
                 ...state,
                 isSending: false,

reforis/auth.py

@@ -12,7 +12,7 @@ Set of authentication helpers.
 
 import base64
 
-from flask import session, redirect, current_app, request, url_for
+from flask import session, current_app, request, render_template
 
 
 def login_to_foris(password):
@@ -61,6 +61,7 @@ def register_login_required(app):
 
     :param app: Flask application
     """
+
     # pylint: disable=unused-variable,inconsistent-return-statements
     @app.before_request
     def require_login():
@@ -88,4 +89,4 @@ def register_login_required(app):
         if not view:
             return
 
-        return redirect(url_for('Foris.login'))
+        return render_template('errors/403.html'), 403

reforis/templates/errors/403.html

+{% extends 'base.html' %}
+
+{% block title %}
+    {% trans %}403 - Forbidden{% endtrans %}
+{% endblock %}
+
+{% block content %}
+    <h1>403</h1>
+    <h3>{% trans %}Forbidden You don't have permission to access{% endtrans %}</h3>
+    <a>{% trans %}Do you want to <a href="{url_for('Foris.login')}">log in</a>?{% endtrans %}</a>
+{% endblock %}

tests/test_auth.py

@@ -35,11 +35,10 @@ def test_login_is_open(client):
     assert response.status_code == 200
 
 
-def test_login_redirect(client):
+def test_login_403(client):
     client.get('/logout')  # Make sure user is logged out.
     response = client.get('/')
-    assert response.status_code == 302
-    assert '/login' in response.headers['Location']
+    assert response.status_code == 403
 
 
 def test_redirect_when_logged(client):