Don't create client-side rollbars for Unauthorized responses when auth has expired
i.e. https://rollbar.com/darkops/darklang/items/3191 we shouldn't see this as a rollbar, I believe.
A few options:
- teach the client to not make calls when auth has expired
- teach the client to check for the auth expiration after making API calls, and not rollbar in those cases
- teach the server to have a specific response for expired (I don't like this), and treat that special in the client
- ignore, as these rollbars are pretty rare
FWIW I could be wrong about the expiration passing for that specific rollbar; making an assumption.
I think if the client makes a request and gets a 401, we should:
- pop up a note on the client, prompting the user to log back in
- don't raise an exception in client or server
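One way the client could implement the behaviour proposed above, as an added example that is not darklang's own code: a fetch wrapper that treats a 401 as "session expired", shows a note with a link to the login page, and only sends genuine failures to the error reporter. `LOGIN_URL`, `reportError` and `promptLogin` are assumed names.

```javascript
// Added example, not darklang's client code. The 401 branch neither throws nor
// reports; other non-2xx responses still reach the error reporter (Rollbar in
// the original discussion). LOGIN_URL, reportError and promptLogin are assumed.

const LOGIN_URL = "/login"; // assumption: where the "universal login" lives

// Pure decision step, kept free of I/O so it can be tested on its own.
function classifyResponse(status) {
  if (status === 401) return "session-expired";
  if (status >= 200 && status < 300) return "ok";
  return "error";
}

// fetchImpl is any fetch-like function; hooks = { reportError, promptLogin }.
async function apiCall(fetchImpl, url, options, hooks) {
  const resp = await fetchImpl(url, options);
  const kind = classifyResponse(resp.status);
  if (kind === "session-expired") {
    // Expired auth: prompt the user to log back in, no exception, no report.
    hooks.promptLogin(`Your session has expired. Log in again at ${LOGIN_URL}`);
    return { ok: false, expired: true, data: null };
  }
  if (kind === "error") {
    // A real failure: this is the case that deserves an error report.
    hooks.reportError(new Error(`API call to ${url} failed with ${resp.status}`));
    return { ok: false, expired: false, data: null };
  }
  return { ok: true, expired: false, data: await resp.json() };
}

// Constructed stand-in for fetch so the example runs offline.
function fakeFetch(status, body) {
  return async () => ({ status, json: async () => body });
}

// Runs the three interesting cases and returns what happened.
async function demo() {
  const events = { reported: [], prompts: [] };
  const hooks = {
    reportError: (e) => events.reported.push(e.message),
    promptLogin: (msg) => events.prompts.push(msg),
  };
  const expired = await apiCall(fakeFetch(401, null), "/api/foo", {}, hooks);
  const failed = await apiCall(fakeFetch(500, null), "/api/foo", {}, hooks);
  const good = await apiCall(fakeFetch(200, { x: 1 }), "/api/foo", {}, hooks);
  return { expired, failed, good, events };
}
```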
I wonder what the 'note' here would look like - a tiny modal with some text and a link?
Probably a modal with a login form? I'm not sure how that would work since we don't run the login form, but maybe we can make the auth0 login form appear somehow in an overlay? Otherwise I think a link is best, yeah.
- we could use Auth0's "embedded login"
- or we could build our own login form
- or link to our current "universal login"
The first two options come with some security risks, which Auth0 warns about all over those pages, but result in a smoother UX. The first two options also demand a bit more Auth0 setup (I've done this before - it's not bad but worth consideration).
I'm thinking that adding a link to the "universal login" page is sufficient for now, and we can iterate later with an embedded or custom form. Maybe the "embedded login" is a nice middle-ground, though.
I guess a link is a good start. I'd like to move this in-house but we're not there yet. When we do the homepage rewrite I plan to add login there.
Closing as it doesn't apply to darklang-next