Merge pull request #4645 from systeminit/victor/eng-2677-tos-updates

fix: don't redirect to default workspace when tos needs updated

app/auth-portal/src/App.vue

@@ -49,7 +49,7 @@
  <header class="flex p-md items-center">
  <RouterLink
  id="header-logo"
- :to="{ name: 'home' }"
+ :to="{ name: 'workspaces' }"
  class="mr-md shrink-0 relative"
  >
  <div id="header-logo-inner">
@@ -312,6 +312,10 @@ const hasCheckedOnboardingStatus = ref(false);
 // could make sense to live in the router, but easier to interact with the auth loading state here
 const router = useRouter();
 const route = useRoute();
+
+// onMounted for a component may run before this watch does,
+// So a component may override these redirects if itself redirects navigation
+// This can happen on DefaultWorkspacePage, for example
 watch([checkAuthReq, route], () => {
  // if we're still checking auth, do nothing
  if (!checkAuthReq.value.isRequested || checkAuthReq.value.isPending) return;
@@ -346,33 +350,28 @@ watch([checkAuthReq, route], () => {
  // Check that the user is not quarantined or suspended
  if (user.value.quarantinedAt) {
  if (!["quarantine-notice"].includes(currentRouteName)) {
- saveLoginSuccessRedirect();
  return router.push({ name: "quarantine-notice" });
  }
  return;
  }
  if (user.value.suspendedAt) {
  if (!["suspension-notice"].includes(currentRouteName)) {
- saveLoginSuccessRedirect();
  return router.push({ name: "suspension-notice" });
  }
  return;
  }
 
  // If the user is not quarantined or suspended, do not allow them to go to the quarantine notice
  if (currentRouteName === "quarantine-notice") {
- saveLoginSuccessRedirect();
  return router.push({ name: "workspaces" });
  }
  if (currentRouteName === "suspension-notice") {
- saveLoginSuccessRedirect();
  return router.push({ name: "workspaces" });
  }
 
  // check user has agreed to TOS
  if (user.value.needsTosUpdate) {
  if (currentRouteName !== "review-legal") {
- saveLoginSuccessRedirect();
  // eslint-disable-next-line @typescript-eslint/no-floating-promises
  router.push({ name: "review-legal" });
  }

app/auth-portal/src/pages/DefaultWorkspacePage.vue

@@ -1,6 +1,6 @@
 <template><div>Redirect to default workspace</div></template>
 
-<script setup lang="ts">
+<script lang="ts" setup>
 import { computed, onMounted } from "vue";
 import { useRouter } from "vue-router";
 import { useWorkspacesStore } from "@/store/workspaces.store";
@@ -16,9 +16,17 @@ onMounted(async () => {
  if (import.meta.env.SSR) return;
  if (
  !authStore.userIsLoggedIn ||
- !authStore.user?.onboardingDetails?.reviewedProfile
+ !authStore.user ||
+ !authStore.user.onboardingDetails?.reviewedProfile
  )
  return;
+
+ if (authStore.user.needsTosUpdate) {
+ return router.push({
+ name: "review-legal",
+ });
+ }
+
  // eslint-disable-next-line @typescript-eslint/no-floating-promises
  await workspacesStore.LOAD_WORKSPACES();
  if (defaultWorkspace.value) {

app/auth-portal/src/pages/LoginPage.vue

@@ -17,7 +17,7 @@
  </RichText>
 </template>
 
-<script setup lang="ts">
+<script lang="ts" setup>
 import { onBeforeMount, onMounted } from "vue";
 import { useRoute, useRouter } from "vue-router";
 import { RichText } from "@si/vue-lib/design-system";

bin/auth-api/src/routes/workspace.routes.ts

@@ -26,6 +26,7 @@ import { validate } from "../lib/validation-helpers";
 import { CustomRouteContext } from "../custom-state";
 import { createSdfAuthToken } from "../services/auth.service";
 import { tracker } from "../lib/tracker";
+import { findLatestTosForUser } from "../services/tos.service";
 import { extractAuthUser, router } from ".";
 
 router.get("/workspaces", async (ctx) => {
@@ -355,6 +356,15 @@ router.get("/workspaces/:workspaceId/go", async (ctx) => {
  }
  }
 
+ const latestTos = await findLatestTosForUser(authUser);
+ if (latestTos > authUser.agreedTosVersion) {
+ throw new ApiError(
+ "Unauthorized",
+ "MissingTosAcceptance",
+ "Terms of Service have been updated, return to the SI auth portal to accept them.",
+ );
+ }
+
  // generate a new single use authentication code that we will send to the instance
  const connectCode = nanoid(24);
  await setCache(