fix(auth-routing): require explicit preview opt-in, add unauthorized route handling, and normalize error-page redirects

Diogo Ferraz · Diogo Ferraz · commit 4fcfabcc07ec · 2026-02-19T03:35:53.000+01:00
diff --git a/src/app/app.component.ts b/src/app/app.component.ts
@@ -100,7 +100,8 @@ export class AppComponent {
     return currentUrl === '/' ||
       currentUrl.startsWith('/login') ||
       currentUrl.startsWith('/callback') ||
-      currentUrl.startsWith('/not-found');
+      currentUrl.startsWith('/not-found') ||
+      currentUrl.startsWith('/unauthorized');
   }
 
   ngOnDestroy() {
diff --git a/src/app/app.routes.ts b/src/app/app.routes.ts
@@ -12,6 +12,7 @@ import { authGuard } from './core/auth/guards/auth.guard';
 import { AuthCallbackComponent } from './features/login/components/auth-callback/auth-callback.component';
 import { LandingPageComponent } from './features/landing/components/landing-page/landing-page.component';
 import { NotFoundComponent } from './features/errors/components/not-found/not-found.component';
+import { UnauthorizedComponent } from './features/errors/components/unauthorized/unauthorized.component';
 import { SearchFiltersComponent } from './features/search/components/search-filters/search-filters.component';
 import { ProjectDocsComponent } from './features/docs/components/project-docs/project-docs.component';
 import { TaskCalendarComponent } from './features/calendar/components/task-calendar/task-calendar.component';
@@ -45,6 +46,8 @@ export const routes: Routes = [
   { path: 'tasks/my-tasks', component: UserTaskItemsComponent, canActivate: [authGuard] },
   { path: 'login', component: HomeLoginComponent },
   { path: 'callback', component: AuthCallbackComponent },
+  { path: 'notfound', redirectTo: 'not-found' },
   { path: 'not-found', component: NotFoundComponent },
-  { path: '**', component: NotFoundComponent }
+  { path: 'unauthorized', component: UnauthorizedComponent },
+  { path: '**', redirectTo: 'not-found' }
 ];
diff --git a/src/app/core/auth/guards/admin-role.guard.spec.ts b/src/app/core/auth/guards/admin-role.guard.spec.ts
@@ -25,7 +25,7 @@ describe('adminRoleGuard', () => {
     expect(routerMock.createUrlTree).not.toHaveBeenCalled();
   });
 
-  it('redirects non-admin users to dashboard', () => {
+  it('redirects non-admin users to unauthorized', () => {
     const redirectTree = {} as never;
     const authServiceMock = {
       hasRole: () => false
@@ -44,6 +44,6 @@ describe('adminRoleGuard', () => {
 
     const canActivate = TestBed.runInInjectionContext(() => adminRoleGuard({} as never, {} as never));
     expect(canActivate).toBe(redirectTree);
-    expect(routerMock.createUrlTree).toHaveBeenCalledWith(['/dashboard']);
+    expect(routerMock.createUrlTree).toHaveBeenCalledWith(['/unauthorized']);
   });
 });
diff --git a/src/app/core/auth/guards/admin-role.guard.ts b/src/app/core/auth/guards/admin-role.guard.ts
@@ -10,5 +10,5 @@ export const adminRoleGuard: CanActivateFn = () => {
     return true;
   }
 
-  return router.createUrlTree(['/dashboard']);
+  return router.createUrlTree(['/unauthorized']);
 };
diff --git a/src/app/core/auth/guards/auth.guard.spec.ts b/src/app/core/auth/guards/auth.guard.spec.ts
@@ -1,4 +1,5 @@
 import { TestBed } from '@angular/core/testing';
+import { Router } from '@angular/router';
 import { AuthService } from '../services/auth.service';
 import { authGuard } from './auth.guard';
 
@@ -7,50 +8,69 @@ describe('authGuard', () => {
     const authServiceMock = {
       isAuthenticated: () => true,
       authSession: () => null,
-      canStartDebugSession: () => false,
-      startLoginRedirect: jasmine.createSpy('startLoginRedirect').and.resolveTo()
+      canStartDebugSession: () => false
+    };
+
+    const routerMock = {
+      createUrlTree: jasmine.createSpy('createUrlTree')
     };
 
     TestBed.configureTestingModule({
-      providers: [{ provide: AuthService, useValue: authServiceMock }]
+      providers: [
+        { provide: AuthService, useValue: authServiceMock },
+        { provide: Router, useValue: routerMock }
+      ]
     });
 
     const canActivate = TestBed.runInInjectionContext(() => authGuard({} as never, {} as never));
     expect(canActivate).toBeTrue();
-    expect(authServiceMock.startLoginRedirect).not.toHaveBeenCalled();
+    expect(routerMock.createUrlTree).not.toHaveBeenCalled();
   });
 
-  it('starts login redirect when user is not authenticated', () => {
+  it('redirects to unauthorized when user is not authenticated', () => {
+    const redirectTree = {} as never;
     const authServiceMock = {
       isAuthenticated: () => false,
       authSession: () => null,
-      canStartDebugSession: () => false,
-      startLoginRedirect: jasmine.createSpy('startLoginRedirect').and.resolveTo()
+      canStartDebugSession: () => false
+    };
+
+    const routerMock = {
+      createUrlTree: jasmine.createSpy('createUrlTree').and.returnValue(redirectTree)
     };
 
     TestBed.configureTestingModule({
-      providers: [{ provide: AuthService, useValue: authServiceMock }]
+      providers: [
+        { provide: AuthService, useValue: authServiceMock },
+        { provide: Router, useValue: routerMock }
+      ]
     });
 
     const canActivate = TestBed.runInInjectionContext(() => authGuard({} as never, {} as never));
-    expect(canActivate).toBeFalse();
-    expect(authServiceMock.startLoginRedirect).toHaveBeenCalled();
+    expect(canActivate).toBe(redirectTree);
+    expect(routerMock.createUrlTree).toHaveBeenCalledWith(['/unauthorized']);
   });
 
   it('allows navigation when debug session is active in preview mode', () => {
     const authServiceMock = {
       isAuthenticated: () => false,
       authSession: () => ({ isDebugSession: true }),
-      canStartDebugSession: () => true,
-      startLoginRedirect: jasmine.createSpy('startLoginRedirect').and.resolveTo()
+      canStartDebugSession: () => true
+    };
+
+    const routerMock = {
+      createUrlTree: jasmine.createSpy('createUrlTree')
     };
 
     TestBed.configureTestingModule({
-      providers: [{ provide: AuthService, useValue: authServiceMock }]
+      providers: [
+        { provide: AuthService, useValue: authServiceMock },
+        { provide: Router, useValue: routerMock }
+      ]
     });
 
     const canActivate = TestBed.runInInjectionContext(() => authGuard({} as never, {} as never));
     expect(canActivate).toBeTrue();
-    expect(authServiceMock.startLoginRedirect).not.toHaveBeenCalled();
+    expect(routerMock.createUrlTree).not.toHaveBeenCalled();
   });
 });
diff --git a/src/app/core/auth/guards/auth.guard.ts b/src/app/core/auth/guards/auth.guard.ts
@@ -1,9 +1,10 @@
-import { CanActivateFn } from '@angular/router';
+import { CanActivateFn, Router } from '@angular/router';
 import { inject } from '@angular/core';
 import { AuthService } from '../services/auth.service';
 
 export const authGuard: CanActivateFn = () => {
   const authService = inject(AuthService);
+  const router = inject(Router);
 
   const debugSession = authService.authSession();
   if (debugSession?.isDebugSession && authService.canStartDebugSession()) {
@@ -14,6 +15,5 @@ export const authGuard: CanActivateFn = () => {
     return true;
   }
 
-  void authService.startLoginRedirect();
-  return false;
+  return router.createUrlTree(['/unauthorized']);
 };
diff --git a/src/app/core/auth/guards/manager-or-admin.guard.ts b/src/app/core/auth/guards/manager-or-admin.guard.ts
@@ -10,6 +10,5 @@ export const managerOrAdminGuard: CanActivateFn = () => {
     return true;
   }
 
-  return router.createUrlTree(['/dashboard']);
+  return router.createUrlTree(['/unauthorized']);
 };
-
diff --git a/src/app/features/activity/components/activity-log/activity-log.component.ts b/src/app/features/activity/components/activity-log/activity-log.component.ts
@@ -187,11 +187,7 @@ export class ActivityLogComponent implements OnInit, OnDestroy {
   }
 
   private shouldUsePreviewMode(): boolean {
-    if (!this.appEnvironment.production) {
-      return true;
-    }
-
-    return this.authService.authSession()?.isDebugSession === true;
+    return this.authService.authSession()?.isDebugSession === true && this.authService.canStartDebugSession();
   }
 
   private loadPreviewData(detail: string): void {
@@ -305,4 +301,3 @@ export class ActivityLogComponent implements OnInit, OnDestroy {
     }
   }
 }
-
diff --git a/src/app/features/activity/components/my-activity/my-activity.component.ts b/src/app/features/activity/components/my-activity/my-activity.component.ts
@@ -217,11 +217,7 @@ export class MyActivityComponent implements OnInit, OnDestroy {
   }
 
   private shouldUsePreviewMode(): boolean {
-    if (!this.appEnvironment.production) {
-      return true;
-    }
-
-    return this.authService.authSession()?.isDebugSession === true;
+    return this.authService.authSession()?.isDebugSession === true && this.authService.canStartDebugSession();
   }
 
   private loadPreviewActivity(detail: string): void {
@@ -305,4 +301,3 @@ export class MyActivityComponent implements OnInit, OnDestroy {
     return value.replace(/<[^>]*>/g, ' ');
   }
 }
-
diff --git a/src/app/features/admin/components/admin-dashboard/admin-dashboard.component.ts b/src/app/features/admin/components/admin-dashboard/admin-dashboard.component.ts
@@ -275,11 +275,7 @@ export class AdminDashboardComponent implements OnInit {
   }
 
   private shouldUsePreviewMode(): boolean {
-    if (!this.appEnvironment.production) {
-      return true;
-    }
-
-    return this.authService.authSession()?.isDebugSession === true;
+    return this.authService.authSession()?.isDebugSession === true && this.authService.canStartDebugSession();
   }
 
   private loadPreviewUsers(detail: string): void {
diff --git a/src/app/features/errors/components/unauthorized/unauthorized.component.html b/src/app/features/errors/components/unauthorized/unauthorized.component.html
@@ -0,0 +1,11 @@
+<section class="unauthorized">
+  <div class="unauthorized__card">
+    <p class="unauthorized__code">401</p>
+    <h1>Unauthorized Access</h1>
+    <p>You need to sign in first, or explicitly start Preview Mode from the landing page.</p>
+    <div class="unauthorized__actions">
+      <a pButton label="Go to Landing" routerLink="/"></a>
+      <a pButton label="Sign In" routerLink="/" severity="secondary"></a>
+    </div>
+  </div>
+</section>
diff --git a/src/app/features/errors/components/unauthorized/unauthorized.component.scss b/src/app/features/errors/components/unauthorized/unauthorized.component.scss
@@ -0,0 +1,40 @@
+.unauthorized {
+  min-height: calc(100vh - 8rem);
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  padding: 2rem 1rem;
+}
+
+.unauthorized__card {
+  width: min(34rem, 100%);
+  border: 1px solid var(--surface-border);
+  border-radius: 14px;
+  background: var(--surface-card);
+  padding: 2rem;
+  text-align: center;
+  box-shadow: none;
+}
+
+.unauthorized__code {
+  margin: 0;
+  font-size: 2.4rem;
+  font-weight: 700;
+  color: var(--primary-color);
+}
+
+.unauthorized h1 {
+  margin: 0.35rem 0 0;
+}
+
+.unauthorized p {
+  margin: 0.85rem 0 0;
+  color: var(--text-color-secondary);
+}
+
+.unauthorized__actions {
+  margin-top: 1.2rem;
+  display: inline-flex;
+  flex-wrap: wrap;
+  gap: 0.6rem;
+}
diff --git a/src/app/features/errors/components/unauthorized/unauthorized.component.ts b/src/app/features/errors/components/unauthorized/unauthorized.component.ts
@@ -0,0 +1,13 @@
+import { Component } from '@angular/core';
+import { RouterLink } from '@angular/router';
+import { ButtonModule } from 'primeng/button';
+
+@Component({
+  selector: 'app-unauthorized',
+  standalone: true,
+  imports: [RouterLink, ButtonModule],
+  templateUrl: './unauthorized.component.html',
+  styleUrl: './unauthorized.component.scss'
+})
+export class UnauthorizedComponent {}
+
diff --git a/src/app/features/projects/components/project-create/project-create.component.ts b/src/app/features/projects/components/project-create/project-create.component.ts
@@ -145,10 +145,6 @@ export class ProjectCreateComponent implements OnInit, OnDestroy {
   }
 
   private shouldUsePreviewMode(): boolean {
-    if (!this.appEnvironment.production) {
-      return true;
-    }
-
-    return this.authService.authSession()?.isDebugSession === true;
+    return this.authService.authSession()?.isDebugSession === true && this.authService.canStartDebugSession();
   }
 }
diff --git a/src/app/features/projects/components/project-details/project-details.component.ts b/src/app/features/projects/components/project-details/project-details.component.ts
@@ -253,11 +253,7 @@ export class ProjectDetailsComponent implements OnInit, OnDestroy {
   }
 
   private shouldUsePreviewMode(): boolean {
-    if (!this.appEnvironment.production) {
-      return true;
-    }
-
-    return this.authService.authSession()?.isDebugSession === true;
+    return this.authService.authSession()?.isDebugSession === true && this.authService.canStartDebugSession();
   }
 
   private resolveInitialProjectId(projects: ProjectDto[], queryProjectId: string | null): string | null {
@@ -422,4 +418,3 @@ export class ProjectDetailsComponent implements OnInit, OnDestroy {
     ];
   }
 }
-
diff --git a/src/app/features/projects/components/project-kanban/project-kanban.component.ts b/src/app/features/projects/components/project-kanban/project-kanban.component.ts
@@ -569,7 +569,7 @@ export class ProjectKanbanComponent implements OnInit, OnDestroy {
     this.previewDetail = null;
     this.errors = [];
 
-    if (!this.appEnvironment.production || this.authService.authSession()?.isDebugSession) {
+    if (this.shouldUsePreviewMode()) {
       this.loadPreviewBoard('Development preview mode active. Backend calls are disabled for Kanban.');
       return;
     }
@@ -905,7 +905,7 @@ export class ProjectKanbanComponent implements OnInit, OnDestroy {
   }
 
   private shouldUsePreviewMode(): boolean {
-    return this.authService.authSession()?.isDebugSession === true || !this.appEnvironment.production;
+    return this.authService.authSession()?.isDebugSession === true && this.authService.canStartDebugSession();
   }
 
   private normalizeTasksOrder(tasks: TaskItemDto[]): TaskItemDto[] {
diff --git a/src/app/features/projects/components/project-list/project-list.component.ts b/src/app/features/projects/components/project-list/project-list.component.ts
@@ -92,7 +92,7 @@ export class ProjectListComponent implements OnInit, OnDestroy {
     this.isPreviewMode = false;
     this.previewDetail = null;
 
-    if (!this.appEnvironment.production || this.authService.authSession()?.isDebugSession) {
+    if (this.shouldUsePreviewMode()) {
       this.loadPreviewProjects('Preview mode active. Showing local project data.');
       return;
     }
@@ -127,11 +127,7 @@ export class ProjectListComponent implements OnInit, OnDestroy {
   }
 
   private shouldUsePreviewMode(): boolean {
-    if (!this.appEnvironment.production) {
-      return true;
-    }
-
-    return this.authService.authSession()?.isDebugSession === true;
+    return this.authService.authSession()?.isDebugSession === true && this.authService.canStartDebugSession();
   }
 
   private loadPreviewProjects(detail: string): void {
diff --git a/src/app/features/projects/components/project-members/project-members.component.ts b/src/app/features/projects/components/project-members/project-members.component.ts
@@ -189,11 +189,7 @@ export class ProjectMembersComponent implements OnInit, OnDestroy {
   }
 
   private shouldUsePreviewMode(): boolean {
-    if (!this.appEnvironment.production) {
-      return true;
-    }
-
-    return this.authService.authSession()?.isDebugSession === true;
+    return this.authService.authSession()?.isDebugSession === true && this.authService.canStartDebugSession();
   }
 
   private loadPreviewProjects(detail: string): void {
diff --git a/src/app/features/search/components/search-filters/search-filters.component.ts b/src/app/features/search/components/search-filters/search-filters.component.ts
@@ -308,11 +308,7 @@ export class SearchFiltersComponent implements OnInit, OnDestroy {
   }
 
   private shouldUsePreviewMode(): boolean {
-    if (!this.appEnvironment.production) {
-      return true;
-    }
-
-    return this.authService.authSession()?.isDebugSession === true;
+    return this.authService.authSession()?.isDebugSession === true && this.authService.canStartDebugSession();
   }
 
   private loadPreviewData(detail: string): void {
diff --git a/src/app/features/task-item/components/task-item-create/task-item-create.component.ts b/src/app/features/task-item/components/task-item-create/task-item-create.component.ts
@@ -201,11 +201,7 @@ export class TaskItemCreateComponent implements OnInit, OnDestroy {
   }
 
   private shouldUsePreviewMode(): boolean {
-    if (!this.appEnvironment.production) {
-      return true;
-    }
-
-    return this.authService.authSession()?.isDebugSession === true;
+    return this.authService.authSession()?.isDebugSession === true && this.authService.canStartDebugSession();
   }
 
   private buildPreviewProjects(): ProjectDto[] {
diff --git a/src/app/features/task-item/components/task-item-list/task-item-list.component.ts b/src/app/features/task-item/components/task-item-list/task-item-list.component.ts
diff --git a/src/app/features/task-item/components/user-task-items/user-task-items.component.ts b/src/app/features/task-item/components/user-task-items/user-task-items.component.ts

Original file line number	Diff line number	Diff line change
`@@ -100,7 +100,8 @@ export class AppComponent {`
`100`	`100`	`return currentUrl === '/' \|\|`
`101`	`101`	`currentUrl.startsWith('/login') \|\|`
`102`	`102`	`currentUrl.startsWith('/callback') \|\|`
`103`		`- currentUrl.startsWith('/not-found');`
	`103`	`+ currentUrl.startsWith('/not-found') \|\|`
	`104`	`+ currentUrl.startsWith('/unauthorized');`
`104`	`105`	`}`
`105`	`106`
`106`	`107`	`ngOnDestroy() {`
Original file line number	Diff line number	Diff line change
`@@ -10,5 +10,5 @@ export const adminRoleGuard: CanActivateFn = () => {`
`10`	`10`	`return true;`
`11`	`11`	`}`
`12`	`12`
`13`		`- return router.createUrlTree(['/dashboard']);`
	`13`	`+ return router.createUrlTree(['/unauthorized']);`
`14`	`14`	`};`
Original file line number	Diff line number	Diff line change
`@@ -10,6 +10,5 @@ export const managerOrAdminGuard: CanActivateFn = () => {`
`10`	`10`	`return true;`
`11`	`11`	`}`
`12`	`12`
`13`		`- return router.createUrlTree(['/dashboard']);`
	`13`	`+ return router.createUrlTree(['/unauthorized']);`
`14`	`14`	`};`
`15`		`-`
Original file line number	Diff line number	Diff line change
`@@ -187,11 +187,7 @@ export class ActivityLogComponent implements OnInit, OnDestroy {`
`187`	`187`	`}`
`188`	`188`
`189`	`189`	`private shouldUsePreviewMode(): boolean {`
`190`		`- if (!this.appEnvironment.production) {`
`191`		`- return true;`
`192`		`- }`
`193`		`-`
`194`		`- return this.authService.authSession()?.isDebugSession === true;`
	`190`	`+ return this.authService.authSession()?.isDebugSession === true && this.authService.canStartDebugSession();`
`195`	`191`	`}`
`196`	`192`
`197`	`193`	`private loadPreviewData(detail: string): void {`
`@@ -305,4 +301,3 @@ export class ActivityLogComponent implements OnInit, OnDestroy {`
`305`	`301`	`}`
`306`	`302`	`}`
`307`	`303`	`}`
`308`		`-`
Original file line number	Diff line number	Diff line change
`@@ -217,11 +217,7 @@ export class MyActivityComponent implements OnInit, OnDestroy {`
`217`	`217`	`}`
`218`	`218`
`219`	`219`	`private shouldUsePreviewMode(): boolean {`
`220`		`- if (!this.appEnvironment.production) {`
`221`		`- return true;`
`222`		`- }`
`223`		`-`
`224`		`- return this.authService.authSession()?.isDebugSession === true;`
	`220`	`+ return this.authService.authSession()?.isDebugSession === true && this.authService.canStartDebugSession();`
`225`	`221`	`}`
`226`	`222`
`227`	`223`	`private loadPreviewActivity(detail: string): void {`
`@@ -305,4 +301,3 @@ export class MyActivityComponent implements OnInit, OnDestroy {`
`305`	`301`	`return value.replace(/<[^>]*>/g, ' ');`
`306`	`302`	`}`
`307`	`303`	`}`
`308`		`-`
Original file line number	Diff line number	Diff line change
`@@ -275,11 +275,7 @@ export class AdminDashboardComponent implements OnInit {`
`275`	`275`	`}`
`276`	`276`
`277`	`277`	`private shouldUsePreviewMode(): boolean {`
`278`		`- if (!this.appEnvironment.production) {`
`279`		`- return true;`
`280`		`- }`
`281`		`-`
`282`		`- return this.authService.authSession()?.isDebugSession === true;`
	`278`	`+ return this.authService.authSession()?.isDebugSession === true && this.authService.canStartDebugSession();`
`283`	`279`	`}`
`284`	`280`
`285`	`281`	`private loadPreviewUsers(detail: string): void {`