
Validate Active Session in /admin Endpoint #29

Description

@amorindev

Objective:

Modify the Admin handler so that, in addition to checking whether an administrator exists, it also validates whether the user has an active session before redirecting.

Location:

  • web/admin/api/handler/admin.go

Current Behavior:

  • The /admin endpoint checks whether an administrator exists in the system using ExistsAdmin.
  • If it exists, it redirects to /v1/admin/sign-in.
  • If it does not exist, it redirects to /v1/admin/sign-up.
  • If an error occurs, it renders an error page.

Currently, it does not validate whether the user already has an active session.

New Expected Behavior:

When a user accesses /admin, the flow must be as follows:

  1. Validate active session:
     • Read the accessToken from the cookie.
     • Attempt to validate it.
  2. If the access token is valid:
     • Redirect to /v1/admin/home.
  3. If the access token is expired (for example, an error of type domain.ErrTokenExpired):
     • Attempt to refresh the session using the refresh_token.
  4. If the refresh is successful:
     • Set new cookies.
     • Redirect to /v1/admin/home.
  5. If the refresh fails:
     • Redirect to /v1/admin/sign-in.
  6. If no token exists or it is invalid:
     • Continue with the normal flow:
       • If admin exists → /v1/admin/sign-in
       • If admin does not exist → /v1/admin/sign-up

Architecture Considerations:

  • Token validation must not be directly coupled to the handler.
  • The existing TokenSrv or CookieSrv must be used.
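The six-step flow above, with validation kept behind an interface as the architecture note requires, written out as an added Go example. This is not code from the project; the interface names TokenService and AdminStore, the AdminHandler type, setSessionCookies, Resolve and the in-memory fakes are all assumed here, ErrTokenExpired stands in for the domain.ErrTokenExpired the issue mentions, and the cookie names accessToken and refresh_token are taken from the issue. The fakes only exist so the handler can be exercised offline; in the project the real TokenSrv and ExistsAdmin would satisfy the interfaces.

```go
package main

import (
	"errors"
	"net/http"
	"net/http/httptest"
)

// ErrTokenExpired stands in for the domain.ErrTokenExpired named in the issue.
var ErrTokenExpired = errors.New("token expired")

// TokenService is the assumed shape of the project's TokenSrv, keeping validation out of the handler.
type TokenService interface {
	Validate(accessToken string) error
	Refresh(refreshToken string) (newAccess, newRefresh string, err error)
}

// AdminStore is an assumed wrapper around the project's ExistsAdmin check.
type AdminStore interface{ ExistsAdmin() (bool, error) }

// AdminHandler implements the /admin entry-point flow described in the issue.
type AdminHandler struct {
	Tokens TokenService
	Admins AdminStore
}

func (h *AdminHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	// Step 1: read the access token cookie and validate it, if present.
	if c, err := r.Cookie("accessToken"); err == nil && c.Value != "" {
		switch verr := h.Tokens.Validate(c.Value); {
		case verr == nil: // Step 2: live session, go straight home.
			http.Redirect(w, r, "/v1/admin/home", http.StatusFound)
			return
		case errors.Is(verr, ErrTokenExpired): // Step 3: try the refresh token.
			rc, cerr := r.Cookie("refresh_token")
			if cerr != nil {
				http.Redirect(w, r, "/v1/admin/sign-in", http.StatusFound)
				return
			}
			access, refresh, rerr := h.Tokens.Refresh(rc.Value)
			if rerr != nil { // Step 5: refresh rejected, require a fresh login.
				http.Redirect(w, r, "/v1/admin/sign-in", http.StatusFound)
				return
			}
			setSessionCookies(w, access, refresh) // Step 4: renew, then home.
			http.Redirect(w, r, "/v1/admin/home", http.StatusFound)
			return
		}
		// Step 6: any other error (malformed, bad signature) falls through as "no token".
	}
	exists, err := h.Admins.ExistsAdmin()
	if err != nil {
		http.Error(w, "could not check administrator", http.StatusInternalServerError)
		return
	}
	if exists {
		http.Redirect(w, r, "/v1/admin/sign-in", http.StatusFound)
		return
	}
	http.Redirect(w, r, "/v1/admin/sign-up", http.StatusFound)
}

// setSessionCookies writes both tokens HttpOnly, Secure and SameSite=Strict.
func setSessionCookies(w http.ResponseWriter, access, refresh string) {
	for name, val := range map[string]string{"accessToken": access, "refresh_token": refresh} {
		http.SetCookie(w, &http.Cookie{Name: name, Value: val, Path: "/",
			HttpOnly: true, Secure: true, SameSite: http.SameSiteStrictMode})
	}
}

// Constructed in-memory fakes, used only to exercise the handler offline.
type fakeTokens struct{}
func (fakeTokens) Validate(t string) error {
	if e, ok := map[string]error{"live": nil, "stale": ErrTokenExpired}[t]; ok {
		return e
	}
	return errors.New("invalid token")
}

func (fakeTokens) Refresh(rt string) (string, string, error) {
	if rt == "good-refresh" {
		return "live", "good-refresh-2", nil
	}
	return "", "", errors.New("refresh rejected")
}
type fakeAdmins struct{ exists bool }
func (f fakeAdmins) ExistsAdmin() (bool, error) { return f.exists, nil }

// Resolve runs the handler with the given cookies and returns its Location header.
func Resolve(adminExists bool, cookies map[string]string) string {
	h := &AdminHandler{Tokens: fakeTokens{}, Admins: fakeAdmins{exists: adminExists}}
	req := httptest.NewRequest(http.MethodGet, "/admin", nil)
	for k, v := range cookies {
		req.AddCookie(&http.Cookie{Name: k, Value: v})
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Header().Get("Location")
}
```

Two design points worth noting: only an error that is specifically ErrTokenExpired triggers a refresh, so a tampered or malformed token never reaches the refresh path and simply drops into the existing admin-exists flow; and a missing refresh_token cookie is treated as a failed refresh, not as "no session", so an expired access token without a refresh token lands on sign-in rather than sign-up.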

Expected Result:

  • The /admin endpoint must behave as an intelligent entry point:
    • If the user already has an active session, redirect to home.
    • If the user does not have a session, redirect to login or registration as appropriate.
    • If the access token is expired but the refresh token is valid, the session must be automatically renewed.

Notes:

  • Questions or better solutions should be discussed in the issue comments.

Similar Examples:

  • web/shared/api/middlewares/authenticate.go

Labels: enhancement (New feature or request)