4.3 KiB
Authentication Fix Summary
Problem
- Backend logs show: "AUTHENTICATION ERROR: No credentials provided for authenticated endpoint: GET /api/content-planning/enhanced-strategies/"
- Frontend window reloads and redirects to home page
- Cannot capture frontend logs due to redirect loop
Root Cause Analysis
-
Request Interceptor Issue: The interceptor was allowing requests to proceed even when
authTokenGetterreturnednull, which caused requests to be sent without Authorization headers. -
Response Interceptor Redirect: When backend returned 401, the response interceptor was immediately redirecting to home page, even for content-planning routes during initialization.
-
Race Condition: There might be a timing issue where:
- ProtectedRoute renders the component (user appears authenticated)
- But TokenInstaller's useEffect hasn't run yet, or
- Token getter returns null because Clerk token isn't ready yet
Fixes Applied
1. Enhanced Request Interceptor ✅
File: frontend/src/api/client.ts
Change: Reject requests when token getter returns null (not just when it's not set)
Before:
if (token) {
// Add token
} else {
// Still proceed with request - backend will return 401
}
After:
if (token) {
// Add token
} else {
// Reject request to prevent 401 errors
return Promise.reject(new Error('Authentication token not available...'));
}
2. Prevent Redirects for Content-Planning Routes ✅
File: frontend/src/api/client.ts
Change: Added isContentPlanningRoute check to prevent redirects during initialization
Before:
if (!isRootRoute && !isOnboardingRoute) {
// Redirect to home
}
After:
const isContentPlanningRoute = window.location.pathname.includes('/content-planning');
if (!isRootRoute && !isOnboardingRoute && !isContentPlanningRoute) {
// Redirect to home
} else if (isContentPlanningRoute) {
// Just log - ProtectedRoute will handle redirect if needed
console.warn('401 Unauthorized for content-planning route - ProtectedRoute should handle this');
}
3. Aligned with Established Pattern ✅
Files:
ContentStrategyTab.tsxContentPlanningDashboard.tsx
Change: Removed component-level auth checks, relying on ProtectedRoute (matches BlogWriter/StoryWriter pattern)
Expected Behavior After Fix
-
Request Interceptor:
- ✅ Rejects requests if
authTokenGetteris not set - ✅ Rejects requests if
authTokenGetterreturnsnull - ✅ Only proceeds with requests that have valid tokens
- ✅ Rejects requests if
-
Response Interceptor:
- ✅ Prevents redirect loops for content-planning routes
- ✅ Allows ProtectedRoute to handle authentication state
- ✅ Still redirects for other routes on 401 (after retry fails)
-
Components:
- ✅ Rely on ProtectedRoute for authentication checks
- ✅ Make API calls directly (no redundant auth checks)
- ✅ API interceptor handles token injection
Testing Checklist
- Navigate to
/content-planningwhen signed in - Verify no 401 errors in backend logs
- Verify no redirect to home page
- Verify API calls include Authorization header
- Verify frontend console shows token being added to requests
- Test with slow network (to catch race conditions)
- Test navigation from main dashboard to content-planning
Next Steps if Issue Persists
-
Add More Logging:
- Log when TokenInstaller sets authTokenGetter
- Log when request interceptor runs
- Log token value (first few chars) to verify it's not null
-
Check TokenInstaller Timing:
- Verify TokenInstaller runs before ProtectedRoute renders children
- Consider adding a small delay or state check
-
Verify Clerk Token Template:
- Check if
REACT_APP_CLERK_JWT_TEMPLATEis set correctly - Verify Clerk dashboard has the JWT template configured
- Check if
-
Backend Logging:
- Add logging to see if Authorization header is received
- Check if header format is correct (
Bearer <token>)
Status: ✅ FIXES APPLIED
All fixes have been applied. The system should now:
- Reject requests without tokens (preventing 401s)
- Not redirect content-planning routes during initialization
- Follow the same authentication pattern as other components