check search space access before redirect

surfsense_web/components/TokenHandler.tsx

@@ -2,8 +2,10 @@
 
 import { useRouter, useSearchParams } from "next/navigation";
 import { useEffect } from "react";
+import { membersApiService } from "@/lib/apis/members-api.service";
 import { getAndClearRedirectPath, setBearerToken } from "@/lib/auth-utils";
 import { trackLoginSuccess } from "@/lib/posthog/events";
+import { queryClient } from "@/lib/query-client/client";
 
 interface TokenHandlerProps {
 	redirectPath?: string; // Default path to redirect after storing token (if no saved path)
@@ -36,34 +38,54 @@ const TokenHandler = ({
 		const token = searchParams.get(tokenParamName);
 
 		if (token) {
-			try {
-				// Track login success for OAuth flows (e.g., Google)
-				// Local login already tracks success before redirecting here
-				const alreadyTracked = sessionStorage.getItem("login_success_tracked");
-				if (!alreadyTracked) {
-					// This is an OAuth flow (Google login) - track success
-					trackLoginSuccess("google");
+			const handleAuth = async () => {
+				try {
+					// Track login success for OAuth flows (e.g., Google)
+					// Local login already tracks success before redirecting here
+					const alreadyTracked = sessionStorage.getItem("login_success_tracked");
+					if (!alreadyTracked) {
+						// This is an OAuth flow (Google login) - track success
+						trackLoginSuccess("google");
+					}
+					// Clear the flag for future logins
+					sessionStorage.removeItem("login_success_tracked");
+
+					// Store token in localStorage using both methods for compatibility
+					localStorage.setItem(storageKey, token);
+					setBearerToken(token);
+
+					// Clear any cached data from previous sessions
+					queryClient.clear();
+
+					// Check if there's a saved redirect path from before the auth flow
+					const savedRedirectPath = getAndClearRedirectPath();
+
+					// Check if saved path contains a search space ID and verify access
+					const searchSpaceMatch = savedRedirectPath?.match(/^\/dashboard\/(\d+)/);
+					if (searchSpaceMatch && savedRedirectPath) {
+						const searchSpaceId = Number(searchSpaceMatch[1]);
+						try {
+							await membersApiService.getMyAccess({ search_space_id: searchSpaceId });
+							router.push(savedRedirectPath);
+							return;
+						} catch {
+							// User doesn't have access, fall through to default
+						}
+					}
+
+					// Use the saved path if available, otherwise use the default redirectPath
+					const finalRedirectPath = savedRedirectPath || redirectPath;
+
+					// Redirect to the appropriate path
+					router.push(finalRedirectPath);
+				} catch (error) {
+					console.error("Error storing token in localStorage:", error);
+					// Even if there's an error, try to redirect to the default path
+					router.push(redirectPath);
 				}
-				// Clear the flag for future logins
-				sessionStorage.removeItem("login_success_tracked");
+			};
 
-				// Store token in localStorage using both methods for compatibility
-				localStorage.setItem(storageKey, token);
-				setBearerToken(token);
-
-				// Check if there's a saved redirect path from before the auth flow
-				const savedRedirectPath = getAndClearRedirectPath();
-
-				// Use the saved path if available, otherwise use the default redirectPath
-				const finalRedirectPath = savedRedirectPath || redirectPath;
-
-				// Redirect to the appropriate path
-				router.push(finalRedirectPath);
-			} catch (error) {
-				console.error("Error storing token in localStorage:", error);
-				// Even if there's an error, try to redirect to the default path
-				router.push(redirectPath);
-			}
+			handleAuth();
 		}
 	}, [searchParams, tokenParamName, storageKey, redirectPath, router]);