I’ve failed to move my rules to actions as recommended, and in trying to fix that up, I realise I need to go back to basics.
My current implementation may be overly complicated, and I’ve downloaded the sample app for a Single Page Application to re-assess; however, either the access token is not actually being sent and validated, or it’s far from clear where that magic happens!
The nav-bar component calls this.auth.loginWithRedirect();
But where is the access token saved?
The external-api component calls this.api.ping$() but where is the access token sent in the headers?
The api-server get handler confirms “Your access token was successfully validated”, but this is skeleton code surely? No validation actually took place?
That seems obvious; however, are there any hidden interceptors that injected the access token into headers, and is there the equivalent of middleware somewhere that would have rejected the get request if the access token was not valid?
If there are no interceptors, I guess my original solution is valid and not over-complex after all!
Am I missing the validation “magic” in the sample app?