Service Layer | low complexity | Shared Component | mobile
0 Dependencies | 1 Dependents | 2 Entities | 0 Integrations

Description

GoRouter redirect callback that intercepts navigation for users whose role is flagged as mobile-blocked. Acts as a terminal route handler, redirecting to the no-access screen and preventing navigation to any other route until the user logs out.

Feature: No-Access Screen for Restricted Roles

no-access-route-guard

Summaries

The No-Access Route Guard is a critical security control that protects the business from unauthorized access by users whose roles are restricted to administrative or desktop-only workflows. By intercepting all mobile navigation attempts for blocked roles, it ensures that sensitive business operations are never accidentally exposed through the mobile channel — reducing compliance risk and preventing potential data exposure. It also preserves a clean logout path, ensuring users are never trapped in a broken state, which directly supports a positive user experience and reduces support costs from frustrated users contacting help desks.

This component carries low development complexity and can be delivered quickly as a standalone routing layer. Its primary dependency is the shared authentication state that exposes role information, so it must be scheduled after the auth state and role-based access control foundation are in place. Testing requirements include route interception coverage for all navigation paths, including edge cases such as deep links and back-navigation, plus verification that logout is never blocked. Deployment risk is low, but any changes to the role system or GoRouter configuration must be coordinated to avoid breaking the guard's interception logic.

The No-Access Route Guard implements a GoRouter redirect callback, hooking into the `redirect` lifecycle method to evaluate the current `AuthState` on every navigation event. The `isBlocked` helper reads the user's role from the shared auth state and returns true when that role appears in the blocked roles list sourced from the No-Access Configuration Repository. When blocked, all routes redirect to the no-access screen, with a special exception carved out for the logout route to prevent user lockout. Because it is marked shared, this guard should be registered once at the router root rather than per-route.

Maintenance is minimal — the only evolution risk is if GoRouter changes its redirect API contract or if the auth state shape changes.

Responsibilities

  • Intercept all route changes for authenticated users
  • Redirect to the no-access route when the user role is globally blocked
  • Allow logout navigation even from the blocked state
  • Integrate with the shared role-based access control state

Interfaces

redirect(BuildContext context, GoRouterState state): String?
isBlocked(AuthState authState): bool
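
The decision logic behind these two interfaces, as an added example rather than the project's own code. The `AuthState` fields, the route paths, the role names and the `readAuthState` helper are assumptions; `guardRedirect` takes the auth state and target `Uri` directly so it can be run and tested without Flutter.

```dart
// Added example: decision logic only, no Flutter imports, so `dart run` works.
// Field names, route paths and role names are assumptions, not project code.
class AuthState {
  const AuthState({required this.isAuthenticated, this.role, this.blockedRoles = const {}});
  final bool isAuthenticated;
  final String? role;
  // Assumed to be loaded from the No-Access Configuration Repository.
  final Set<String> blockedRoles;
}

const noAccessPath = '/no-access'; // assumed route path
const logoutPath = '/logout'; // assumed route path

bool isBlocked(AuthState authState) {
  final role = authState.role;
  return authState.isAuthenticated && role != null && authState.blockedRoles.contains(role);
}

// Returns the redirect target, or null to let navigation proceed.
String? guardRedirect(AuthState authState, Uri target) {
  if (!isBlocked(authState)) return null;
  // Compare the parsed path, not the raw string, so deep links with query
  // parameters are caught and '/logout-history' is not mistaken for logout.
  if (target.path == logoutPath) return null; // logout is never blocked
  if (target.path == noAccessPath) return null; // already there: avoid a redirect loop
  return noAccessPath;
}

// Root wiring (assumes a go_router version exposing `state.uri`; `readAuthState` is hypothetical):
//   GoRouter(redirect: (context, state) => guardRedirect(readAuthState(context), state.uri), ...)

void main() {
  const blocked = AuthState(isAuthenticated: true, role: 'desktop_admin', blockedRoles: {'desktop_admin'});
  const allowed = AuthState(isAuthenticated: true, role: 'field_worker', blockedRoles: {'desktop_admin'});
  // Constructed navigation targets and the redirect expected for the blocked user.
  const cases = <String, String?>{
    '/home': noAccessPath,
    '/cases/42?tab=notes': noAccessPath, // deep link
    '/logout-history': noAccessPath, // prefix look-alike
    '/logout?reason=blocked': null,
    '/no-access': null,
  };
  cases.forEach((target, expected) {
    final uri = Uri.parse(target);
    if (guardRedirect(blocked, uri) != expected) throw StateError('blocked user: $target');
    if (guardRedirect(allowed, uri) != null) throw StateError('allowed user: $target');
    print('$target -> ${guardRedirect(blocked, uri) ?? 'proceed'}');
  });
}
```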

Relationships

Dependents (1)

Components that depend on this component

Related Data Entities (2)

Data entities managed by this component

API Contract

REST /api/v1/route-guard (2 endpoints)

  • POST /api/v1/route-guard/check: Evaluate whether the current auth state should be blocked and what redirect to apply
  • GET /api/v1/route-guard/redirect: Get the redirect destination for a blocked auth state without posting full state