There is a long-living branch named "max-cas" in GSA/srt-api and GSA/srt-ui. At this point in time, the login works by:
- There is some non-angular JavaScript embedded on the Angular home page template that redirects the user to the CAS login page with the redirect URL of a REST API endpoint /casLogin.
- The REST API endpoint will get the auth token from MAX CAS as part of the request URL
- REST API validates the token and repackages a new token with a JWT and some other info and sends the user to the web app again
- Other non-Angular JavaScript embedded on the Angular home page template reads the URL, saves the JWT and other data into HTML5 localStorage, then redirects the user back to the Angular login page.
- The Angular login page detects the JWT in localStorage and authenticates the user.
We should at least consider changing this flow so that the page flow is:
Angular home page -> CAS login -> Angular page -> logged in home screen
In other words, it feels like the web browser shouldn't be loading pages from the REST API directly.
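The following is an added sketch of the proposed flow, not code from the `max-cas` branch of GSA/srt-ui or GSA/srt-api. It assumes that CAS redirects back to the Angular page with a `ticket` query parameter (standard CAS behaviour), that the REST endpoint `/casLogin` can be changed to accept that ticket in a POST body and answer with JSON `{"jwt": "..."}` (an assumption; today it reads the token from the request URL), and that `fakeFetch` stands in for the browser's `fetch()` so the example runs offline. The point it demonstrates: the Angular page handles the CAS callback itself and calls the API over XHR, so the browser never navigates to a REST API page and the JWT never appears in a URL.

```javascript
// Added example (not GSA/srt-ui or GSA/srt-api code): the Angular page, not the
// REST API, handles the CAS callback and exchanges the ticket for a JWT over XHR.

// Extract the CAS service ticket from the URL the browser landed on.
// Returns null when no ticket is present, so the page can fall back to the
// normal logged-out home screen. CAS service tickets start with "ST-".
function extractCasTicket(landingUrl) {
  const url = new URL(landingUrl);
  const ticket = url.searchParams.get('ticket');
  if (!ticket || !ticket.startsWith('ST-')) {
    return null;
  }
  return ticket;
}

// Same URL with the ticket removed, so history.replaceState() can scrub it
// from the address bar and browser history once it has been used.
function stripTicket(landingUrl) {
  const url = new URL(landingUrl);
  url.searchParams.delete('ticket');
  return url.toString();
}

// Exchange the ticket for a session JWT by POSTing to the REST API. The JWT
// travels only in the response body, never in a URL the browser navigates to,
// so it does not land in history, Referer headers or web server access logs.
// Assumption: /casLogin accepts {"ticket": "..."} and returns {"jwt": "..."}.
async function exchangeTicketForJwt(ticket, apiBase, fetchImpl) {
  const response = await fetchImpl(`${apiBase}/casLogin`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ ticket }),
  });
  if (!response.ok) {
    throw new Error(`ticket exchange failed: HTTP ${response.status}`);
  }
  const body = await response.json();
  if (typeof body.jwt !== 'string' || body.jwt.length === 0) {
    throw new Error('ticket exchange returned no jwt');
  }
  return body.jwt;
}

// Orchestrates the callback. `store` is wherever the Angular app keeps the
// session (an in-memory service, or localStorage as the current branch does);
// a Map is enough for the example.
async function handleCasCallback(landingUrl, apiBase, fetchImpl, store) {
  const ticket = extractCasTicket(landingUrl);
  if (ticket === null) {
    return { loggedIn: false, cleanUrl: landingUrl };
  }
  const jwt = await exchangeTicketForJwt(ticket, apiBase, fetchImpl);
  store.set('jwt', jwt);
  return { loggedIn: true, cleanUrl: stripTicket(landingUrl) };
}

// Constructed stand-in for fetch() so the flow runs offline: it accepts one
// hypothetical ticket value and answers with a placeholder JWT; anything else
// gets a 401, which exchangeTicketForJwt turns into an error.
async function fakeFetch(url, init) {
  const { ticket } = JSON.parse(init.body);
  if (url.endsWith('/casLogin') && init.method === 'POST' && ticket === 'ST-example-ticket') {
    return { ok: true, status: 200, json: async () => ({ jwt: 'placeholder.jwt.token' }) };
  }
  return { ok: false, status: 401, json: async () => ({}) };
}

// Stand-alone demo (constructed URLs); in the browser the landing URL would
// be window.location.href and fetchImpl the real fetch.
if (typeof window === 'undefined') {
  handleCasCallback('https://app.example/home?ticket=ST-example-ticket',
                    'https://api.example', fakeFetch, new Map())
    .then((result) => console.log(result));
}
```

With this shape, `/casLogin` is an XHR endpoint rather than a page the browser loads, which is exactly the separation the proposed flow asks for; the session store can stay localStorage for now without changing the exchange itself.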