Authentication & Routing

Protected Routes

SREDSimplify uses Higher-Order Components (HOCs) to guard routes based on authentication status and user role. They live in src/components/auth/.

  • <ProtectedRoute>: Ensures the user has a valid JWT. If not, it redirects to /login. Wraps the entire (app) route group.
  • <AdminRoute>: Checks the user's role against the ADMIN tier. Wraps the /admin/* routes. If a standard user attempts access, they are redirected.
  • <GuestRoute>: Ensures the user is not logged in. Wraps routes like /login and /register. If an authenticated user visits these, they are redirected to /projects.

JWT Lifecycle

  1. Upon successful login/registration, the backend returns a JWT.
  2. The authStore (Zustand) saves this token to localStorage.
  3. The Axios interceptor attaches the token to the Authorization header as Bearer <token> on every outbound request.
  4. If the backend returns 401 Unauthorized (e.g., token expiration), Axios intercepts the response, triggers authStore.logout(), and pushes the router to /login.
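Steps 3 and 4 as an added example (not SREDSimplify's own code): the request and response interceptor handlers written as plain functions so they can be exercised without Axios. The `authStore` and `router` shapes, and the `token` storage key, are assumptions for the example.

```javascript
// Stand-in for the Zustand authStore (assumed shape). In the browser `storage`
// is window.localStorage; note that anything stored there is readable by any
// script running in the page, which is why token expiry matters.
function createAuthStore(storage) {
  return {
    getToken: () => storage.getItem("token"),
    setToken: (t) => storage.setItem("token", t),
    logout: () => storage.removeItem("token"),
  };
}

// Request interceptor: attach "Bearer <token>" when a token is present.
// Register with: api.interceptors.request.use((cfg) => attachAuth(cfg, authStore));
function attachAuth(config, authStore) {
  const token = authStore.getToken();
  if (token) {
    config.headers = { ...config.headers, Authorization: `Bearer ${token}` };
  }
  return config;
}

// Response error interceptor: on 401, clear the session and go to /login.
// Register with:
//   api.interceptors.response.use((r) => r, (e) => handleAuthError(e, authStore, router));
function handleAuthError(error, authStore, router) {
  // Network errors have no `response`; only a real 401 from the backend logs out.
  const status = error && error.response ? error.response.status : undefined;
  if (status === 401) {
    authStore.logout(); // drop the expired/invalid token
    router.push("/login"); // <ProtectedRoute> would redirect anyway; do it eagerly
  }
  // Always reject so the calling code never treats the failure as success.
  return Promise.reject(error);
}

// In-memory storage stand-in (constructed for the example) so it runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => m.set(k, v),
    removeItem: (k) => m.delete(k),
  };
}
```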