Update GQL client and auth middleware to handle invalid tokens and invalidate session

[jordanarldt]

What/Why?

• Update withAuth middleware to redirect protected routes to /login page when user is unauthorized
• Add customer access token validation on protected routes
• Minor updates to end-user error messages on unauthorized GQL requests to stop returning raw GQL error and use our translated error message instead.
• Add onError event to GraphQL client
• Use the onError callback to invalidate user session when GQL returns an invalid or missing token error

Testing

Screen.Recording.2025-05-02.at.5.54.09.PM.mov

Migration

1. Copy all changes from the /core/client directory and the /packages/client directory
2. Copy logic from withAuth middleware to handle the ?invalidate-session query param
3. Copy translation values
4. Copy all changes from the /core/app/[locale]/(default)/account/ directory server actions
5. Copy all changes from the /core/app/[locale]/(default)/checkout/route.ts file

[changeset-bot]

🦋 Changeset detected

Latest commit: 8e7a907

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 2 packages

Name	Type
@bigcommerce/catalyst-client	Patch
@bigcommerce/catalyst-core	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
catalyst-canary	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	May 7, 2025 3:14pm

4 Skipped Deployments

Name	Status	Preview	Comments	Updated (UTC)
catalyst	⬜️ Ignored (Inspect)			May 7, 2025 3:14pm
catalyst-au	⬜️ Ignored (Inspect)	Visit Preview		May 7, 2025 3:14pm
catalyst-soul	⬜️ Ignored (Inspect)	Visit Preview		May 7, 2025 3:14pm
catalyst-uk	⬜️ Ignored (Inspect)	Visit Preview		May 7, 2025 3:14pm

[jordanarldt]

We only redirect on GET requests to avoid breaking any server actions.

[jordanarldt]

Using next/navigation here for a few reasons:

1. For some reason importing ~/i18n/routing breaks this file and the build starts failing. (Module not found error)
2. We don't need locale info for the session invalidation redirect, as it's just redirecting to the same route with the ?invalidate-session query param.

[jorgemoya]

Is there a reason why this is optional?

[jordanarldt]

@jorgemoya Yep, it's optional so that we don't have to update every single client.fetch in Catalyst to get this behavior. It's optional, but defaults to true, so if we want to override the behavior somewhere, we can.

[jorgemoya]

Yeah I guess my question was more in the sense of why would we want to override it but having the optional override shouldn't hurt.

[jorgemoya]

Is this an existing pattern or something we built for this use case?

[jordanarldt]

It's built for this use-case. As @chanceaclark was saying, we need the auth failure handling to be part of the DAL, which will require having this onError handler built into the client. 👍

[github-actions]

⚡️🏠 Lighthouse report

Lighthouse ran against https://catalyst-canary-et08lsoyd-bigcommerce-platform.vercel.app

🖥️ Desktop

We ran Lighthouse against the changes on a desktop and produced this report. Here's the summary:

Category	Score
🟢 Performance	98
🟢 Accessibility	92
🟠 Best practices	78
🟢 SEO	91

📱 Mobile

We ran Lighthouse against the changes on a mobile and produced this report. Here's the summary:

Category	Score
🟠 Performance	88
🟢 Accessibility	92
🟠 Best practices	78
🟢 SEO	92