2025-03-13 Frontend Working Group Meeting Notes: Handling Auth Edge Cases, Robots.txt

 Date, time, location

 Discussion topic(s)

  • @Adam Stankiewicz [discuss] MFE Authentication testing · Issue #949 · edx/edx-arch-experiments

    • Should MFEs more gracefully handle authentication edge case scenarios?

      • Example scenarios:

        • Opening an MFE in 2 tabs as an authenticated user. Log out of the 2nd tab, and return to the original tab.

          • Should the original tab reflect the now-logged out state in its UI?

        • Opening an MFE in 2 tabs as an authenticated user. Log out of the 2nd tab, log back in as a different authenticated user, and return to the original tab.

          • Should the original tab reflect the updated authenticated user in its UI?

      • Example handling of 2nd scenario from GitHub:

        • image-20250313-131655.png

           

      • Next steps

        • @Adam Stankiewicz to move current disco from edx issue into frontend-platform GitHub issue.

          • 2U may try to support exposing some sort of lifecycle from @edx/frontend-platform, but will likely not drive much further UX discovery.

        • Additional examples of web apps handling these and similar scenarios “in the wild” (e.g., GitHub) should be observed & documented.

          • Will help inform technical/design requirements.

        • Work with UI/UX WG to ensure a consistent, graceful UX pattern.

          • Ideally, avoids full-page refreshes.

             

  • @Adolfo Brandes robots.txt and other static files: entirely up to the deployment mechanism or configurable via webpack build options?

    • fix: blocked web crawlers for account MFE by sundasnoreen12 · Pull Request #1208 · openedx/frontend-app-account

    • How do we prevent MFEs from search engine indexing?

      • Current strategies

        • meta tag

          • Requires merging to fork/master

        • robots.txt

          • Only available via deployment strategy vs. included in MFEs.

          • Deployment strategy

            • Tutor and 2U/edX.org build+deploy processes

      • Should this be community configurable?

        • E.g., expose conditional <meta> in public/index.html.

      • Opt-in instead of opt-out.

      • Next steps:

        • We do NOT want robots.txt in upstream repos; deploy-time only.

        • We DO want robots meta to be configurable.

          • Ideally, avoid build-time configuration.

          • Could use Helmet to dynamically inject at runtime based on config.

             

🎥Recording

 Participants

Adam Stankiewicz, Adolfo Brandes, Brian Smith, Juan Carlos Iasenza

🤖 Summary

🧩 Media Query Tokens and Header PR

  • Brian is investigating whether the new header changes can be made non-breaking, like the footer.

  • The issue involves media query tokens and ensuring backwards compatibility.

  • Tentative finding: the token being replaced might not have been used, meaning the issue may be a non-issue.


🔄 Segment Identify & Auth Session Mismatch

  • Adam presented an issue around Segment identify calls not firing when a user logs out in one tab and logs back in as another user in another tab.

  • Currently, session change detection requires a full page reload, which limits tracking accuracy and can create UX problems.

  • They discussed GitHub's approach: it detects user change and prompts for login refresh without a full reload.

  • Proposed improvements:

    • Add a hook in frontend-platform to detect session/user changes.

    • Update the authenticated user on login refresh.

    • Add logic in MFEs to re-call Segment identify and handle UX accordingly.
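
A sketch of the session-change hook proposed above, covering both two-tab scenarios from the discussion. This is an added example, not code from frontend-platform or from the meeting; every function and callback name in it is hypothetical, and it assumes the app can refresh the session and obtain the current user (or null) without a page reload.

```javascript
// Added example. classifySessionChange, createSessionWatcher and the callback
// names are hypothetical; they are not @edx/frontend-platform APIs.

// Compare the user this tab rendered with against the user the session now
// belongs to. Identity is a stable id, never a display name.
function classifySessionChange(renderedUser, currentUser) {
  if (!renderedUser && !currentUser) return 'unchanged';
  if (renderedUser && !currentUser) return 'logged_out';
  if (!renderedUser && currentUser) return 'logged_in';
  return renderedUser.userId === currentUser.userId ? 'unchanged' : 'switched_user';
}

function createSessionWatcher({ initialUser, clearPrivateData, identify, onChange }) {
  let renderedUser = initialUser || null;
  return {
    // Call with the result of the app's session refresh (null when logged out).
    apply(currentUser) {
      const next = currentUser || null;
      const change = classifySessionChange(renderedUser, next);
      if (change === 'unchanged') return change;
      // Order matters: drop data fetched for the previous user before any
      // handler can re-render it under the new identity.
      clearPrivateData();
      renderedUser = next;
      if (next) identify(next); // re-send the analytics identify for the new user
      onChange(change, next);   // e.g. show a "session changed" banner, no reload
      return change;
    },
  };
}

// Constructed walk-through of the second scenario in these notes.
function demoSwitchedUser() {
  const events = [];
  const watcher = createSessionWatcher({
    initialUser: { userId: 101, username: 'alice' }, // constructed sample user
    clearPrivateData: () => events.push('clear'),
    identify: (user) => events.push(`identify:${user.userId}`),
    onChange: (change) => events.push(`ui:${change}`),
  });
  watcher.apply({ userId: 101, username: 'alice' }); // tab refocused, same user
  watcher.apply({ userId: 202, username: 'bob' });   // other tab switched accounts
  return events;
}

// Browser wiring (assumption): refresh the session and call watcher.apply(user)
// whenever document.visibilityState becomes 'visible'.
```
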


⚙️ React Query and Error Handling Edge Cases

  • In some enterprise MFEs, background fetches (via React Query) after logout return 401 errors.

  • These are silently caught, replacing data with fallback states (e.g., null), leading to UI issues like "undefined UUID" errors.

  • Solutions:

    • Avoid replacing cached data on error.

    • Possibly notify users via UI (e.g., toast) if data becomes invalid.

    • Plan for better handling with React 18.


🔐 Security/UX Balance

  • Discussion about accessing private user data after session change: UX must balance seamless transitions vs. data security.

  • There’s a desire for platform-level consistency, possibly baked into frontend-base in the future.


📄 robots.txt and Meta Tag Configuration

  • Raised by Adolfo based on a previous maintenance meeting.

  • Problem: No standardized way to add robots.txt or meta tags to prevent unwanted indexing of MFEs.

  • Agreement:

    • Don't merge robots.txt files upstream—this should be a deployment-time config.

    • For meta tags, look into Webpack-based variables or runtime injection (e.g., via React Helmet).

    • Need to investigate whether empty meta tags cause issues and how to handle them conditionally.

    • Tutor or similar tools should manage this at deploy time.
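
One way to drive the robots meta tag from runtime configuration while never rendering an empty tag, as raised in both the discussion notes and this summary. This is an added example, not code from any Open edX repository: `ROBOTS_META` is a hypothetical config key, and treating an unset value as "emit no tag" is an assumption rather than a decision recorded in these notes.

```javascript
// Added example. ROBOTS_META is a hypothetical runtime config key; it is not
// an existing MFE setting.
const KNOWN_DIRECTIVES = new Set([
  'index', 'noindex', 'follow', 'nofollow', 'none', 'noarchive', 'nosnippet',
]);
const CONFLICTS = [['index', 'noindex'], ['follow', 'nofollow']];

// Returns the array for React Helmet's `meta` prop: [] when nothing is
// configured (so no empty <meta> tag is rendered), otherwise one robots entry.
function robotsMetaProps(config) {
  const raw = config ? config.ROBOTS_META : undefined;
  if (raw === undefined || raw === null) return [];
  if (typeof raw !== 'string') throw new TypeError('ROBOTS_META must be a string');

  // Normalise case and whitespace, drop empty items and duplicates.
  const directives = [...new Set(
    raw.split(',').map((d) => d.trim().toLowerCase()).filter(Boolean),
  )];
  if (directives.length === 0) return [];

  // A typo such as "no-index" is ignored by crawlers and would leave the MFE
  // indexable, so reject it loudly instead of passing it through.
  const unknown = directives.filter((d) => !KNOWN_DIRECTIVES.has(d));
  if (unknown.length > 0) {
    throw new Error(`Unknown robots directive: ${unknown.join(', ')}`);
  }
  const clash = CONFLICTS.find(
    ([a, b]) => directives.includes(a) && directives.includes(b),
  );
  if (clash) throw new Error(`Conflicting robots directives: ${clash.join(' and ')}`);

  return [{ name: 'robots', content: directives.join(', ') }];
}

// Usage in a component (assumes react-helmet and a runtime config object):
//   <Helmet meta={robotsMetaProps(runtimeConfig)} />
```
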


Action Items & Next Steps

  • Adam to document the Segment/auth tracking issue in a frontend-platform issue.

  • Team to do more discovery around UX patterns for session changes in apps like GitHub, Confluence.

  • Explore configurability options for robots.txt and meta tags, possibly as part of the Webpack process or via runtime tooling.