VPR-54 fix(scheduler): render Razor 403 view for dashboard auth denials

rlorenzo · rlorenzo · commit 64f6ca5d95d8 · 2026-06-08T10:09:08.000-07:00
Hangfire's dashboard middleware writes a bare 403 directly to the
response when our IDashboardAuthorizationFilter returns false, which
bypasses cookie auth's AccessDeniedPath and lands the user on the
browser's default error page. Add UseStatusCodePagesWithReExecute so
any bare 4xx/5xx status code re-runs through HomeController.Error and
the existing /Views/Home/403.cshtml view.

Applies globally — also catches stray bare 404s from any other
middleware. Status code is preserved on the response (browser still
sees 403); only the body is replaced with the rendered view.
diff --git a/web/Classes/Scheduler/HangfireExtensions.cs b/web/Classes/Scheduler/HangfireExtensions.cs
@@ -107,9 +107,9 @@ public static WebApplication UseViperHangfire(this WebApplication app)
                 return app;
             }
 
-            // The dashboard's "Back to site" link uses AppPath verbatim;
-            // we have no UsePathBase middleware so the /2/ deployment prefix
-            // (TEST/PROD) must come from config.
+            // Hangfire renders the configured AppPath as-is in the dashboard
+            // "Back to site" link. With no UsePathBase middleware, we need to
+            // supply the /2 deployment prefix from configuration ourselves.
             var dashboardAppPath = app.Configuration.GetValue<string>(DashboardAppPathKey) ?? "/Computing";
             app.MapHangfireDashboard(DashboardPath, new DashboardOptions
             {
diff --git a/web/Program.cs b/web/Program.cs
@@ -399,6 +399,11 @@ void RegisterDbContext<TContext>(string connectionStringKey) where TContext : Db
 
     }
 
+    // Re-execute bare status-code responses (403, 404, etc.) through HomeController.Error
+    // so middleware that writes raw status codes — e.g. Hangfire's dashboard middleware
+    // when our auth filter denies — gets the same Razor error view as the rest of the app.
+    app.UseStatusCodePagesWithReExecute("/Error/{0}");
+
     // In development, set up Vite proxy BEFORE rewrite rules so it can handle .ts/.js files
     if (app.Environment.IsDevelopment())
     {

Original file line number	Diff line number	Diff line change
`@@ -107,9 +107,9 @@ public static WebApplication UseViperHangfire(this WebApplication app)`
`107`	`107`	`return app;`
`108`	`108`	`}`
`109`	`109`
`110`		`- // The dashboard's "Back to site" link uses AppPath verbatim;`
`111`		`- // we have no UsePathBase middleware so the /2/ deployment prefix`
`112`		`- // (TEST/PROD) must come from config.`
	`110`	`+ // Hangfire renders the configured AppPath as-is in the dashboard`
	`111`	`+ // "Back to site" link. With no UsePathBase middleware, we need to`
	`112`	`+ // supply the /2 deployment prefix from configuration ourselves.`
`113`	`113`	`var dashboardAppPath = app.Configuration.GetValue<string>(DashboardAppPathKey) ?? "/Computing";`
`114`	`114`	`app.MapHangfireDashboard(DashboardPath, new DashboardOptions`
`115`	`115`	`{`
Original file line number	Diff line number	Diff line change
`@@ -399,6 +399,11 @@ void RegisterDbContext<TContext>(string connectionStringKey) where TContext : Db`
`399`	`399`
`400`	`400`	`}`
`401`	`401`
	`402`	`+ // Re-execute bare status-code responses (403, 404, etc.) through HomeController.Error`
	`403`	`+ // so middleware that writes raw status codes — e.g. Hangfire's dashboard middleware`
	`404`	`+ // when our auth filter denies — gets the same Razor error view as the rest of the app.`
	`405`	`+ app.UseStatusCodePagesWithReExecute("/Error/{0}");`
	`406`	`+`
`402`	`407`	`// In development, set up Vite proxy BEFORE rewrite rules so it can handle .ts/.js files`
`403`	`408`	`if (app.Environment.IsDevelopment())`
`404`	`409`	`{`