google / exposure-notifications-verification-server

Verification component for COVID-19 Exposure Notifications.

Don't assume users can access /codes/issue

sethvargo opened this issue

Previously, all users could issue codes, so it was safe to redirect users to /codes/issue post-login or post-auth-refresh. However, now it's possible to have users that don't have such permissions. Post-login, they are immediately shown an Authorized page.

Design proposal

Create a new route in login like GET /login/post-authenticate. All post-login actions (from server-side and client-side) always redirect to this route. The logic handler for this route inspects the RBAC permissions and decides the "best" place to redirect the authenticated user.

I don't think it's feasible to do this with a helper because most of the authentication is actually client-side JavaScript.

/cc @whaught
/assign
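
A sketch of the proposed `GET /login/post-authenticate` handler, added here as an illustration and not taken from the project's code. The permission names, the `lookup` session hook, and every path except `/codes/issue` are assumptions; the redirect target is chosen from a fixed server-side list, so nothing supplied by the client decides where the user lands.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Permission is a bitmask. These names are hypothetical, not the project's.
type Permission uint
const (
	CodeIssue Permission = 1 << iota
	APIKeyRead
	UserRead
)

// Preference order. Only /codes/issue is from the issue; other paths are assumed.
var landingPages = []struct {
	need Permission
	path string
}{{CodeIssue, "/codes/issue"}, {APIKeyRead, "/realm/apikeys"}, {UserRead, "/realm/users"}}

// bestLanding picks from the fixed list above, never from a request parameter.
func bestLanding(p Permission) string {
	for _, l := range landingPages {
		if p&l.need != 0 {
			return l.path
		}
	}
	return "/account" // assumed page that needs no permission
}

// postAuthenticate serves GET /login/post-authenticate; lookup is a hypothetical session hook.
func postAuthenticate(lookup func(*http.Request) (Permission, bool)) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		target := "/" // no valid session: assumed login page
		if perms, ok := lookup(r); ok {
			target = bestLanding(perms)
		}
		http.Redirect(w, r, target, http.StatusSeeOther)
	})
}

// landingFor runs the handler once and returns the Location header.
func landingFor(p Permission, ok bool) string {
	rec := httptest.NewRecorder()
	h := postAuthenticate(func(*http.Request) (Permission, bool) { return p, ok })
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/login/post-authenticate", nil))
	return rec.Header().Get("Location")
}
func main() { fmt.Println(landingFor(APIKeyRead|UserRead, true)) }
```

Because both the server-side and client-side login flows would redirect to this one route, the permission check runs in a single place regardless of how the user authenticated.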