ViewConfig has no effect for authentication properties

[mshabarov]

Describe the bug

Suppose I want to protect my Hilla views with loginRequired and rolesAllowed using ViewConfig API:

export const config: ViewConfig = {
    loginRequired: true
};

and

export const config: ViewConfig = {
    loginRequired: true,
    rolesAllowed: ['ROLE_USER'],
};

and setting the following routes in routes.tsx:

let routing = protectRoutes([
    {
        element: <Layout />,
        handle: { title: 'Main' },
        children: [
            { path: '/', element: <Public />, handle: { title: 'Public' } },
            { path: '/about', element: <About />, handle: { title: 'Welcome' } },
            { path: '/hilla', element: <Hilla />, handle: { title: 'Hilla' } }
        ],
    },
    { path: '/login', element: <Login />, handle: { title: 'Login' } }
]) as RouteObject[];

This has no effect unfortunately: if I log in under another user with another role, the view is accessible, and if I change to loginRequired: false, Hilla redirects me to /login.

If I remove ViewConfig from Hilla views, the behaviour is the same: the application just requires me to login.

Expected-behavior

Hilla should take role into account and not require me to log in if I set loginRequired: false.

Reproduction

Can be reproduced with the branch vaadin/flow-hilla-hybrid-example#30.

System Info

Vaadin 24.4.0.alpha17.

[Legioth]

export const config is a feature of the FS router. If you don't use it but instead configure routes manually, then you should put access control in handle in the route configuration rather than in export const config

[mshabarov]

I noticed it when I tested #2250, where FS router is used.
But yeah, good to know that it's not applicable for manual routes.

[platosha]

Closing as won't fix. ViewConfig by design does not apply to manually declared routes.