feat[auth]: handle new blocked users and trial expiry in token flow#746

Open
braddf wants to merge 1 commit into development from enhance/auth-handling

Conversation

braddf (Collaborator) commented May 28, 2026

Pull Request

Description

Adds proper client-side routing for blocked users and trial-expired users.

Problem: users that are either blocked at login, or whose refresh token returns a 400 Unauthorized response, need to be redirected and shown an appropriate page; likewise trial users whose trials have expired.

Changes:

  • get_token.ts — returns structured JSON errors (access_denied, trial_expired) instead of redirecting. Also checks the trial_ends_at claim from the session on every token fetch, so trial expiry is enforced at the app level rather than relying solely on Auth0 error messages
  • utils.ts — handles the new error types client-side, redirecting to /auth/denied or /expired via Router.push. Sentry captures unexpected JSON parse failures on the token response
  • [...auth0].ts — appends prompt=login when redirecting to login after logout, preventing Auth0 SSO from silently re-authenticating a blocked user before they can enter credentials
  • denied.tsx — branches on error_description content: email verification case gets the existing "Nearly there" flow; everything else (blocked, future revoked scopes) gets a generic "Access denied" screen with a sign-out link
  • expired.tsx — fixes sign-out loop by routing through prompt=login

Helps with https://github.com/openclimatefix/client-private/issues/200

How Has This Been Tested?

Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration.

  • Locally with new dev Auth0 action, logging in with various accounts with different roles and trial statuses.

Checklist:

  • My code follows OCF's coding style guidelines
  • I have performed a self-review of my own code
  • I have made corresponding changes to the documentation
  • I have added tests that prove my fix is effective or that my feature works
  • I have checked my code and corrected any misspellings

vercel Bot commented May 28, 2026

The latest updates on your projects.

Project | Deployment | Actions | Updated (UTC)
nowcasting-app | Ready | Preview, Comment | May 28, 2026 2:18pm

1 Skipped Deployment
Project | Deployment | Actions | Updated (UTC)
quartz-app | Ignored | | May 28, 2026 2:18pm


@braddf braddf self-assigned this May 28, 2026
@braddf braddf requested review from peterdudfield and zakwatts May 28, 2026 14:24
isLoggedIn = true,
combinedData = null
combinedData = null,
children

Contributor

What is children being used for?

Collaborator Author

This just allows us to inject child components into the Header when needed, e.g. for this PR having a Sign Out on the Blocked/Access Denied screen (in case a user logs in with the wrong email address to let them still sign out from that page)

const trialEndsAt = session?.user?.trial_ends_at;
if (trialEndsAt && new Date(trialEndsAt) < new Date()) {
return res.status(403).json({ error: "trial_expired", email: session?.user?.email });
}
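Review bot: the `new Date(trialEndsAt) < new Date()` comparison is false whenever `trialEndsAt` does not parse, because an Invalid Date compares as NaN, so a malformed `trial_ends_at` claim falls through to token issuance instead of the 403. Suggest checking `Number.isNaN(new Date(trialEndsAt).getTime())` first and returning the structured error (or at least reporting it to Sentry) in that case; a short comment that an absent claim deliberately means "not a trial user" would also help, since the truthiness check treats a missing value and an empty string the same way.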

Contributor

Is it possible to write any unit tests for this? Maybe mocking Auth0 is too hard?

Collaborator Author

For unit tests yeah definitely too much, but we could try to add a Cypress test for this actually 👍 I'll add to that issue

zakwatts (Member) commented Jun 5, 2026

Would be useful to notify us if someone who is blocked or trial expired tries to login

zakwatts (Member) commented Jun 5, 2026

Although perhaps that is better done via an Auth0 workflow

braddf (Collaborator, Author) commented Jun 8, 2026

Yeah for sure, let's catch this on the Auth0 side and send a Slack message so it's visible/actionable cross-team 👍
