We have a problem here. The “User” component configureRouter() is processed before canActivate/activate(params) callbacks. This means you don’t know the user id when building the routes table in configureRouter(…).
There is a push to dynamically add, remove, modify routes in an Aurelia application in part because that “makes sense”. If we want to have a “admin only” route, check for an admin and create the route, right? However this causes problems and sends people down long rabbit holes.
Instead, I recommend that you always define all of your routes up front. If there’s a route in your application, define it right away. There’s no reason not to. Then, use the AuthorizeStep to enable or disable access to the route based on permissions. Finally, whether using the NavModel or hard coding your routes, use templating bindings like show and if to show and hide controls for a clean and understandable user experience.