gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 14:11:31 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(web): Hotfix #19 — AuthProvider 401 unconditional redirect (GitHub #13)

Browse Source 
Refresh-after-login wiped the in-memory apiKey and the next API
call returned a bare 401 (no WWW-Authenticate header). The
pre-Hotfix-19 401 handler in AuthProvider only redirected when
cause was a non-'invalid_token' OIDC session-expiry category;
bare 401s fell through to an in-place AuthGate state flip that
unmounted BrowserRouter under an in-flight <Link>, triggering a
react-router-dom invariant that surfaced via ErrorBoundary as
"Something went wrong."

Fix: always hard-navigate to /login on 401 regardless of cause.
Preserve cause-aware UX by forwarding cause to /login?session_expired=
only when present; emit plain /login redirect for bare 401s.

Closes #13.
This commit is contained in:
shankar0123
2026-05-15 17:31:47 +00:00
parent 5a1dbce6d5
commit 67dbd18fda
3 changed files with 170 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
CHANGELOG.md
+23
View File
@@ -46,6 +46,29 @@
manually. Production deploys: this guard is irrelevant
(`CERTCTL_DEMO_MODE_ACK` should not be set in production).
### Fixed
- **GitHub #13 / Hotfix #19 — GUI "Something went wrong" after browser
refresh on a real (non-demo) install.** Refresh-after-login wipes the
in-memory `apiKey` (deliberate — the GUI never persists it to
localStorage as a security posture). The next API call returns a
bare 401 with no `WWW-Authenticate` header. Pre-Hotfix-19 the
AuthProvider 401 handler only hard-navigated to `/login` when `cause`
was a recognised OIDC session-expiry category (`idle_timeout` /
`absolute_timeout` / `back_channel_revoked`); bare 401s
(`cause === ''`) and `invalid_token` causes fell through to an
in-place `AuthGate` state flip that unmounted `BrowserRouter` under
an in-flight `<Link>`, triggering a `react-router-dom` invariant
that surfaced via `ErrorBoundary` as the "Something went wrong"
screen. **Fix:** every 401 now hard-navigates to `/login` regardless
of cause; the cause-aware UX is preserved by forwarding
`?session_expired=<cause>` only when cause is non-empty (bare 401s
redirect to plain `/login`). Three-line change in
`web/src/components/AuthProvider.tsx`; 4 regression tests added to
`AuthProvider.test.tsx` (empty cause from `/targets`, `invalid_token`
cause, `idle_timeout` cause, already-on-`/login` no-op guard).
Closes #13.
### Security
- **Alg-downgrade defense relaxed for Keycloak-shape IdPs (v2.1.0 pre-tag fix).**