-
-
Notifications
You must be signed in to change notification settings - Fork 10.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Need some advice about handling 302 redirects from Ajax #932
Comments
Yes, I have the same issue. It is critical enough to consider alternatives to axios |
Browsers always follow redirects for XHRs or fetch() requests. There is no library that could prevent the redirect. What you need to do on your server-side is distinguish between XHR requests and normal browser navigation requests and send either a 403 w/ JSON and specify the URL you want to redirect to in there or send a 302 if the request is being made by a browser navigation request. You can do this a couple different ways, but I'll list some here assuming you're using Express: Check the
|
@jcready - thanks for the information. In our case, requests flow from Client > Azure Authentication Service > Our app. In the case of an expired session, the response back to the client comes from the Azure Auth service and I'm not controlling that server side config. I guess this is a tradeoff of using a PaaS solution. I think your suggestion would work if our server side app had the Auth layer in it, so we may have to move away from the PaaS solution and implement Auth directly in our app. |
Does this mean the browser will always load the html into memory, but won't always go to that link and display the html? I'm confused because when I get a 302 response from an XHR request, the browser does not go to the redirected link and display the html. |
Sorry to bring up an old issue but @jcready are you positive that axios can't control the redirects? How are other libraries like https://github.com/request/request able to do this? |
@nmaves the request library can only handle redirects when running inside node, not the browser. If you use something like browserify to use the request library inside the browser it will no longer be able to handle/respond to redirects. |
Makes sense thank you ! |
I know this is an old issue, but I wanted to point out that it is possible to handle redirects in the browser when using I'm currently using this in an app to handle redirection when trying to access protected endpoints without an active authenticated session. This example isn't perfect and may not cover every case, but this is what we're doing and it's currently working for us: fetch(url, {
redirect: "manual"
}).then((res) => {
if (res.type === "opaqueredirect") {
// redirect to login page
window.location.href = response.url;
} else {
// handle normally / pass on to next handler
}
}).catch(...); You can read a bit more on MDN: It would be nice if Axios also covered this functionality. |
@parties The problem with
see: https://developer.mozilla.org/en-US/docs/Web/API/Response/type So you have nothing if you want to find out what happened on the server side and where it wants to redirect you. |
Yes, except that the response still has |
@parties the response.url will still be the url you originally requested. See https://fetch.spec.whatwg.org/#atomic-http-redirect-handling for details. |
非常感谢,typeof error.response === 'undefined'很好用。神来之笔!!! |
@se1by You're right, thanks for the call-out. The reason I didn't catch this in my own code was because we are still able to detect and redirect (which is all we need in this application). This is all it's doing: fetch("/api/user", {
redirect: "manual"
}).then((res) => {
if (res.type === "opaqueredirect") {
window.location.href = res.url;
} else {
return res;
}
}).catch(handleFetchError); In our application any protected endpoint can send a redirect back to the client to go to the login page, and all the client needs to do is then navigate to the protected endpoint (this is what I was misunderstanding). I had been assuming that when Which brings us back to the origin of this thread: being able to handle 302 redirects coming from Axios requests. I feel that if the Thoughts? (And thank you all for the activity and responses on the old thread, friends 🙏) |
Summary: If an axios request is sent while user is logged out/not authenticated, res.redirect() doesn't work. Plus, it would redirect to the wrong url i.e. instead of the url of the page that sent the axios request, it would load the url of the request itself. followed solution from axios/axios#932 (comment) to distinguish between axios request and regular browser navigation requests. On the client side, we force reload the page since that will give us the correct login url. question: where is a better location to put `axios.interceptors`?? It sets interceptor for axios globally so it only needs to be run once. I tried putting it in `axiosConfig.js` but that didn't work. Reviewed By: rckclmbr Differential Revision: D18364572 fbshipit-source-id: e5a8e75da7d7fe0e7b7cc036e7286a34661e4b73
Summary: If an axios request is sent while user is logged out/not authenticated, res.redirect() doesn't work. Plus, it would redirect to the wrong url i.e. instead of the url of the page that sent the axios request, it would load the url of the request itself. followed solution from axios/axios#932 (comment) to distinguish between axios request and regular browser navigation requests. On the client side, we force reload the page since that will give us the correct login url. question: where is a better location to put `axios.interceptors`?? It sets interceptor for axios globally so it only needs to be run once. I tried putting it in `axiosConfig.js` but that didn't work. Reviewed By: rckclmbr Differential Revision: D18364572 fbshipit-source-id: e5a8e75da7d7fe0e7b7cc036e7286a34661e4b73
Summary
We have a single page app based on Vue.js which uses Axios to make API calls. When a user's session expires, API calls start returning a 302 redirect to the login page. Since its a single page app, sometimes users may just browse around directly in the app, therefore only making AJAX calls and not reloading the main index.html file.
When this happens, the 302's are basically swallowed and the user is not redirected and the app breaks.
To complicate matters a bit further, the login page is based on a federated login service in Azure, so it's on a different domain. This causes the browser to throw the following CORS error:
I tried to use an interceptor but the error.response object is undefined, so I cannot even tell what the HTTP status of the response was. So the best I can come up with is that when error.response is undefined to assume it was a 302 and assume I need to forward the user to the login page:
Is this the best we can do? Any further suggestions?
Context
The text was updated successfully, but these errors were encountered: