http interception promise resolves when calling controller.halt()

[kobelb]

When calling halt on an instance of the HttpInterceptController, the promise that is returned from the http.fetch resolves. This is potentially problematic for security's usage of http interception, because we wish to intercept specific 401s and redirect the user to the logout page. The old approach used Promise.halt() to accomplish this, which I thought HttpInterceptController's halt was supposed to do as well.

[elasticmachine]

Pinging @elastic/kibana-platform

[kobelb]

/cc @eliperelman

[eliperelman]

@kobelb would you happen to have any patch for this as well? We have a test for this, but I would like to find out why this isn't being caught.

kibana/src/core/public/http/http_service.test.ts

Line 372 in 142897f

await expect(http.fetch('/my/wat')).rejects.toThrow(/HTTP Intercept Halt/);

[kobelb]

The promise that is returned by http.fetch('/my/way') should never be resolving or rejecting in this situation if controller.halt() did the equivalent of Promise.halt():

kibana/src/core/public/http/http_service.test.ts

Line 372 in 142897f

await expect(http.fetch('/my/wat')).rejects.toThrow(/HTTP Intercept Halt/);

[eliperelman]

I'm confused by your statement. This should be rejecting, correct?

[kobelb]

I'm confused by your statement. This should be rejecting, correct?

Unfortunately, no... We don't want the promise to reject, we just want it to "stall out". We're changing window.location.href to the logout page, and then we don't want any subsequent handlers or the caller to be able to do anything else. Otherwise, there's a chance based on the timing of things in the browser that a subsequent statement could be run while we're waiting on the redirect.

We're essentially trying to emulate the following within the context of a http interceptor:

kibana/x-pack/legacy/plugins/security/public/services/auto_logout.js

Lines 14 to 15 in 142897f

	$window.location.href = chrome.addBasePath(`/logout?next=${encodeURIComponent(next)}&msg=SESSION_EXPIRED`);
	return Promise.halt();

Promise.halt is our own "angular service" which just never resolves or rejects:

kibana/src/legacy/ui/public/promises/promises.js

Lines 84 to 89 in 142897f

	Promise.halt = _.once(function () {
	const promise = new Promise(() => {});
	promise.then = _.constant(promise);
	promise.catch = _.constant(promise);
	return promise;
	});