fix: Prevent Vite reload from canceling logout redirect (#23375) (#23391)

When a user logs out and the session is invalidated, the server closes
WebSocket connections with close code 1008 (VIOLATED_POLICY). Vite
detects this disconnection and starts polling for reconnection, then
reloads the page - canceling any server-initiated redirect.

The fix uses a Promise-based synchronization between Vite's HMR events:

1. On vite:ws:connect, we register a close listener and store a Promise
   on the WebSocket that resolves with the close code when triggered.

2. On vite:ws:disconnect, we await this Promise to get the close code.
   Since Vite's notifyListeners awaits our async handler, this creates
   a synchronization point before Vite checks its willUnload flag.

3. When close code is 1008, we dispatch a beforeunload event to set
   Vite's internal willUnload flag, preventing the reload.

This approach works because Vite's close handler does not await the
Promise returned by onMessage/handleMessage, so our async disconnect
handler can complete (setting willUnload) before Vite's willUnload
check runs.

Fixes #20819

Co-authored-by: Marco Collovati <marco@vaadin.com>

Author: vaadin-bot

flow-server/src/main/java/com/vaadin/flow/component/page/Page.java

@@ -472,8 +472,12 @@ public void open(String url) {
      *            the name of the window.
      */
     public void open(String url, String windowName) {
+        // The vaadin-redirect-pending event might be useful to block other
+        // client side
+        // reload/redirection triggered by other components, for example Vite.
         executeJs(
-                "if ($1 == '_self') this.stopApplication(); window.open($0, $1)",
+                "window.dispatchEvent(new CustomEvent('vaadin-redirect-pending', {detail: {url: $0}})); "
+                        + "if ($1 == '_self') this.stopApplication(); window.open($0, $1)",
                 url, windowName);
     }
 

flow-server/src/main/resources/com/vaadin/flow/server/frontend/vite-devmode.ts

@@ -14,14 +14,64 @@ if (import.meta.hot) {
   };
 
   let pendingNavigationTo: string | undefined = undefined;
+  let redirectPending: boolean = false;
 
   window.addEventListener('vaadin-router-go', (routerEvent: any) => {
     pendingNavigationTo = routerEvent.detail.pathname + routerEvent.detail.search;
   });
+
+  // Listen for server-initiated redirects via Page.setLocation()
+  window.addEventListener('vaadin-redirect-pending', () => {
+    redirectPending = true;
+  });
+
+  // Register a close event listener and store a Promise on the WebSocket.
+  // The Promise resolves with the close code when our listener runs.
+  // This allows vite:ws:disconnect to await the close code even though
+  // Vite's close listener runs before ours (due to registration order).
+  hot.on('vite:ws:connect', (payload: any) => {
+    const ws = payload.webSocket;
+
+    // Create Promise with resolver scoped to this closure.
+    // Store on WebSocket so vite:ws:disconnect can access it.
+    (ws as any)._closeCodePromise = new Promise<number>((resolve) => {
+      ws.addEventListener('close', (event: any) => {
+        resolve(event.code);
+      });
+    });
+  });
+
+  // Async handler that waits for the close listener to run.
+  // Vite's close handler calls notifyListeners which awaits this handler.
+  // By awaiting the closeCodePromise, we ensure our close listener has
+  // run and we can check the close code before Vite checks willUnload.
+  hot.on('vite:ws:disconnect', async (payload: any) => {
+    const ws = payload.webSocket;
+    const closeCodePromise = (ws as any)?._closeCodePromise;
+
+    if (closeCodePromise) {
+      const closeCode = await closeCodePromise;
+
+      // Close code 1008 (VIOLATED_POLICY) indicates authenticated HTTP session invalidation
+      // that usually corresponds also to a server-initiated redirect.
+      if (closeCode === 1008) {
+        redirectPending = true;
+        // Dispatch beforeunload to set Vite's internal willUnload flag,
+        // which prevents Vite from reloading the page after reconnecting.
+        window.dispatchEvent(new Event('beforeunload'));
+      }
+    }
+  });
+
   hot.on('vite:beforeFullReload', (payload: any) => {
     if (isLiveReloadDisabled()) {
       preventViteReload(payload);
     }
+    // Prevent reload when a server-initiated redirect is pending
+    if (redirectPending) {
+      preventViteReload(payload);
+      return;
+    }
     if (pendingNavigationTo) {
       // Force reload with the new URL
       location.href = pendingNavigationTo;

flow-server/src/test/java/com/vaadin/flow/component/page/PageTest.java

@@ -297,8 +297,60 @@ public PendingJavaScriptResult executeJs(String expression,
         // self check
         Assert.assertEquals("_self", params.get(1));
 
-        MatcherAssert.assertThat(capture.get(), CoreMatchers
-                .startsWith("if ($1 == '_self') this.stopApplication();"));
+        MatcherAssert.assertThat(capture.get(),
+                CoreMatchers.containsString("this.stopApplication();"));
+    }
+
+    @Test
+    public void setLocation_dispatchesRedirectPendingEvent() {
+        AtomicReference<String> capture = new AtomicReference<>();
+        List<Object> params = new ArrayList<>();
+        Page page = new Page(new MockUI()) {
+            @Override
+            public PendingJavaScriptResult executeJs(String expression,
+                    Object... parameters) {
+                capture.set(expression);
+                params.addAll(Arrays.asList(parameters));
+                return Mockito.mock(PendingJavaScriptResult.class);
+            }
+        };
+
+        page.setLocation("/logout-landing");
+
+        String expression = capture.get();
+        Assert.assertTrue("Should dispatch vaadin-redirect-pending event",
+                expression.contains("vaadin-redirect-pending"));
+        Assert.assertTrue("Should call window.open",
+                expression.contains("window.open"));
+        Assert.assertEquals("URL parameter should be passed", "/logout-landing",
+                params.get(0));
+    }
+
+    @Test
+    public void open_dispatchesRedirectPendingEventBeforeRedirect() {
+        AtomicReference<String> capture = new AtomicReference<>();
+        Page page = new Page(new MockUI()) {
+            @Override
+            public PendingJavaScriptResult executeJs(String expression,
+                    Object... parameters) {
+                capture.set(expression);
+                return Mockito.mock(PendingJavaScriptResult.class);
+            }
+        };
+
+        page.open("https://example.com", "_blank");
+
+        String expression = capture.get();
+        // Verify event dispatch comes before window.open
+        int eventDispatchIndex = expression.indexOf("vaadin-redirect-pending");
+        int windowOpenIndex = expression.indexOf("window.open");
+        Assert.assertTrue("Event dispatch should be present",
+                eventDispatchIndex >= 0);
+        Assert.assertTrue("window.open should be present",
+                windowOpenIndex >= 0);
+        Assert.assertTrue(
+                "Event dispatch should come before window.open in the script",
+                eventDispatchIndex < windowOpenIndex);
     }
 
     @Test

flow-tests/test-dev-mode/src/main/java/com/vaadin/flow/uitest/ui/vitelogout/CloseViteWebsocketOnSessionExpiration.java

@@ -0,0 +1,57 @@
+/*
+ * Copyright 2000-2026 Vaadin Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package com.vaadin.flow.uitest.ui.vitelogout;
+
+import jakarta.servlet.ServletContextEvent;
+import jakarta.servlet.ServletContextListener;
+import jakarta.servlet.annotation.WebListener;
+import jakarta.servlet.http.HttpSessionEvent;
+import jakarta.servlet.http.HttpSessionListener;
+
+import com.vaadin.base.devserver.viteproxy.ViteSessionTracker;
+
+/**
+ * Replicates Tomcat's behavior of closing WebSocket connections when an
+ * authenticated HTTP session is invalidated. Jetty doesn't do this by default,
+ * so this listener is needed to properly test the logout redirect fix in the
+ * test environment.
+ * <p>
+ * Implements both ServletContextListener (to initialize the ViteSessionTracker)
+ * and HttpSessionListener (to notify tracker when sessions are destroyed).
+ */
+@WebListener
+public class CloseViteWebsocketOnSessionExpiration
+        implements HttpSessionListener, ServletContextListener {
+
+    private ViteSessionTracker tracker;
+
+    @Override
+    public void contextInitialized(ServletContextEvent sce) {
+        tracker = new ViteSessionTracker();
+        sce.getServletContext().setAttribute(ViteSessionTracker.class.getName(),
+                tracker);
+    }
+
+    @Override
+    public void sessionDestroyed(HttpSessionEvent se) {
+        if (tracker != null) {
+            // Simulate Tomcat behavior
+            // Close code 1008 is VIOLATED_POLICY per WebSocket RFC
+            tracker.close(se.getSession().getId(), 1008,
+                    "This connection was established under an authenticated HTTP session that has ended");
+        }
+    }
+}

flow-tests/test-dev-mode/src/main/java/com/vaadin/flow/uitest/ui/vitelogout/LoginView.java

@@ -0,0 +1,45 @@
+/*
+ * Copyright 2000-2026 Vaadin Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package com.vaadin.flow.uitest.ui.vitelogout;
+
+import com.vaadin.flow.component.html.Div;
+import com.vaadin.flow.component.html.NativeButton;
+import com.vaadin.flow.dom.Element;
+import com.vaadin.flow.router.Route;
+
+/**
+ * Login view for testing Vite logout redirect behavior.
+ * <p>
+ * Contains a native HTML form that posts to the login route, which is
+ * intercepted by {@link MockAuthenticationFilter}.
+ */
+@Route("com.vaadin.flow.uitest.ui.vitelogout.LoginView")
+public class LoginView extends Div {
+
+    public LoginView() {
+        Element form = new Element("form");
+        form.setAttribute("action",
+                "/view/com.vaadin.flow.uitest.ui.vitelogout.LoginView");
+        form.setAttribute("method", "POST");
+
+        NativeButton submit = new NativeButton("Login");
+        submit.setId("login-button");
+        submit.getElement().setAttribute("type", "submit");
+
+        getElement().appendChild(form);
+        form.appendChild(submit.getElement());
+    }
+}

flow-tests/test-dev-mode/src/main/java/com/vaadin/flow/uitest/ui/vitelogout/LogoutTestView.java

@@ -0,0 +1,48 @@
+/*
+ * Copyright 2000-2026 Vaadin Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package com.vaadin.flow.uitest.ui.vitelogout;
+
+import com.vaadin.flow.component.UI;
+import com.vaadin.flow.component.html.Div;
+import com.vaadin.flow.component.html.NativeButton;
+import com.vaadin.flow.component.html.Span;
+import com.vaadin.flow.router.Route;
+import com.vaadin.flow.server.VaadinSession;
+
+/**
+ * View for testing Vite logout redirect behavior.
+ * <p>
+ * Contains a logout button that sets the location to the session-ended route
+ * and invalidates the session. The test verifies that Vite's page reload
+ * doesn't cancel the server-initiated redirect when the session is invalidated.
+ */
+@Route("com.vaadin.flow.uitest.ui.vitelogout.LogoutTestView")
+public class LogoutTestView extends Div {
+
+    public LogoutTestView() {
+        Span marker = new Span("Logout Test View");
+        marker.setId("logout-test-marker");
+
+        NativeButton logoutButton = new NativeButton("Logout", e -> {
+            UI.getCurrent().getPage().setLocation(
+                    "/view/com.vaadin.flow.uitest.ui.vitelogout.SessionEndedView");
+            VaadinSession.getCurrent().getSession().invalidate();
+        });
+        logoutButton.setId("logout-button");
+
+        add(marker, logoutButton);
+    }
+}

flow-tests/test-dev-mode/src/main/java/com/vaadin/flow/uitest/ui/vitelogout/MockAuthenticationFilter.java

@@ -0,0 +1,81 @@
+/*
+ * Copyright 2000-2026 Vaadin Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package com.vaadin.flow.uitest.ui.vitelogout;
+
+import jakarta.servlet.Filter;
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.ServletRequest;
+import jakarta.servlet.ServletResponse;
+import jakarta.servlet.annotation.WebFilter;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletRequestWrapper;
+import jakarta.servlet.http.HttpServletResponse;
+import jakarta.servlet.http.HttpSession;
+
+import java.io.IOException;
+import java.security.Principal;
+
+/**
+ * Mock authentication filter for testing Vite logout redirect behavior.
+ * <p>
+ * Intercepts login POST requests, sets an authenticated session attribute, and
+ * wraps subsequent requests with a principal when authenticated.
+ */
+@WebFilter(urlPatterns = { "/view/*" })
+public class MockAuthenticationFilter implements Filter {
+
+    public static final String AUTHENTICATED_ATTR = "mock.authenticated";
+
+    @Override
+    public void doFilter(ServletRequest request, ServletResponse response,
+            FilterChain chain) throws IOException, ServletException {
+        HttpServletRequest httpRequest = (HttpServletRequest) request;
+        HttpServletResponse httpResponse = (HttpServletResponse) response;
+        HttpSession session = httpRequest.getSession();
+        String path = httpRequest.getRequestURI();
+
+        // On POST to login route, mark as authenticated and redirect
+        if (path.endsWith(".LoginView")
+                && "POST".equals(httpRequest.getMethod())) {
+            session.setAttribute(AUTHENTICATED_ATTR, true);
+            httpResponse.sendRedirect(
+                    "/view/com.vaadin.flow.uitest.ui.vitelogout.LogoutTestView");
+            return;
+        }
+
+        // If authenticated, wrap request with principal
+        if (Boolean.TRUE.equals(session.getAttribute(AUTHENTICATED_ATTR))) {
+            chain.doFilter(new AuthenticatedRequestWrapper(httpRequest),
+                    response);
+        } else {
+            chain.doFilter(request, response);
+        }
+    }
+
+    private static class AuthenticatedRequestWrapper
+            extends HttpServletRequestWrapper {
+
+        AuthenticatedRequestWrapper(HttpServletRequest request) {
+            super(request);
+        }
+
+        @Override
+        public Principal getUserPrincipal() {
+            return () -> "testuser";
+        }
+    }
+}