fix: cannot login to authentication protected view (#10634)

The [Vaadin security helper](https://github.com/vaadin/spring/blob/master/vaadin-spring/src/main/java/com/vaadin/flow/spring/security/VaadinWebSecurityConfigurerAdapter.java) now has a request cache by default, which means that if a user tries to access an authentication protected view, the request will be saved and has it as a `redirectUrl` in the response. The logic in the `login()` helper didn't take this request cache into account.
vaadin · Apr 14, 2021 · c7d6959 · c7d6959
1 parent 2ab1023
commit c7d6959
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 17 deletions.
diff --git a/flow-client/src/main/resources/META-INF/resources/frontend/Authentication.ts b/flow-client/src/main/resources/META-INF/resources/frontend/Authentication.ts
@@ -12,6 +12,9 @@ export interface LoginResult {
 export interface LoginOptions {
   loginProcessingUrl?: string;
   failureUrl?: string;
+  /**
+   * @deprecated The `defaultSuccessUrl` is not used anymore.
+   */
   defaultSuccessUrl?: string;
 }
 
@@ -37,23 +40,22 @@ export async function login(username: string, password: string, options?: LoginO
     const response = await fetch(loginProcessingUrl, { method: 'POST', body: data, headers });
 
     const failureUrl = options && options.failureUrl ? options.failureUrl : '/login?error';
-    const defaultSuccessUrl = options && options.defaultSuccessUrl ? options.defaultSuccessUrl : '/';
     // this assumes the default Spring Security form login configuration (handler URL and responses)
-    if (response.ok && response.redirected && response.url.endsWith(failureUrl)) {
-      result = {
-        error: true,
-        errorTitle: 'Incorrect username or password.',
-        errorMessage: 'Check that you have entered the correct username and password and try again.'
-      };
-    } else if (response.ok && response.redirected && response.url.endsWith(defaultSuccessUrl)) {
-      const vaadinCsrfToken = await updateCsrfTokensBasedOnResponse(response);
-      if (vaadinCsrfToken) {
+    if (response.ok && response.redirected) {
+      if (response.url.endsWith(failureUrl)) {
         result = {
-          error: false,
-          errorTitle: '',
-          errorMessage: '',
-          token: vaadinCsrfToken
+          error: true,
+          errorTitle: 'Incorrect username or password.',
+          errorMessage: 'Check that you have entered the correct username and password and try again.'
         };
+      } else {
+        const vaadinCsrfToken = await updateCsrfTokensBasedOnResponse(response);
+        if (vaadinCsrfToken) {
+          result = {
+            error: false,
+            token: vaadinCsrfToken
+          };
+        }
       }
     }
   } catch (e) {

diff --git a/flow-client/src/test/frontend/AuthenticationTests.ts b/flow-client/src/test/frontend/AuthenticationTests.ts
@@ -71,13 +71,11 @@ describe('Authentication', () => {
     it('should return a CSRF token on valid credentials', async () => {
       fetchMock.post('/login', {
         body: happyCaseResponseText,
-        redirectUrl: '/'
+        redirectUrl: '//localhost:8080/'
       }, { headers });
       const result = await login('valid-username', 'valid-password');
       const expectedResult = {
         error: false,
-        errorTitle: '',
-        errorMessage: '',
         token: vaadinCsrfToken
       };
 
@@ -105,6 +103,39 @@ describe('Authentication', () => {
       expect(fetchMock.calls()).to.have.lengthOf(1);
       expect(result).to.deep.equal(expectedResult);
     })
+
+    it('should return an error when response is missing CSRF token', async () => {
+      fetchMock.post('/login', 'I am mock response without CSRF token', { headers });
+      const result = await login('valid-username', 'valid-password');
+      const expectedResult = {
+        error: true,
+        errorTitle: 'Error',
+        errorMessage: 'Something went wrong when trying to login.'
+      };
+
+      expect(fetchMock.calls()).to.have.lengthOf(1);
+      expect(result).to.deep.equal(expectedResult);
+    })
+
+    it('should redirect based on request cache after login', async () => {
+      // An unthenticated request attempt would be captured by the default
+      // request cache, so after login, it should redirect the user to that 
+      // request
+      fetchMock.post('/login', {
+        body: happyCaseResponseText,
+        // mock the unthenticated attempt, which would be 
+        // saved by the default request cache
+        redirectUrl: '//localhost:8080/protected-view'
+      }, { headers });
+      const result = await login('valid-username', 'valid-password');
+      const expectedResult = {
+        error: false,
+        token: vaadinCsrfToken
+      };
+
+      expect(fetchMock.calls()).to.have.lengthOf(1);
+      expect(result).to.deep.equal(expectedResult);
+    })
   });
 
   describe("logout", () => {