Altinn / app-frontend-react

Altinn application React frontend
BSD 3-Clause "New" or "Revised" License

New instance is created when unauthenticated user accesses instance via direct link #801

Open acn-sbuad opened 3 years ago

acn-sbuad commented 3 years ago

Describe the bug

If a user bookmarks an instance, and goes directly to this link to work on the form without being logged in, a new instance is created, rather than the user having to authenticate themselves and then being returned to the existing instance.

To Reproduce

Steps to reproduce the behavior:

  1. Go to https://ttd.apps.tt02.altinn.no/ttd/apps-test
  2. Log on and start filling out form
  3. Save url
  4. Log out of altinn
  5. Access url directly
  6. Log on with same test user
  7. See error

Expected behavior

User has to log in and is then redirected to the initial instance.

Analysis

When pasting direct url in browser, e.g. http://altinn3local.no/ttd/apps-test/#/instance/512345/3b11f912-1a00-478e-bf77-df4ae6f615f2

The request found in the network log is: http://altinn3local.no/ttd/apps-test/

We need to reconsider the route to the endpoint that returns the frontend view. Changing # for display or another string fixes the problem, so we need a character that is forwarded by the browser to the server. # is not a valid character.

Alternatively, browser-routes could be used by app frontend instead.

Note that the redirect url in backend should be defined as

    string goToUrl = HttpUtility.UrlEncode($"{scheme}://{Request.Host}{Request.Path}");

Including query parameters could also be considered here.

Browser router instead of hash-router

The issue has come from the fact that we use hash-router as the routing tool in our SPA. An option here would instead be to use browser-router which actually uses the HTML5 history API (pushState, replaceState and the popstate event) to keep your UI in sync with the URL. This would solve the issue of having the full url in backend when doing the redirect.

Some questions that do arise:

Tasks

acn-sbuad commented 3 years ago

Analysis shows that this cannot be solved by a change in backend alone. Adding the frontend label

TheTechArch commented 3 years ago

My suggested solution

  1. Disable authentication on backend for home controller
  2. See if current frontend code already will work (perform redirects for authentication)
  3. Update frontend to redirect user for authentication

FinnurO commented 2 years ago

Related to https://github.com/Altinn/app-frontend-react/issues/344
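
The behaviour described in the analysis and the frontend-redirect suggestion above, as an added example that is not part of the original thread or of the Altinn code base: the server never receives the `#/instance/...` fragment, while the frontend can read it and carry it through the login redirect. The login endpoint `https://login.example/authentication`, the `goTo` parameter name and the same-origin check on return are assumptions made for illustration.

```javascript
// Added example; LOGIN_URL and the "goTo" parameter name are hypothetical.
const LOGIN_URL = "https://login.example/authentication";

// What the server receives: browsers strip the fragment before sending a request.
function requestTargetSentToServer(href) {
  const u = new URL(href);
  return u.origin + u.pathname + u.search;
}

// Backend view: a return URL rebuilt from the request has lost the instance id.
function serverSideGoTo(href) {
  return encodeURIComponent(requestTargetSentToServer(href));
}

// Frontend view: the SPA sees the full location, fragment included.
function clientSideLoginRedirect(href) {
  const login = new URL(LOGIN_URL);
  login.searchParams.set("goTo", href); // percent-encodes '#' as %23
  return login.toString();
}

// After login: follow goTo only if it stays on the app's own origin,
// so the parameter cannot be used to send users to another site.
function resolveReturnUrl(loginRedirect, appOrigin) {
  const goTo = new URL(loginRedirect).searchParams.get("goTo");
  if (goTo === null) return null;
  let target;
  try {
    target = new URL(goTo);
  } catch {
    return null; // not an absolute URL
  }
  return target.origin === appOrigin ? target.toString() : null;
}

// Constructed sample: the bookmarked URL quoted in the analysis.
const bookmarked =
  "http://altinn3local.no/ttd/apps-test/#/instance/512345/3b11f912-1a00-478e-bf77-df4ae6f615f2";

console.log("server sees :", requestTargetSentToServer(bookmarked));
console.log("login link  :", clientSideLoginRedirect(bookmarked));
console.log("return to   :",
  resolveReturnUrl(clientSideLoginRedirect(bookmarked), "http://altinn3local.no"));
```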