SAP / spartacus

Spartacus is a lean, Angular-based JavaScript storefront for SAP Commerce Cloud that communicates exclusively through the Commerce REST API.
Apache License 2.0

Login Session is not base site specific when using CDC #18031

Open janwidmer opened 11 months ago

janwidmer commented 11 months ago

Describe the bug: When the user is logging in, the call to the authorization server (or to CDC in case CDC is used) is made. After that call, the received token is written to the local storage entry spartacus⚿⚿auth and to a BehaviorSubject stored in the application.

For our customer, we have the case that a different base site with separated users is running on a sub path of the domain:

  - https://www.example.com => base site B2C
  - https://www.example.com/b2b => base site B2B

With the current version of Spartacus, the following problem occurs:

  1. User A logs into the B2C site on https://www.example.com
  2. User A switches to the B2B site on https://www.example.com/b2b (full reload)
  3. Spartacus starts and syncs the local storage via authStatePersistencyService
  4. Spartacus finds an existing auth token and thinks the user is already logged in
  5. NO call to the authorization server is made, because Spartacus thinks the user is already logged in.
  6. The B2C user is therefore (visually) logged in, even though the user does not exist in the B2B base site's customers

Tell us the version of Spartacus

To Reproduce: Steps to reproduce the behavior:

  1. Set up a Spartacus instance with two base sites according to the above description
  2. Follow the above steps

Expected behavior: The local storage entry is scoped to the active base site (same as it is done for the local storage cart entry), or the local storage entry can be configured via config to be able to set it via a dynamic config initializer

Desktop (please complete the following information):

Smartphone (please complete the following information):
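The report above describes the token being persisted under a single local storage key regardless of which base site was active, and proposes scoping that entry to the base site as the cart entry already is. The following TypeScript is an added illustration of that proposal and is not Spartacus code: the `MemoryStorage` class, the key format `spartacus⚿⚿auth⚿⚿<baseSite>`, the `PersistedAuth` shape and the `persist*`/`restore*` helpers are all assumptions made for this example. The "unscoped" pair reproduces the restore-from-any-site behaviour described in steps 3 to 5; the "scoped" pair refuses a token that was issued for another base site or has expired, so startup falls back to an anonymous session and a real call to the authorization server.

```typescript
// Added example (not Spartacus code): base-site-scoped persistence of the
// auth token. All names here are assumptions made for this illustration.

interface AuthToken {
  access_token: string;
  expires_at: number; // epoch milliseconds
}

interface PersistedAuth {
  baseSite: string; // base site that was active when the token was issued
  token: AuthToken;
}

// Subset of the Web Storage API so the example runs outside a browser.
interface KeyValueStorage {
  getItem(key: string): string | null;
  setItem(key: string, value: string): void;
  removeItem(key: string): void;
}

class MemoryStorage implements KeyValueStorage {
  private items = new Map<string, string>();
  getItem(key: string): string | null { return this.items.get(key) ?? null; }
  setItem(key: string, value: string): void { this.items.set(key, value); }
  removeItem(key: string): void { this.items.delete(key); }
}

// The unscoped key named in the report.
const UNSCOPED_AUTH_KEY = 'spartacus⚿⚿auth';

// Assumed scoped key, mirroring the report's suggestion to do as the cart entry does.
function scopedAuthKey(baseSite: string): string {
  return `${UNSCOPED_AUTH_KEY}⚿⚿${baseSite}`;
}

// "Before": the token is stored and restored with no regard to the base site,
// so a B2C token is picked up when the B2B site starts (steps 3 to 5 above).
function persistUnscoped(storage: KeyValueStorage, token: AuthToken): void {
  storage.setItem(UNSCOPED_AUTH_KEY, JSON.stringify(token));
}

function restoreUnscoped(storage: KeyValueStorage): AuthToken | null {
  const raw = storage.getItem(UNSCOPED_AUTH_KEY);
  return raw ? (JSON.parse(raw) as AuthToken) : null;
}

// "After": the key is scoped to the base site and the value records which
// base site it belongs to, so restore only succeeds for the same site.
function persistScoped(storage: KeyValueStorage, baseSite: string, token: AuthToken): void {
  const entry: PersistedAuth = { baseSite, token };
  storage.setItem(scopedAuthKey(baseSite), JSON.stringify(entry));
}

function restoreScoped(
  storage: KeyValueStorage,
  activeBaseSite: string,
  now: number = Date.now(),
): AuthToken | null {
  const key = scopedAuthKey(activeBaseSite);
  const raw = storage.getItem(key);
  if (!raw) return null;
  let entry: PersistedAuth;
  try {
    entry = JSON.parse(raw) as PersistedAuth;
  } catch {
    storage.removeItem(key); // corrupt entry: drop it and start anonymous
    return null;
  }
  // Defence in depth: even under the scoped key, refuse an entry written for
  // another base site, and refuse an expired token.
  if (entry.baseSite !== activeBaseSite || entry.token.expires_at <= now) {
    storage.removeItem(key);
    return null;
  }
  return entry.token;
}
```

Storing the base site inside the value as well as in the key means a stray or hand-edited entry under the wrong key is still rejected, and an expired token is cleared rather than treated as a live session.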

Platonn commented 11 months ago

SAP Commerce already has an optional feature for isolating users between different basesites. You need to enable this feature in the backend for a certain CMS basesite when creating it. See docs: https://help.sap.com/docs/SAP_COMMERCE_CLOUD_PUBLIC_CLOUD/20125f0eca6340dba918bda360e3cdfa/9f2c404f118c439087cc0e1d88e16712.html?q=isolation

Then CMS /basesites returns isolated:true for a certain basesite and then Spartacus' AuthMultisiteIsolationService kicks in.

Platonn commented 11 months ago

Closing, as not-an-issue. But please let me know in case I missed something and you believe there still exists an issue.

janwidmer commented 11 months ago

@Platonn are you sure this also works with CDC as login provider? Because from what I can see, the call to CDC for login is made without any addition to the user id. And from the code, I don't see a place where the AuthMultisiteIsolationService is used from within CDC code.

We are NOT using the default Spartacus login / registration forms, as they were not implemented for use with CDC when we did the initial project.

Platonn commented 11 months ago

Thank you for helping me understand that the problem is with User Isolation + CDC. Reopening.

janwidmer commented 11 months ago

Thanks. I renamed the ticket to make it more clear.