Describe the bug
A bug where the token is created while the user is anonymous was exposed and observed while resolving https://github.com/TAMULib/Weaver-UI-Core/issues/217.
A valid token gets generated.
Something went wrong with the process and the authentication fails.
An error gets stuck on the screen no matter how many page refreshes so long as the token cookie exists and the user is anonymous (has ROLE_ANONYMOUS).
The immediately implemented solution has been to delete the token on login problems.
This is either a bug such that the error message is being displayed and should not when a token is created. In this case the functionality for keeping the token for anonymous users should be removed.
Or this is an incomplete feature that needs to be completed. If this is an incomplete feature, then the solution linked above would also need to be removed. The feature should ensure that an error message does not appear when a user with ROLE_ANONYMOUS has a token. Additional work is necessary with regard to when authentication doesn't fully complete but a token exists. In this case a token is probably invalid. This needs consideration.
Treating this as a bug and not maintaining the token might be the simplest and shortest route to resolution of this issue.
This might need to be solved in or require changes in weaver-webservice-core.

To Reproduce
Steps to reproduce the behavior:
Set AUTH_SERVICE_URL=https://labs.library.tamu.edu/authfix on a project, such as SAGE.
Start Docker.
Attempt to log in.
See error.

Expected behavior
No error appears and:
There is no token for the anonymous user (when treating this as a bugfix).
There is a token for the anonymous user on non-authentication (when treating this as a feature) (How does one get an anonymous token without logging in?).
There is no token for the anonymous user on authentication failure (when treating this as a feature) (Does it make sense to have a token when a login attempt fails?).

Additional context
See: https://github.com/TAMULib/SAGE/blob/main/src/main/java/edu/tamu/sage/auth/service/AppUserCredentialsService.java#L17