Open codingllama opened 5 months ago
As @avatus put it, in much fewer words:
It's probably the same, but we should also consider what happens with distinct users for the same cluster.
Launching a deep link waits until the frontend app is ready:
Currently the readiness is signaled after WorkspacesService.prototype.restorePersistedState
resolves, which includes a call to restore the previous workspace. This is what triggers the login modal for the previous cluster and waits until that modal is closed.
The solution would be to:
this.setActiveWorkspace
out of WorkspacesService.prototype.restorePersistedState
into showStartupModalsAndNotifications
. (restorePersistedState
is called only once in the app).restorePersistedState
but before setActiveWorkspace
.
isInitialized
of WorkspacesService
should be set to true after restorePersistedState
but before setActiveWorkspace
. This affects VNet only though, not deep links. setActiveWorkspace
accept a signal.WindowsManagerIpc.SignalUserInterfaceReadiness
should return an AbortController
that aborts the signal passed to setActiveWorkspace
in showStartupModalsAndNotifications
.WindowsManager.prototype.launchDeepLink
should pass the abort controller to DeepLinksService.prototype.launchDeepLink
in the render process.
loginAndSetActiveWorkspace
. That method should abort the abort controller and show the modal for the right workspace. We cannot always abort the controller, because in the future there might be deep links that are not related to a particular workspace.Instead of passing an abort controller back and forth between processes through WindowsManagerIpc.SignalUserInterfaceReadiness
, perhaps we can create a single abort controller in AppContext
(called, idk, restoreWorkspaceAbortController
) and then pass it to both DeepLinksService
and showStartupModalsAndNotifications
.
It's probably the same, but we should also consider what happens with distinct users for the same cluster.
I believe https://github.com/gravitational/teleport/issues/45714 is now tracking this.
This issue is within the context of device trust web. A small explanation: when doing device trust web, the Web UI attempts to open a teleport:// URL. That URL has most of the information required to start a login, namely the username and the proxy address.
Let's say Connect has an expired session for "cluster1", but doesn't know about "cluster2". We are running device web authentication against "cluster2", thus opening Connect via the corresponding "teleport://" URL.
Expected behavior:
Connect is expected to ignore the expired session for "cluster1" and attempt to login directly to "cluster2", as informed by the teleport:// URL.
Current behavior:
Connect attempts to re-connect to the expired session for "cluster1" first. After that is completed or canceled, then it shows the popup to authenticate for "cluster2".
To repro, do the following:
rm -fr ~/Library/Application\ Support/Teleport\ Connect/tsh/keys/cluster1/
)open 'teleport://alpaca@cluster2:443/authenticate_web_device?id=4fbab9eb-568e-437b-ab89-ca45b843e8aa&token=YqkvcRfkZPsRHg4qiFz9UayN1zMJ97kcTwjjpiABEBQ'
)Connect opens and immediately attempts to connect to "cluster1" (zarq in the screenshot):
After canceled (ESC), it shows the popup to connect to "cluster2":
Bug details: