Open apryamostanov opened 4 months ago
I spent 3 days debugging this issue, and in the end I am eliminating usage of Login View custom area. It is anyway incomplete and not useful in its current implementation - not compatible with Spring Security.
I noticed the same issue yesterday by testing an application created with Vaadin CLI (npx @vaadin/cli init login-form --auth
).
To reproduce, start the application and try to log in with the wrong credentials: you'll see two requests (POST + UIDL) before being redirected to login view with error parameter.
This is the UIDL request sent in parallel with the login POST request
{
"csrfToken": "fdfa01a3-7cf3-4bcf-b8d9-a1f906bcb6c0",
"rpc": [
{
"type": "mSync",
"node": 4,
"feature": 1,
"property": "disabled",
"value": true
},
{
"type": "event",
"node": 4,
"event": "login",
"data": {
"event.detail.username": "xxxxx",
"event.detail.password": "xxxxx"
}
}
],
"syncId": 2,
"clientId": 2
}
This is the UIDL request sent in parallel with the login POST request
This request comes from the vaadin-login-overlay
web component and it contains notification about disabled
property set to true
and then the subsequent login
event. So in this regard the web component works as expected.
I couldn't reproduce the original issue with a cancelled request. An example project would be appreciated.
Hi @web-padawan , reg. original issue - let me rephrase it fully. The root cause is that fields in Custom Login Area are not in same Login Form, so events are needed to sync them with backend. These events interfere with POST. My suggestion - it needs to be documented in the Component documentation.
Thank you, now I understand the problem. Yes, this definitely needs to be documented. I will create a PR to docs.
Thank you @web-padawan . I still feel there is an issue as described by @mcollovati : https://github.com/vaadin/flow-components/issues/6098#issuecomment-1980190986 Basically UIDL interferes with form post. Can it be avoided?
My concern is about having the UIDL request even if the form "action" attribute is set. But perhaps this is by design
Description of the bug
In Vaadin 24.2, Custom Form area was added into Login component (https://vaadin.com/docs/latest/components/login#custom-form-area). If I put text area inside it (e.g. OTP field), when I press Login button - focus is changed and sync event is fired resulting in XHR. At same time Login form submit is processed. XHR interferes with login process and cancels resource fetch from service worker. This is not visible locally/on fast connections as XHR is processed fast. But on slower connections it results in failure to login. You can simulate this by enabling throttling in Chrome.
Expected behavior
Login form with TextField in Custom Area should work consistently and there should not be cancelled requests.
Minimal reproducible example
TBD
Versions