vaadin / hilla

Build better business applications, faster. No more juggling REST endpoints or deciphering GraphQL queries. Hilla seamlessly connects Spring Boot and React to accelerate application development.
https://hilla.dev
Apache License 2.0

Security context of push connection not updated after login #2063

Open peholmst opened 5 months ago

peholmst commented 5 months ago

Describe the bug

When push is enabled, the push connection is established when you enter the first view of the application. If the application requires authentication, this view is the login view. This means that the security context of the push connection is the anonymous user. After logging in, the security context of the HTTP connection(s) changes, but the push connection is still anonymous. This in turn means that if you try to subscribe to any protected Flux endpoints, you will get a 401 until you reload the browser.

You can work around this by using window.location= instead of navigate after a successful login.

Expected behavior

The security context of the push connection should be updated accordingly after a successful login.

Reproduction

Example project: https://github.com/peholmst-sandbox/hilla-push-connection-security-bug

How to run:

  1. Start the application
  2. Log in using username user and password user
  3. You should now be in the HelloWorldView. Check the console, there should be an error message there.
  4. Reload the page
  5. Check the console again. You should now see the strings "Hello", "World", "from", "Flux!" and no error.

How to reproduce from scratch:

  1. Create a new Hilla project with authentication (npx @hilla/cli init --auth hilla-with-auth)
  2. Add a method to a @BrowserCallable service that returns a Flux (it could produce strings, for instance)
  3. Annotate this method with @RolesAllowed("USER")
  4. Enable push by adding the @Push annotation to Application
  5. Subscribe to the Flux endpoint in a React view (for example HelloWorldView) and just log the output to the console
  6. See the instructions for running the example project

System Info

Hilla 2.5.6, macOS 14.3.1, Chrome 121.0.6167.160
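The backend half of the "reproduce from scratch" steps above, written out as an added example (not code from the issue or the linked reproduction project). It assumes Hilla 2.x package names (dev.hilla, matching the reported 2.5.6) and made-up class and package names; Flux subscribers that are still anonymous on the push connection receive the 401 described in the report until the page is reloaded.

```java
// Application.java (constructed example; package and class names are assumptions)
package com.example.application;

import com.vaadin.flow.component.page.AppShellConfigurator;
import com.vaadin.flow.component.page.Push;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

// Step 4: @Push on the AppShellConfigurator class enables the push
// connection that Flux endpoints are streamed over. That connection is
// opened on the first view (the login view), so it carries the anonymous
// security context until the browser reloads.
@Push
@SpringBootApplication
public class Application implements AppShellConfigurator {
    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }
}

// HelloFluxService.java (constructed example; Hilla 2.x uses the dev.hilla package)
package com.example.application.services;

import dev.hilla.BrowserCallable;
import jakarta.annotation.security.RolesAllowed;
import reactor.core.publisher.Flux;

// Step 2: a @BrowserCallable service exposes this method to the React client.
@BrowserCallable
public class HelloFluxService {

    // Step 3: only authenticated users with the USER role may subscribe.
    // Over a push connection that is still anonymous, the subscription is
    // rejected with 401 even though the HTTP session is already logged in.
    @RolesAllowed("USER")
    public Flux<String> getStrings() {
        // Matches the four strings the reproduction steps expect in the console.
        return Flux.just("Hello", "World", "from", "Flux!");
    }
}
```

On the client, subscribing to HelloFluxService.getStrings() right after a navigate()-based login shows the 401, while a full page load (the window.location workaround from the report) reopens the push connection with the authenticated context.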

Legioth commented 5 months ago

I suggest we fix this by changing examples to reload the page after logging in.

The reason for this is that it's not uncommon that you also want to change other things in the application when logging in, e.g. to show additional entries in the application's main menu. It's probably not worthwhile to implement all those things in a reactive way only because of the login case, so it's probably better to just reload the page.

We might still want to fix the push connection so that its security context is updated when the authentication status changes, but I see that as a lower priority than the easy fix of suggesting to reload the page after logging in.