Open peholmst opened 5 months ago
I suggest we fix this by changing examples to reload the page after logging in.
The reason for this is that it's not uncommon that you also want to change other things in the application when logging in, e.g. to show additional entries in the application's main menu. It's probably not worthwhile to implement all those things in a reactive way only because of the login case so it's probably better to just reload the page.
We might still want to fix the push connection so that its security context is updated when the authentication status changes but I see that as a lower priority than the easy fix of suggesting to reload the page after logging in.
Describe the bug
When push is enabled, the push connection is established when you enter the first view of the application. If the application requires authentication, this view is the login view. This means that the security context of the push connection is the anonymous user. After logging in, the security context of the HTTP connection(s) changes, but the push connection is still anonymous. This in turn means that if you try to subscribe to any protected Flux endpoints, you will get a 401 until you reload the browser.
You can work around this by using window.location= instead of navigate after a successful login.
Expected-behavior
The security context of the push connection should be updated accordingly after a successful login.
Reproduction
Example project: https://github.com/peholmst-sandbox/hilla-push-connection-security-bug
How to run:
user and password user
HelloWorldView. Check the console, there should be an error message there.
How to reproduce from scratch:
npx @hilla/cli init --auth hilla-with-auth)
@BrowserCallable service that returns a Flux (it could produce strings, for instance)
@RolesAllowed("USER")
@Push annotation to Application
HelloWorldView) and just log the output to the console
System Info
Hilla 2.5.6, macOS 14.3.1, Chrome 121.0.6167.160
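The behaviour reported above, reduced to a small model as an added example (not part of the original report and not Hilla code): a long-lived channel that snapshots the principal at handshake keeps returning 401 after login, while ordinary requests and a freshly opened channel succeed. All class and function names are hypothetical.

```typescript
// Constructed model of the reported behaviour; none of these names are Hilla APIs.
type Principal = { name: string; roles: string[] };
const ANONYMOUS: Principal = { name: "anonymous", roles: [] };

function hasRole(p: Principal, role: string): boolean {
  return p.roles.indexOf(role) !== -1;
}

// Server-side session: its principal is replaced when the user logs in.
class Session {
  principal: Principal = ANONYMOUS;
  login(name: string, roles: string[]): void {
    this.principal = { name: name, roles: roles };
  }
}

// Long-lived push channel that snapshots the principal at handshake time.
class PushConnection {
  private readonly principal: Principal;
  constructor(session: Session) {
    this.principal = session.principal; // captured once, never refreshed
  }
  // HTTP-like status for subscribing to a role-protected stream.
  subscribe(requiredRole: string): number {
    return hasRole(this.principal, requiredRole) ? 200 : 401;
  }
}

// Ordinary request: evaluates the session's current principal on every call.
function httpCall(session: Session, requiredRole: string): number {
  return hasRole(session.principal, requiredRole) ? 200 : 401;
}

// Push opens on the login view (anonymous), then the user logs in.
// reloadAfterLogin models a full page load, which opens a new push connection.
function scenario(reloadAfterLogin: boolean): { http: number; push: number } {
  const session = new Session();
  let push = new PushConnection(session);
  session.login("user", ["USER"]);
  if (reloadAfterLogin) {
    push = new PushConnection(session);
  }
  return { http: httpCall(session, "USER"), push: push.subscribe("USER") };
}
```

In this model, a check for the stale state is any authenticated session where `httpCall` returns 200 and `subscribe` returns 401 for the same role.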