Web: Redirect to login upon missing session cookie by kimlisa · Pull Request #33726 · gravitational/teleport

kimlisa · 2023-10-20T01:02:55Z

fixes #20996

Why: We use non-persistent (session) cookie. When you close a browser, session cookies get cleared from the browser. Then when you re-open browser, load the teleport app, try to make a teleport api call to a protected endpoint WithAuth, it fails to authn because a cookie wasn't sent with the request.

There is three kind of dialogue shown depending on which webapp route you take.

AppLauncher component catches error (from trying to `getFqdn`)

Reproduce (chrome, but works on any browser):

login to teleport and successfully launch an app
close the browser
reopen browser and launch the app (copy and paste app URL)

Enterprise: the WaitingRoom catches error (from trying to `getUserContext`)

login to teleport
close the browser
reopen browser and go to some teleport URL

Open source: the root CatchError catches error (from trying to `getUserPreferences`)

Our component tree looks like this:

<CatchError> // our root error catcher if the childrens did not  handle it
  <Authenticated>  // <----- where we should be checking validity of cookie and session
    <AppLauncher/>
    <WaitingRoom>   // only in enterprise
        {... childrens subjected to waiting room}
    </WaitingRoom>
  </Authenticated>
</CatchError>

Prior to this PR, in the Authenticated layer we were only checking for valid session stored in local storage. But gives false positives. Now we just make the api call to the /status endpoint right away and fail earlier in the tree (instead of 15 seconds later from starting an interval timer that polls this endpoint)

All the above scenarios, the user will be redirected to the login right away. On rare occassions where the /status just fails to fetch, this is what the user will see:

gzdunek

LGTM, I left a few minor comments.

gzdunek · 2023-10-20T12:01:40Z

+      </DialogHeader>
+      <DialogContent>
+        <Alert kind="danger" children={errMsg} />
+        <Text mb={3}>Try again by refreshing the browser.</Text>


Suggested change

<Text mb={3}>Try again by refreshing the browser.</Text>

<Text mb={3}>Try again by refreshing the page.</Text>

gzdunek · 2023-10-20T13:05:09Z

+
+import history from 'teleport/services/history';
+
+export function ErrorDialogue({ errMsg }: { errMsg: string }) {


ErrorDialog?

gzdunek · 2023-10-20T13:19:01Z

+  const { attempt, setAttempt } = useAttempt('processing');
+
+  useEffect(() => {
+    const checkUserIsAuthenticated = async () => {


Suggested change

const checkUserIsAuthenticated = async () => {

const checkIfUserIsAuthenticated = async () => {

gzdunek · 2023-10-20T13:19:42Z

+        if (!session.isValid()) {
+          logger.warn('invalid session');
+          session.clear();
+          history.goToLogin(true);
+          return;
+        }


We can move it above try.

gzdunek · 2023-10-20T13:28:32Z

  }

-  return <>{children}</>;
+  return null;


WDYT of showing an <Indicator /> during loading?

gzdunek · 2023-10-20T13:32:11Z

+   * which just checks if the cookie sent from browser is valid and user
+   * session is still valid.


I'd shorten it a bit:

Suggested change

* which just checks if the cookie sent from browser is valid and user

* session is still valid.

* which checks if the cookie and the user session are still valid.

public-teleport-github-review-bot · 2023-10-23T07:32:26Z

@kimlisa See the table below for backport results.

Branch	Result
branch/v13	Create PR
branch/v14	Create PR

github-actions Bot added size/md ui labels Oct 20, 2023

github-actions Bot requested review from gzdunek and ryanclark October 20, 2023 01:03

kimlisa added backport/branch/v13 labels Oct 20, 2023

kimlisa mentioned this pull request Oct 20, 2023

Access Denied - missing session cookie #20996

Closed

gzdunek approved these changes Oct 20, 2023

View reviewed changes

ryanclark approved these changes Oct 20, 2023

View reviewed changes

kimlisa enabled auto-merge October 23, 2023 06:56

kimlisa added this pull request to the merge queue Oct 23, 2023

kimlisa added 2 commits October 23, 2023 00:05

Web: Redirect to login upon missing session cookie

8fd70d4

Address CR

84c5cee

kimlisa removed this pull request from the merge queue due to a manual request Oct 23, 2023

kimlisa force-pushed the lisa/logout-on-missing-cookie branch from 6233ed8 to 84c5cee Compare October 23, 2023 07:06

kimlisa enabled auto-merge October 23, 2023 07:08

kimlisa added this pull request to the merge queue Oct 23, 2023

Merged via the queue into master with commit 794773c Oct 23, 2023

kimlisa deleted the lisa/logout-on-missing-cookie branch October 23, 2023 07:30

This was referenced Oct 23, 2023

[v14] Web: Redirect to login upon missing session cookie #33806

Merged

[v13] Web: Redirect to login upon missing session cookie #33807

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Web: Redirect to login upon missing session cookie#33726

Web: Redirect to login upon missing session cookie#33726
kimlisa merged 2 commits intomasterfrom
lisa/logout-on-missing-cookie

kimlisa commented Oct 20, 2023 •

edited

Loading

Uh oh!

gzdunek left a comment

Uh oh!

gzdunek Oct 20, 2023

Uh oh!

gzdunek Oct 20, 2023

Uh oh!

gzdunek Oct 20, 2023

Uh oh!

gzdunek Oct 20, 2023

Uh oh!

gzdunek Oct 20, 2023

Uh oh!

gzdunek Oct 20, 2023

Uh oh!

Uh oh!

public-teleport-github-review-bot Bot commented Oct 23, 2023

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

	<Text mb={3}>Try again by refreshing the browser.</Text>
	<Text mb={3}>Try again by refreshing the page.</Text>


		import history from 'teleport/services/history';

		export function ErrorDialogue({ errMsg }: { errMsg: string }) {

	const checkUserIsAuthenticated = async () => {
	const checkIfUserIsAuthenticated = async () => {

		* which just checks if the cookie sent from browser is valid and user
		* session is still valid.

	* which just checks if the cookie sent from browser is valid and user
	* session is still valid.
	* which checks if the cookie and the user session are still valid.

Conversation

kimlisa commented Oct 20, 2023 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

AppLauncher component catches error (from trying to getFqdn)

Enterprise: the WaitingRoom catches error (from trying to getUserContext)

Open source: the root CatchError catches error (from trying to getUserPreferences)

Uh oh!

gzdunek left a comment

Choose a reason for hiding this comment

Uh oh!

gzdunek Oct 20, 2023

Choose a reason for hiding this comment

Uh oh!

gzdunek Oct 20, 2023

Choose a reason for hiding this comment

Uh oh!

gzdunek Oct 20, 2023

Choose a reason for hiding this comment

Uh oh!

gzdunek Oct 20, 2023

Choose a reason for hiding this comment

Uh oh!

gzdunek Oct 20, 2023

Choose a reason for hiding this comment

Uh oh!

gzdunek Oct 20, 2023

Choose a reason for hiding this comment

Uh oh!

Uh oh!

public-teleport-github-review-bot Bot commented Oct 23, 2023

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

kimlisa commented Oct 20, 2023 •

edited

Loading

AppLauncher component catches error (from trying to `getFqdn`)

Enterprise: the WaitingRoom catches error (from trying to `getUserContext`)

Open source: the root CatchError catches error (from trying to `getUserPreferences`)