Charon/docs/issues/route-guard-session-expiration-bug.md
akanealw eec8c28fb3
changed perms
2026-04-22 18:19:14 +00:00


Route Guard Bug: Session Expiration Not Redirecting to Login

Issue

After clearing authentication data (cookies + localStorage) and reloading the page, the application still loads the dashboard instead of redirecting to /login.

Evidence

  • Test: tests/core/authentication.spec.ts:322 - "should redirect to login when session expires"
  • Error: "Expected redirect to login or session expired message. Dashboard loaded instead, indicating missing auth validation."
  • Video: test-results/core-authentication-Authen-e89dd--login-when-session-expires-firefox/video.webm
  • Screenshot: test-results/core-authentication-Authen-e89dd--login-when-session-expires-firefox/test-failed-1.png

Steps to Reproduce

  1. Log in to the application
  2. Clear all cookies: await page.context().clearCookies()
  3. Clear localStorage: localStorage.removeItem('token'); localStorage.removeItem('authToken'); localStorage.removeItem('charon_auth_token'); sessionStorage.clear()
  4. Reload page: await page.reload()
  5. Expected: Redirect to /login
  6. Actual: Dashboard loads, full access granted

Root Cause Analysis

The route guard fix in frontend/src/components/RequireAuth.tsx and frontend/src/context/AuthContext.tsx may not handle the page reload scenario properly. Possible causes:

  • RequireAuth not re-evaluating auth state after reload
  • AuthContext.checkAuth() restoring session from HttpOnly cookie despite no localStorage token
  • Router cache or React state persisting auth status
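The fail-closed decision that a guard like RequireAuth/AuthContext has to make on every load is modelled below as an added example; it is not Charon's own code. Storage, the cookie jar and the server-side session check are constructed stand-ins (a synchronous verifier is assumed in place of the real HTTP call behind checkAuth()).

```typescript
// Added example, not Charon's code. The guard starts "pending", never
// "authenticated", and only the server-side session check can flip it to
// "authenticated"; a leftover localStorage token or a cached flag from a
// previous render must never grant access on its own.

type GuardState = "pending" | "authenticated" | "anonymous";
type Decision = "spinner" | "render" | "redirect:/login";

// localStorage-like store; keys mirror the ones the reproduction clears.
interface KeyValueStore { getItem(key: string): string | null; }

// Hypothetical stand-in for the server round trip behind checkAuth():
// true only while the HttpOnly session cookie is still valid.
type SessionVerifier = () => boolean;

const TOKEN_KEYS = ["token", "authToken", "charon_auth_token"];

function createAuthGuard(store: KeyValueStore, verify: SessionVerifier) {
  let state: GuardState = "pending";      // initial state is fail-closed
  return {
    state: () => state,
    // Called on mount and after every reload / navigation into a protected route.
    evaluate(): GuardState {
      state = "pending";                    // discard any cached answer
      const localToken = TOKEN_KEYS.some((k) => store.getItem(k) !== null);
      const serverOk = verify();            // the server decides, not the client
      // A local token without a valid server session is stale; treat as anonymous.
      state = serverOk ? "authenticated" : "anonymous";
      if (localToken && !serverOk) state = "anonymous";
      return state;
    },
    // What the guard should render for the current state.
    decision(): Decision {
      if (state === "pending") return "spinner";
      return state === "authenticated" ? "render" : "redirect:/login";
    },
  };
}

// Constructed in-memory stand-ins used to drive the guard offline.
class MemoryStore implements KeyValueStore {
  private data = new Map<string, string>();
  getItem(k: string) { return this.data.get(k) ?? null; }
  setItem(k: string, v: string) { this.data.set(k, v); }
  clear() { this.data.clear(); }
}
```

A reload is simulated by building a fresh guard over the same storage and cookie jar, which is exactly the state a React tree is in after page.reload().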

Impact

CRITICAL SECURITY ISSUE: Users can access protected routes after clearing their session.

Assigned To

Frontend Dev

Files to Investigate

  • frontend/src/components/RequireAuth.tsx
  • frontend/src/context/AuthContext.tsx
  • frontend/src/routes.tsx (router configuration)

Acceptance Criteria

  • Test tests/core/authentication.spec.ts:322 passes
  • Manual verification: After logout + clear storage + reload, user redirected to /login
  • All protected routes blocked when auth data cleared