akanealw
eec8c28fb3
Some checks failed
Go Benchmark / Performance Regression Check (push) Has been cancelled
Cerberus Integration / Cerberus Security Stack Integration (push) Has been cancelled
Upload Coverage to Codecov / Backend Codecov Upload (push) Has been cancelled
Upload Coverage to Codecov / Frontend Codecov Upload (push) Has been cancelled
CodeQL - Analyze / CodeQL analysis (go) (push) Has been cancelled
CodeQL - Analyze / CodeQL analysis (javascript-typescript) (push) Has been cancelled
CrowdSec Integration / CrowdSec Bouncer Integration (push) Has been cancelled
Docker Build, Publish & Test / build-and-push (push) Has been cancelled
Quality Checks / Auth Route Protection Contract (push) Has been cancelled
Quality Checks / Codecov Trigger/Comment Parity Guard (push) Has been cancelled
Quality Checks / Backend (Go) (push) Has been cancelled
Quality Checks / Frontend (React) (push) Has been cancelled
Rate Limit integration / Rate Limiting Integration (push) Has been cancelled
Security Scan (PR) / Trivy Binary Scan (push) Has been cancelled
Supply Chain Verification (PR) / Verify Supply Chain (push) Has been cancelled
WAF integration / Coraza WAF Integration (push) Has been cancelled
Docker Build, Publish & Test / Security Scan PR Image (push) Has been cancelled
50 lines
2.0 KiB
Markdown
Executable File
50 lines
2.0 KiB
Markdown
Executable File
# Route Guard Bug: Session Expiration Not Redirecting to Login
|
|
|
|
## Issue
|
|
|
|
After clearing authentication data (cookies + localStorage) and reloading the page, the application still loads the dashboard instead of redirecting to `/login`.
|
|
|
|
## Evidence
|
|
|
|
- Test: `tests/core/authentication.spec.ts:322` - "should redirect to login when session expires"
|
|
- Error: "Expected redirect to login or session expired message. Dashboard loaded instead, indicating missing auth validation."
|
|
- Video: `test-results/core-authentication-Authen-e89dd--login-when-session-expires-firefox/video.webm`
|
|
- Screenshot: `test-results/core-authentication-Authen-e89dd--login-when-session-expires-firefox/test-failed-1.png`
|
|
|
|
## Steps to Reproduce
|
|
|
|
1. Login to application
|
|
2. Clear all cookies: `await page.context().clearCookies()`
|
|
3. Clear localStorage: `localStorage.removeItem('token'); localStorage.removeItem('authToken'); localStorage.removeItem('charon_auth_token'); sessionStorage.clear()`
|
|
4. Reload page: `await page.reload()`
|
|
5. **Expected**: Redirect to `/login`
|
|
6. **Actual**: Dashboard loads, full access granted
|
|
|
|
## Root Cause Analysis
|
|
|
|
The route guard fix in `frontend/src/components/RequireAuth.tsx` and `frontend/src/context/AuthContext.tsx` may not handle the page reload scenario properly. Possible causes:
|
|
|
|
- `RequireAuth` not re-evaluating auth state after reload
|
|
- `AuthContext.checkAuth()` restoring session from HttpOnly cookie despite no localStorage token
|
|
- Router cache or React state persisting auth status
|
|
|
|
## Impact
|
|
|
|
**CRITICAL SECURITY ISSUE**: Users can access protected routes after clearing their session.
|
|
|
|
## Assigned To
|
|
|
|
Frontend Dev
|
|
|
|
## Files to Investigate
|
|
|
|
- `frontend/src/components/RequireAuth.tsx`
|
|
- `frontend/src/context/AuthContext.tsx`
|
|
- `frontend/src/routes.tsx` (router configuration)
|
|
|
|
## Acceptance Criteria
|
|
|
|
- [ ] Test `tests/core/authentication.spec.ts:322` passes
|
|
- [ ] Manual verification: After logout + clear storage + reload, user redirected to /login
|
|
- [ ] All protected routes blocked when auth data cleared
|