Summary
Doing an API call with a session that is expired returns a 302 to https://workday.flock.community/oauth2/authorization/google.
However, the frontend doesn't handle this nicely. The API call fetch actually follows the redirection trail, causing it to be redirected to google eventually. This is, of course, not allowed because of CORS issues, leaving an error in the console:
workdays:1 Access to fetch at 'https://accounts.google.com/o/oauth2/v2/auth?response_type=code&client_id=<app-id>.apps.googleusercontent.com&scope=openid%20profile%20email&state=G3s9wV0eKEVG137vljXdKEXfrAtjGnBCn71NTaKId6k%3D&redirect_uri=https://workday.flock.community/login/oauth2/code/google&nonce=HznoQuDgX4RY1Dw_GHH99grAP114A4G2dJ_n-L4n8uI' (redirected from 'https://workday.flock.community/api/workdays') from origin 'https://workday.flock.community' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
From a user perspective, however, you have no clue what is going on, at least not when submitting workdays (hours), as the form just remains intact.
What did you expect?
I'd expected to get at least some feedback that submitting workdays has failed. Ideally, you want the ability to log in again, but also 'save' the data that you have filled in to the form. One way of doing so would be to do the re-login flow in a new tab / window.
What happened
Nothing, no navigation back to the workdays overview. No error message saying 'Whoops, someone let the bird out of its cage' or something more tangible.
Reproduction path:
- Navigate to https://workday.flock.community/workdays
- Add a workday
- Wait until session is expired (or maybe restart workday app (not sure if sessions are in-memory or in db))
- Submit workday
- Don't see an error on screen
- Check dev tools and see problems with submitting workday, and the CORS issue as posted above.
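The following is an added example, not code from the workday frontend or from the issue above. It shows one way a client could handle the behaviour described: instead of letting the browser follow the 302 into the Google authorization URL (where the cross-origin hop fails the CORS check and `fetch` rejects with a bare TypeError), the wrapper requests with `redirect: 'manual'`, recognises the resulting opaque redirect as an expired session, keeps the form data, and hands back a login URL to open in a new tab. The API origin, the login path, the `submitWorkday` flow and the `deps` shape are assumptions for illustration; the `fakeFetch` responses and `memoryStorage` are constructed stand-ins so it runs offline.

```javascript
// Added example (not the workday project's own code): a fetch wrapper that makes
// an expired session visible to the user instead of letting the browser chase
// the 302 -> Google redirect and fail on CORS.
//
// Assumptions (hypothetical): the API lives under API_ORIGIN, the login entry
// point is LOGIN_PATH, and the form state is a plain JSON-serialisable object.
const API_ORIGIN = 'https://workday.flock.community';
const LOGIN_PATH = '/oauth2/authorization/google';
const DRAFT_KEY = 'workday-draft';

class SessionExpiredError extends Error {
  constructor() {
    super('Session expired: the API answered with a redirect to the login flow');
    this.name = 'SessionExpiredError';
  }
}

// With `redirect: 'manual'` the browser does not follow the 302 at all: fetch
// resolves with an "opaqueredirect" response (status 0), so the cross-origin
// hop to accounts.google.com, and the CORS error it produces, never happens.
// A 401/403 is treated the same way in case the backend is changed to answer
// unauthenticated fetch calls with a status code instead of a redirect.
function isLoginRedirect(response) {
  if (response.type === 'opaqueredirect') return true;
  return response.status === 401 || response.status === 403;
}

// `fetchImpl` is injectable so the wrapper can be exercised without a browser.
async function apiFetch(path, init = {}, fetchImpl = globalThis.fetch) {
  const response = await fetchImpl(API_ORIGIN + path, {
    credentials: 'same-origin',
    redirect: 'manual',
    ...init,
  });
  if (isLoginRedirect(response)) throw new SessionExpiredError();
  return response;
}

// Draft persistence: anything with the Web Storage getItem/setItem/removeItem
// shape works (window.sessionStorage in the browser, memoryStorage() below).
function saveDraft(storage, form) {
  storage.setItem(DRAFT_KEY, JSON.stringify(form));
}
function loadDraft(storage) {
  const raw = storage.getItem(DRAFT_KEY);
  return raw === null ? null : JSON.parse(raw);
}
function clearDraft(storage) {
  storage.removeItem(DRAFT_KEY);
}

// Submit a workday; on an expired session keep the form data and pass the
// caller a URL to open the re-login flow in a new tab, so the current page
// (and its filled-in form) stays put. `deps` carries the browser-provided bits.
async function submitWorkday(form, deps) {
  let response;
  try {
    response = await apiFetch('/api/workdays', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify(form),
    }, deps.fetch);
  } catch (err) {
    if (err instanceof SessionExpiredError) {
      saveDraft(deps.storage, form);
      deps.openLogin(API_ORIGIN + LOGIN_PATH); // e.g. url => window.open(url, '_blank')
      return {
        status: 'session-expired',
        message: 'Your session has expired. Your entry was kept; log in again in the new tab and resubmit.',
      };
    }
    // Default-mode fetch would land here with a bare TypeError on the CORS
    // failure, indistinguishable from a network outage; at least report it.
    return { status: 'error', message: `Submitting the workday failed: ${err.message}` };
  }
  if (!response.ok) {
    return { status: 'error', message: `Submitting the workday failed (HTTP ${response.status})` };
  }
  clearDraft(deps.storage);
  return { status: 'saved', message: 'Workday saved' };
}

// In-memory stand-in for window.sessionStorage (constructed, for running offline).
function memoryStorage() {
  const map = new Map();
  return {
    getItem: k => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
    removeItem: k => { map.delete(k); },
  };
}

// Constructed responses mimicking what the browser hands back in each case.
const EXPIRED_SESSION = { type: 'opaqueredirect', status: 0, ok: false };
const CREATED = { type: 'basic', status: 201, ok: true };
const fakeFetch = response => async () => response;
```

In the real page you would call `submitWorkday(formState, { fetch: window.fetch, storage: window.sessionStorage, openLogin: url => window.open(url, '_blank') })` from the form's submit handler and render `message` to the user; on page load, `loadDraft(window.sessionStorage)` restores what was typed before the session ran out. The caveat with `redirect: 'manual'` is that the opaque redirect hides the Location header, so the client cannot tell a login redirect from any other 302 and must treat every one as "session expired".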