1
votes

I use ember-simple-auth-0.6.4.js in my Ember.js application, and there is one case which is quite common. Here is the sequence of steps.

  1. The user authenticates in the application (I use a custom authenticator for that), so the session becomes valid.
  2. After ~20 minutes of inactivity the backend session becomes invalid.
  3. The user goes to a route (derived from AuthenticatedRouteMixin), and since the Ember session in the client's app is still valid, the "session authenticated" check passes.
  4. Then the route's model hook is called, in which I try to load some data from the backend using an ajax request, and I get a 401 unauthorized response because the backend session is invalid.
  5. After the 401 error response the client app's session is invalidated. Then the sessionInvalidationSucceeded() handler defined in application-route-mixin is called, where the location changes: window.location.replace(Configuration.applicationRootUrl);

The problem is: if the URL defined in applicationRootUrl is under an authenticated route, the login page will be shown to the user, but after authentication the user goes to applicationRootUrl again, and not to the page where the ajax error originally happened.

My solution to this:

  • In the AuthenticatedRouteMixin beforeModel() hook I store the last transition:

    Configuration.beforeInvalidationTransition = transition;

  • In ApplicationRouteMixin I redefine the sessionInvalidationSucceeded hook:

    sessionInvalidationSucceeded: function() {
      // Remember where the user was so that login can resume it.
      if (Configuration.beforeInvalidationTransition) {
        this.get(Configuration.sessionPropertyName)
          .set('attemptedTransition', Configuration.beforeInvalidationTransition);
      }
      this.transitionTo(Configuration.authenticationRoute);
    }

So if a 401 error occurs, the user is redirected to the login page (Configuration.authenticationRoute) and the route in which the error occurred is stored in attemptedTransition, so after a successful login the user will be redirected to the place where he stopped working.

Does this make sense, or is there a more elegant solution for this problem?

1 Answer

1
votes

You could actually store the last transition in the session right away without using Configuration.beforeInvalidationTransition. You could also refresh the access token before it is about to expire, like the OAuth 2.0 authenticator does (see here: https://github.com/simplabs/ember-simple-auth/blob/master/packages/ember-simple-auth-oauth2/lib/simple-auth-oauth2/authenticators/oauth2.js#L167)
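
The flow discussed above, with the attempted transition kept in the session itself, as an added example in plain JavaScript. It is a model and not ember-simple-auth code or part of the original posts; `newSession`, `createApp`, `visit`, `login`, the `backend` stub and the route names are hypothetical.

```javascript
// Added example: a plain-JavaScript model, not ember-simple-auth code.
// newSession, createApp, visit and login are hypothetical names.
const newSession = () => ({ isAuthenticated: false, attemptedTransition: null });

function createApp(session, backend) {
  const app = {
    currentRoute: 'login',
    // Stands in for an authenticated route's beforeModel + model hooks.
    visit(route) {
      // Remember the target in the session before anything can fail.
      session.attemptedTransition = { retry: () => app.visit(route) };
      if (!session.isAuthenticated) {
        app.currentRoute = 'login';
        return;
      }
      if (backend.fetch(route) === 401) {
        // Backend session expired: drop the stale client session but
        // keep attemptedTransition so that login can resume it.
        session.isAuthenticated = false;
        app.currentRoute = 'login';
        return;
      }
      session.attemptedTransition = null; // route loaded, nothing pending
      app.currentRoute = route;
    },
    login() {
      backend.valid = true;
      session.isAuthenticated = true;
      const pending = session.attemptedTransition;
      session.attemptedTransition = null; // consume once, never replay twice
      if (pending) pending.retry();
      else app.currentRoute = 'index';
    },
  };
  return app;
}

// Constructed scenario: the backend session expires while the client
// session still looks valid.
function demo() {
  const backend = { valid: false, fetch() { return this.valid ? 200 : 401; } };
  const app = createApp(newSession(), backend);
  const seen = [];
  app.login(); seen.push(app.currentRoute);          // no pending target
  backend.valid = false;                             // ~20 minutes idle
  app.visit('reports'); seen.push(app.currentRoute); // 401, back to login
  app.login(); seen.push(app.currentRoute);          // resumes 'reports'
  return seen;
}
```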