Skip to content

fix(web-runtime): keep session on transient network errors during context init#13941

Closed
dj4oC wants to merge 1 commit into
masterfrom
fix/web/12980-preserve-session-on-network-error
Closed

fix(web-runtime): keep session on transient network errors during context init#13941
dj4oC wants to merge 1 commit into
masterfrom
fix/web/12980-preserve-session-on-network-error

Conversation

@dj4oC

@dj4oC dj4oC commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Description

On page reload the authenticated context is re-established in AuthService.initializeContext() by calling userManager.updateContext(), which fetches user data over HTTP (graph.users.getMe(), capabilities, roles). Both the page-reload token-restore path and the addUserLoaded event handler wrapped that call in a blanket catch that treated any thrown error identically to a genuine authentication rejection: it called handleAuthError()removeUser('authError') → redirect to accessDenied.

Root cause: the catch blocks did not distinguish a transient network/connectivity failure (e.g. a fast page refresh cancelling in-flight requests, a short offline period, a timeout) from a real auth rejection (401 / invalid or expired token). A temporary connectivity blip therefore forced a full logout and showed the "trouble connecting to the login service" page.

Fix: a small isNetworkError() classifier is introduced. Connectivity failures (axios ERR_NETWORK / ECONNABORTED with no HTTP response, or a fetch TypeError such as Safari's "Load failed") now preserve the existing session and let the regular auth flow recover on the next navigation / token refresh. Errors that carry an HTTP response (e.g. 401) still go through the unchanged handleAuthError() logout flow. The change is applied to the two catch blocks named in the issue analysis (reload path + addUserLoaded).

Related Issue

Motivation and Context

Users were being logged out on transient connectivity issues and bounced to the access-denied page, losing their active session — reported as a real, reproducible problem (e.g. quick reloads in Safari). Only genuine auth rejections should end the session.

How Has This Been Tested?

  • test environment: repository unit test suite (Vitest) + vue-tsc --noEmit type check + ESLint/Prettier, run locally in this branch.
  • packages/web-runtime/tests/unit/services/auth/authService.spec.ts26/26 passing. New coverage:
    • isNetworkError table test across all branches (axios ERR_NETWORK/ECONNABORTED, fetch TypeError variants, an error carrying an HTTP response, an ERR_NETWORK that nonetheless carries a response, an unrelated TypeError, unknown code, null, string).
    • reload path: network error → handleAuthError not called; 401handleAuthError called.
    • addUserLoaded handler: network error preserves the session; 401 triggers logout.
  • pnpm check:types → passes. eslint + prettier --check on the changed files → clean.
  • New-code coverage: the classifier and both modified catch branches are exercised by the added tests (well above the 85% target). Not run: Playwright e2e (needs a full running oCIS stack, not available in this environment).

Screenshots (if appropriate):

n/a — no UI change.

Open tasks:

  • Maintainer review. Scoping notes below.

Notes for reviewers

  • Scope kept minimal (by design): on a network error the session is preserved but the context is left for the regular flow to re-establish on the next navigation/token-refresh; no new user-facing "offline/retry" UI state was added. The issue analysis mentioned surfacing a retryable offline state — that is intentionally left out here to keep the diff small and focused on the acceptance criteria (do not force logout on a network error). Happy to add an explicit offline indicator in a follow-up if wanted.
  • Classifier is conservative: anything not positively recognised as a connectivity failure falls through to the existing handleAuthError behaviour, so unknown/real errors are no worse off than today.
  • Repo consolidation: owncloud/web's README notes development is moving into owncloud/ocis. This fix is filed here because the issue and the affected code live here; a maintainer may want to port it to ocis as well.
  • Documentation: changelog entry added (changelog/unreleased/bugfix-preserve-session-on-network-error). No admin/end-user docs change (behaviour is strictly less disruptive than before). REUSE per-file headers are not used on TS sources in this repo, so none were added. No OTel tooling in this package.
  • Risk: low — logic is additive and gated behind the new classifier; existing logout paths for auth rejections are unchanged.

🤖 Automated by Claude Code


Generated by Claude Code

…text init

On page reload the authenticated context is re-established by fetching user data
over HTTP. Previously any error thrown from updateContext() - including transient
connectivity failures (ERR_NETWORK, request timeouts, fetch TypeErrors) - was
treated like an expired/invalid token, forcing a logout and redirect to the
access-denied page. This adds an isNetworkError() classifier so connectivity
failures preserve the existing session, while genuine auth rejections (carrying an
HTTP response such as 401) still trigger the existing logout flow. Applies to both
the page-reload token-restore path and the addUserLoaded handler.

Closes: #12980

Signed-off-by: dj4oC <noreply@github.com>
@kw-security

kw-security commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Snyk checks have passed. No issues have been found so far.

Status Scan Engine Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues
Licenses 0 0 0 0 0 issues
Code Security 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@sonarqubecloud

sonarqubecloud Bot commented Jul 9, 2026

Copy link
Copy Markdown

dj4oC commented Jul 9, 2026

Copy link
Copy Markdown
Contributor Author

The failing e2e / e2e-tests-keycloak check is unrelated to this change — it's a Keycloak→oCIS group-sync flake:

✘ tests/e2e/specs/keycloak/groups.spec.ts:8 › groups management › keycloak group sync with oCIS
  Error: group with key 'keycloak sales' not found   (failed on attempt + retry #1)
1 failed | 6 passed

This diff only changes error handling inside a catch in AuthService.initializeContext (suppressing logout on transient network errors); it cannot cause a Keycloak-provisioned group to be missing. The failure is external-IdP group provisioning/sync, and the other 6 tests in the shard — including auth-dependent flows (spaces management, admin settings, the kindergarten sharing journey) — all passed, which they wouldn't if context init were broken. No new console.error calls were introduced either.

No code change needed here; the e2e job should pass on a re-run once the group sync provisions in time.

🤖 Automated by Claude Code


Generated by Claude Code

@DeepDiver1975

Copy link
Copy Markdown
Member

web repo is dead - target your prs towards owncloud/ocis

dj4oC added a commit to owncloud/ocis that referenced this pull request Jul 9, 2026
The web frontend (now maintained in this monorepo under web/) re-establishes the
authenticated context on page reload by calling updateContext(), which fetches user
data over HTTP. Previously any error thrown there - including transient connectivity
failures (ERR_NETWORK, timeouts, fetch TypeErrors) - was treated like an expired or
invalid token, forcing a logout and redirect to the access-denied page. This adds an
isNetworkError() classifier so connectivity failures preserve the existing session,
while genuine auth rejections (carrying an HTTP response such as 401) still trigger
the existing logout flow. Applies to the page-reload token-restore path and the
addUserLoaded handler.

Ports the fix for owncloud/web#12980 (originally owncloud/web#13941; owncloud/web is
deprecated and development moved into this repo).

Signed-off-by: dj4oC <noreply@github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[OCISDEV-290] Network errors with OIDC authentication cause unintended user logout

3 participants