fix: redirect lost after Pangolin auth session timeout (#3001)#3200
Open
Adityakk9031 wants to merge 1 commit into
Open
fix: redirect lost after Pangolin auth session timeout (#3001)#3200Adityakk9031 wants to merge 1 commit into
Adityakk9031 wants to merge 1 commit into
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
When a user's Pangolin session expires (org maxSessionLengthHours policy) and they visit a protected resource, they are correctly redirected to /auth/resource/{guid}?redirect=https://myservice.mydomain.com. However, after re-authenticating, they stay on pangolin.mydomain.com instead of being sent to myservice.mydomain.com.
It only works correctly if the user manually logs out first.
Root Cause
In src/app/auth/resource/[resourceGuid]/page.tsx, redirectUrl is correctly computed from the ?redirect query param. But when the org policy check fails (maxSessionLength.compliant = false), the page renders without passing redirectUrl. That component had a hardcoded button sending the user to the Pangolin dashboard — the redirect was permanently lost.
Fix
page.tsx — constructs resourceAuthPageUrl (the resource auth page with the ?redirect param preserved) and passes it as redirectAfterAuth to
OrgPolicyRequired.tsx — detects maxSessionLength policy failure and renders a dedicated "Session Expired" card with a "Re-authenticate" button that calls POST /auth/logout then navigates back to the resource auth page. Without a session, the page shows the login form and after login correctly redirects to the original resource
en-US.json — adds sessionExpired, sessionExpiredReauthRequired, and reauthenticate translation keys
Fixed Flow
Session expired → visit myservice.mydomain.com
→ /auth/resource/{guid}?redirect=https://myservice.mydomain.com
→ "Session Expired" card shown
→ click "Re-authenticate"
→ logout + navigate back to /auth/resource/{guid}?redirect=https://myservice.mydomain.com
→ login form shown (no session now)
→ login → redirected to https://myservice.mydomain.com ✓
Files Changed
src/app/auth/resource/[resourceGuid]/page.tsx
src/components/OrgPolicyRequired.tsx
messages/en-US.json
Fixes
Closes #3001