fleet
force_password_reset: true should immediately redirect to a password reset
Right now if the server returns force_password_reset: true, the user can still attempt to use the UI, even though the server will return a 403 error for every single request.
The server should immediately prompt with the password reset card.
@groob the issue is that we're not making the request to get the user once they're logged in, so they can move around the app even though the server state for the user might indicate they have to reset their password. If/when the page is reloaded the user gets booted back to login and is required to reset their password.
If this isn't the ideal flow, do you have an idea of how you'd like to implement this feature?
Good question. Maybe we could subscribe to a websocket, or http2 push?
I don't mind this behavior too much personally. But I wanted to bring it up so we can make a decision whether this is expected behavior or something we should fix? @marpaia @terracatta
From @terracatta on #834:
If you force a user to reset their password, their app experience breaks in odd ways until they refresh the page.
Steps to reproduce:
- Login as an admin
- Visit /admin/users
- Select "Require Password Reset" on your own user card
- Click on "Query" in the main navigation
Expected Result: I am redirected to the login page with a message that says "Please reset your password"
Actual result: The new query page partially loads and an error that says "username and password do not match" (see screenshot below)
As an aside: weird behavior happens when choosing "Logout as well" (you are not logged out)
I think we should start by making a 403 in an API call cause a redirect to the login page.
There's still the issue of the fact that a lot of data is held in memory, and so some navigation can occur without any API calls taking place.
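
One way to combine the two points raised in this thread (a 403 from any API call forces a redirect to login, and navigation served from in-memory data is blocked as well), as an added example that is not Fleet's code. The names `createSessionGuard`, `navigate`, `clearCache` and the `/login` route are assumptions made for illustration.

```javascript
// Added example; every name here is hypothetical, not Fleet's frontend code.
const LOGIN_PATH = '/login'; // assumed client-side route

function createSessionGuard({ navigate, clearCache }) {
  let locked = false; // true once the server has signalled the session is unusable

  function lock(reason) {
    if (locked) return;   // redirect once, not once per failed request
    locked = true;
    clearCache();         // drop in-memory data so stale views cannot render
    navigate(LOGIN_PATH, reason);
  }

  // Call with every user object the API returns (login, "get current user").
  function onUser(user) {
    if (user && user.force_password_reset === true) lock('Please reset your password');
  }

  // Call with the status code of every API response.
  function onApiStatus(status) {
    if (status === 403) lock();
    return status;
  }

  // Call from the router before each client-side navigation, so that routes
  // rendered purely from cached state are blocked too.
  function allowNavigation(path) {
    if (!locked || path === LOGIN_PATH) return true;
    navigate(LOGIN_PATH);
    return false;
  }

  // Call after a successful login or a completed password reset.
  function unlock() { locked = false; }

  // Wrap fetch so no call site can skip the status check.
  async function apiFetch(fetchImpl, url, options) {
    const res = await fetchImpl(url, options);
    onApiStatus(res.status);
    return res;
  }

  return { onUser, onApiStatus, allowNavigation, unlock, apiFetch };
}
```

The client-side guard only improves the user experience; the server returning 403 on every request, as described above, remains the actual enforcement.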