
[bug]: Redirect to login when user is not logged in

Open JesusIasenzaniro16 opened this issue 3 years ago • 9 comments

Good day all. In version 12.1 of Venia, if you are not logged in and you try to browse by typing the path manually, it will redirect you to the login page; the redirection also happens if you log out. But in 12.3, it allows you to browse without being logged in.

Steps to reproduce the behavior:

  1. Go to home page without signing in
  2. Go to a category by typing the path manually
  3. See the error

You will be able to browse in the page without the need of signing in

categoryNotLogged

In the previous version of Venia (12.1), the component that was doing the redirection is in the folder middleware, and inside of it there is a file called auth.js or restrictedAuthPage.js. I'll leave an example of my code:

```js
import { BrowserPersistence } from '@magento/peregrine/lib/util';

const storage = new BrowserPersistence();

// Paths a guest may visit without being redirected to sign-in
const unAuthPath = [
    'sign-in',
    'forgot-password',
    'create-account-be-customer',
    'create-account-non-customer',
    'customer/account/createPassword',
    'our-story',
    'terms-sale',
    'legal-note',
    'cookies-policy',
    'credits'
];

// Paths a signed-in user is redirected away from
const unAuthPathForbidden = [
    '/sign-in',
    '/forgot-password',
    '/create-account-be-customer',
    '/create-account-non-customer',
    '/customer/account/createPassword'
];

const restrictedAuthPage = store => next => action => {
    const currentPath = window.location.pathname;

    let storeConfigRequiredLogin = storage.getItem('is_required_login');

    // Login is not required by the store config: do nothing
    if (!storeConfigRequiredLogin) {
        return next(action);
    }

    const signin_token = storage.getItem('signin_token');

    if (signin_token == undefined) {
        // Guest: allow the path only if it contains one of the unAuthPath entries
        let found = false;
        unAuthPath.forEach(function(value) {
            if (currentPath.indexOf(value) > -1) {
                found = true;
            }
        });

        if (!found) {
            history.pushState({}, '', '/sign-in');
            history.go(0);
        }
    } else {
        // Signed in: keep the user away from the sign-in and account creation pages
        if (unAuthPathForbidden.includes(currentPath)) {
            history.pushState({}, '', '/');
            history.go(0);
        }
    }

    return next(action);
};

export default restrictedAuthPage;
```

In version 12.3 of Venia, this component is very different. It doesn't seem to implement any functionality to redirect; instead, it implements a functionality for the time a session should last before logging out the user.

An example of this:

```js
import BrowserPersistence from '../../util/simplePersistence';
import userActions, { signOut } from '../actions/user';

const timeouts = new Map();
const intervals = new Map();
const storage = new BrowserPersistence();
const SET_TOKEN = userActions.setToken.toString();
const CLEAR_TOKEN = userActions.clearToken.toString();
const GET_DETAILS = userActions.getDetails.request.toString();

const isSigningIn = type => type === SET_TOKEN || type === GET_DETAILS;
const isSigningOut = type => type === CLEAR_TOKEN;

const scheduleSignOut = store => next => action => {
    const { dispatch } = store;

    if (isSigningIn(action.type)) {
        // `BrowserPersistence.getItem()` only returns the value
        // but we need the full item with timestamp and ttl
        const item = storage.getRawItem('signin_token');

        // exit if there's nothing in storage
        if (!item) return next(action);

        const { timeStored, ttl, value } = JSON.parse(item);
        const parsedValue = JSON.parse(value);
        const preciseTTL = ttl * 1000;
        const elapsed = Date.now() - timeStored;
        const expiry = Math.max(preciseTTL - elapsed, 0);

        // establish a sign-out routine
        const callback = () => {
            dispatch(signOut()).then(() => {
                timeouts.delete(parsedValue);
                intervals.delete(parsedValue);

                // refresh the page, important for checkout
                history.go(0);
            });
        };

        // set a timeout that runs once when the token expires
        if (!timeouts.has(parsedValue)) {
            const timeoutId = setTimeout(callback, expiry);

            timeouts.set(parsedValue, timeoutId);
        }
        if (!intervals.has(parsedValue)) {
            const intervalId = setInterval(() => {
                const hasExpired = Date.now() - timeStored > preciseTTL;

                if (hasExpired) callback();
            }, 1000);

            intervals.set(parsedValue, intervalId);
        }
    } else if (isSigningOut(action.type)) {
        // iterating a Map yields [key, id] pairs, so clear the stored ids via values()
        for (const timeoutId of timeouts.values()) {
            clearTimeout(timeoutId);
        }

        for (const intervalId of intervals.values()) {
            clearInterval(intervalId);
        }

        timeouts.clear();
        intervals.clear();
    }

    return next(action);
};

export default scheduleSignOut;
```

  • Device: PC

  • Browser: Chrome

  • Browser Version: 100.0.4896.127

  • Magento Version : 2.4.3

  • [x] venia-concept

  • [x] venia-ui

  • [ ] pwa-buildpack

  • [x] peregrine

  • [ ] pwa-devdocs

  • [ ] upward-js

  • [ ] upward-spec

  • [ ] create-pwa

JesusIasenzaniro16 avatar Apr 27 '22 15:04 JesusIasenzaniro16
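The redirect decision from the 12.1 middleware posted above, pulled out into a pure function so it can be tested outside the browser. This is an added example, not code from the issue author or from PWA Studio; `resolveRedirect`, `isUnder` and `normalizePath` are hypothetical names. It goes one step beyond the posted code by matching whole path segments instead of substrings, so a catalog URL that merely contains `credits` is not treated as a public page.

```javascript
// Added example: function names and sample paths are constructed, not from PWA Studio.

// Routes a guest may open (the unAuthPath list from the issue, as absolute paths).
const PUBLIC_PATHS = [
    '/sign-in',
    '/forgot-password',
    '/create-account-be-customer',
    '/create-account-non-customer',
    '/customer/account/createPassword',
    '/our-story',
    '/terms-sale',
    '/legal-note',
    '/cookies-policy',
    '/credits'
];

// Routes a signed-in user is sent away from (unAuthPathForbidden in the issue).
const GUEST_ONLY_PATHS = PUBLIC_PATHS.slice(0, 5);

// Strip query, fragment and trailing slashes so '/sign-in/' equals '/sign-in'.
function normalizePath(path) {
    const bare = String(path).split(/[?#]/)[0].replace(/\/+$/, '');
    return bare === '' ? '/' : bare;
}

// True when `path` is `base` itself or a sub-route of it. Whole segments only:
// '/credits-sale' and '/shoes/credits' do not match '/credits'.
function isUnder(path, base) {
    return path === base || path.startsWith(base + '/');
}

// Returns the path to redirect to, or null to let the navigation through.
function resolveRedirect({ path, token, loginRequired }) {
    if (!loginRequired) return null;
    const current = normalizePath(path);
    const signedIn = token !== undefined && token !== null && token !== '';
    if (!signedIn) {
        return PUBLIC_PATHS.some(p => isUnder(current, p)) ? null : '/sign-in';
    }
    return GUEST_ONLY_PATHS.includes(current) ? '/' : null;
}
```

A guard like this only steers navigation in the browser; whatever catalog data the GraphQL endpoint returns to guests stays reachable unless the server restricts it.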

Hi @JesusIasenzaniro16. Thank you for your report. To speed up processing of this issue, make sure that you provided sufficient information.

Add a comment to assign the issue: @magento I am working on this


m2-assistant[bot] avatar Apr 27 '22 15:04 m2-assistant[bot]

@magento export issue to JIRA project PWA as Bug

anthoula avatar May 09 '22 14:05 anthoula

:white_check_mark: Jira issue https://jira.corp.magento.com/browse/PWA-2823 is successfully created for this GitHub issue.

github-jira-sync-bot avatar May 09 '22 14:05 github-jira-sync-bot

@JesusIasenzaniro16 Is this scenario for users that do not have category permissions, and they access the category page? If not, can you provide more details on the user pre-conditions where this behavior occurs?

anthoula avatar May 09 '22 15:05 anthoula

Hello @anthoula, yes, if the user is not logged in, the web shouldn't let the user browse through the page, and if they try it, the user should be redirected to the sign-in page. For example, in this image I am not logged in:

2022-05-10 09_31_36-

JesusIasenzaniro16 avatar May 10 '22 07:05 JesusIasenzaniro16

@JesusIasenzaniro16 Thanks for the info. To confirm, does this user have restricted category permissions set, and therefore, should not be able to browse the restricted category?

anthoula avatar May 17 '22 15:05 anthoula

Hello @anthoula, I think we are not using that restricted category, because we want all new users to register before they can browse through the page

JesusIasenzaniro16 avatar May 18 '22 08:05 JesusIasenzaniro16

> Hello @anthoula, I think we are not using that restricted category, because we want all new users to register before they can browse through the page

Hello, you will have to use category restrictions, I leave you the link of the documentation: https://docs.magento.com/user-guide/catalog/category-permissions.html

agaraban avatar Jun 10 '22 19:06 agaraban

Hello @agaraban, thanks for the reply

We can't use the category permissions solution because we are using Magento Open Source, not Adobe Commerce; the option in the admin is not available for us.

In version 12.1 of Venia we implemented a solution using the code I shared before, but since version 12.3 it stopped working. Maybe the component we used before is not being used at all, so what can I do to make the redirection work again? Do I have to move the component to another specific folder or create another functionality using the new features of Venia?

JesusIasenzaniro16 avatar Jun 20 '22 12:06 JesusIasenzaniro16

Issue confirmed. Followed the steps mentioned in the description and was able to reproduce the issue. User is able to browse category and product screens even if logged out.

Tarun50745 avatar Jul 07 '23 10:07 Tarun50745

@adobe export issue to JIRA project PWA as Bug

glo42707 avatar Jul 07 '23 12:07 glo42707

:white_check_mark: Jira issue https://jira.corp.adobe.com/browse/PWA-3167 is successfully created for this GitHub issue.

github-jira-sync-bot avatar Jul 07 '23 12:07 github-jira-sync-bot

Hi @JesusIasenzaniro16, as per testing the redirection issue with 12.1, we are not able to see the restriction for logged-out users, and we are also not able to see any code difference in the auth.js file. Hence this seems to be the default behavior of PWA. Please confirm whether we are missing any information.

glo80771 avatar Jul 11 '23 11:07 glo80771

As we have not received any update on this, we are closing it. Please feel free to reopen in case of any update.

glo82145 avatar Jul 26 '23 05:07 glo82145