OCPBUGS-59353: Fix authentication redirect loop on repeated 401 responses
Add detection and handling for redirect loops that can occur when the console repeatedly receives 401 responses from the Kubernetes API. Track consecutive 401s using sessionStorage and redirect to an error page after 3 failed authentication attempts to prevent infinite loops.
The redirect counter is reset on any successful Kubernetes API request, ensuring normal authentication flows are not affected.
🤖 Generated with Claude Code
@TheRealJon: This pull request references Jira Issue OCPBUGS-59353, which is invalid:
- expected the bug to target the "4.21.0" version, but no target version was set
Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.
The bug has been updated to refer to the pull request using the external bug tracker.
Walkthrough
This PR refactors authentication error handling by renaming shouldLogout to isK8sURL for clearer intent, implements redirect loop detection for 401 responses in the auth service with session-based counter tracking, and integrates counter management calls into the co-fetch module's response validation flow.
Changes
| Cohort / File(s) | Summary |
|---|---|
| Test updates: `frontend/public/__tests__/co-fetch.spec.ts` | Updated test cases to reference renamed isK8sURL function instead of shouldLogout, with functionally equivalent behavior checks preserved. |
| Co-fetch module refactoring: `frontend/public/co-fetch.ts` | Renamed shouldLogout to isK8sURL for K8s URL detection. Added authSvc.resetRedirectCount() call for successful responses and replaced logout flow with authSvc.handle401(next) for 401 responses on identified K8s requests. |
| Auth service enhancement: `frontend/public/module/auth.js` | Added redirect loop detection with AUTH_REDIRECT_COUNT_KEY and MAX_AUTH_REDIRECTS constants. Introduced helper functions (getAuthRedirectCount, incrementAuthRedirectCount, resetAuthRedirectCount) for session-based redirect counter management. Added public methods handle401(next) and resetRedirectCount() to track and prevent infinite 401 redirects by redirecting to error page when threshold exceeded. |
Estimated code review effort
🎯 3 (Moderate) | ⏱️ ~20–30 minutes
- Redirect loop detection logic: Verify counter initialization, increment/reset flow, and MAX_AUTH_REDIRECTS threshold behavior
- Integration between co-fetch and auth service: Ensure `handle401` and `resetRedirectCount` calls are properly sequenced for K8s vs. proxied requests
- Session storage mechanism: Validate that `sessionStorage` usage for redirect counter is appropriate and keys don't conflict with other session state
- Error page redirect conditions: Confirm logic preventing already-on-error-page redirects works as intended
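The counter flow described in the walkthrough, written out as an added example (this is not the console's own `auth.js` code). The constant and method names follow the walkthrough; the storage key value, the `/auth/error` and `/auth/login` paths, the injected `storage` and `nav` objects, and the choice to send the third consecutive 401 to the error page are assumptions.

```javascript
// Added example: names follow the PR walkthrough, bodies are assumptions.
const AUTH_REDIRECT_COUNT_KEY = 'auth-redirect-count'; // assumed key value
const MAX_AUTH_REDIRECTS = 3;
const ERROR_PATH = '/auth/error'; // hypothetical error page path
const LOGIN_PATH = '/auth/login'; // hypothetical login path

// In-memory stand-in for window.sessionStorage so the example runs under Node.
function makeMemoryStorage() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(k, String(v)); },
    removeItem: (k) => { data.delete(k); },
  };
}

// nav models window.location: { pathname: string, assign(url) }.
function makeAuthGuard(storage, nav) {
  const getAuthRedirectCount = () => {
    try {
      const n = Number.parseInt(storage.getItem(AUTH_REDIRECT_COUNT_KEY), 10);
      // Missing, non-numeric or negative values (e.g. edited by hand) count as zero.
      return Number.isInteger(n) && n > 0 ? n : 0;
    } catch { return 0; } // storage access can throw when it is blocked
  };
  // Called on any successful Kubernetes API response.
  const resetRedirectCount = () => {
    try { storage.removeItem(AUTH_REDIRECT_COUNT_KEY); } catch { /* ignore */ }
  };
  // Called on a 401 from a Kubernetes API URL.
  const handle401 = (next) => {
    if (nav.pathname === ERROR_PATH) return 'noop'; // never bounce the error page
    const count = getAuthRedirectCount() + 1;
    if (count >= MAX_AUTH_REDIRECTS) {
      resetRedirectCount(); // a later manual retry starts from zero
      nav.assign(ERROR_PATH);
      return 'error';
    }
    try { storage.setItem(AUTH_REDIRECT_COUNT_KEY, String(count)); } catch { /* ignore */ }
    nav.assign(`${LOGIN_PATH}?next=${encodeURIComponent(next)}`);
    return 'login';
  };
  return { handle401, resetRedirectCount, getAuthRedirectCount };
}
```

If `sessionStorage` writes fail, this version cannot count and falls back to the plain login redirect, so the loop guard depends on storage being available in the tab.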
/retest
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: rhamilto, TheRealJon
- ~~frontend/OWNERS~~ [TheRealJon,rhamilto]
/jira refresh
@TheRealJon: This pull request references Jira Issue OCPBUGS-59353, which is valid. The bug has been moved to the POST state.
3 validation(s) were run on this bug
- bug is open, matching expected state (open)
- bug target version (4.22.0) matches configured target version for branch (4.22.0)
- bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)
Requesting review from QA contact: /cc @wewang58
/retest
@TheRealJon: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:
| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/e2e-gcp-console | a8f50e07722c84ceb324a02217782bd20fc1d1ba | link | true | /test e2e-gcp-console |