Description
There is quite the design flaw with the new auth via middleware that checks continuously if it can log you in.
If the session is gone suddenly (I can also reproduce it by deleting the session content in the cookie), it will try to log you in based on e.g. the following authenticator chain:
```php
// Load the authenticators. Session should be first.
$service->loadAuthenticator('Authentication.Session');
$service->loadAuthenticator('Authentication.Form', [
    'fields' => $fields,
    'loginUrl' => Router::url([
        'prefix' => false,
        'plugin' => false,
        'controller' => 'Account',
        'action' => 'login',
    ]),
]);
// "Remember me" cookie: re-authenticates when the session is gone
$service->loadAuthenticator('Authentication.Cookie', [
    'rememberMeField' => 'remember_me',
    'fields' => [
        'username' => 'email',
        'password' => 'password',
    ],
    'loginUrl' => Router::url([
        'prefix' => false,
        'plugin' => false,
        'controller' => 'Account',
        'action' => 'login',
    ]),
]);
// One-time login link (Tools plugin)
$service->loadAuthenticator('Tools.LoginLink', [
    'loginUrl' => Router::url([
        'prefix' => false,
        'plugin' => false,
        'controller' => 'Account',
        'action' => 'login',
    ]),
]);
```
NOW: It will log you in, so it returns the logged-in user, but the session is not filled yet, and the request continues.
So the page and templates expect, for those "protected" actions, that the session can be asked for the user id, role, etc. using getOrFail().
But since this is not persisted back into the session, the cookie or login link user auth is still "transient".
This creates 5xx errors in the application.
Only after another F5 refresh is the page back in its original state.
How do you solve this?
Do you have a way to trigger a login persist here, or do we redirect away?
My feeling is that this should redirect to the login page, which would then log you in and redirect back.
This way the page should be loaded again properly.
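As an added example (not code from the issue author or from the Authentication plugin), one way an application can close this gap itself: in `AppController::beforeFilter()`, check which authenticator produced the identity for this request. If it was not the Session authenticator, the identity came from the cookie or login link and the session has not been written yet, so persist it right away via the component and, for GET requests, redirect to the same URL so the page is rendered from a request whose session is already populated. Assumptions: the Authentication component is loaded as `Authentication`, `getAuthenticationProvider()` returns the authenticator that succeeded, and `setIdentity()` writes through all loaded persisting authenticators (including the session) synchronously; the redirect-on-GET choice is this example's, mirroring the redirect approach suggested above.

```php
<?php
declare(strict_types=1);

namespace App\Controller;

use Authentication\Authenticator\SessionAuthenticator;
use Cake\Controller\Controller;
use Cake\Event\EventInterface;

/**
 * Example base controller (added example, not the issue author's code).
 * Persists a "transient" identity (Cookie / LoginLink) into the session
 * before any action or template reads the session directly.
 */
class AppController extends Controller
{
    public function initialize(): void
    {
        parent::initialize();
        // Assumption: component alias is "Authentication" (plugin default).
        $this->loadComponent('Authentication.Authentication');
    }

    public function beforeFilter(EventInterface $event)
    {
        parent::beforeFilter($event);

        $identity = $this->Authentication->getIdentity();
        if ($identity === null) {
            // Not authenticated at all: nothing to persist, let the action
            // (or requireIdentity handling) deal with it.
            return null;
        }

        // Which authenticator in the chain produced this identity?
        $provider = $this->Authentication
            ->getAuthenticationService()
            ->getAuthenticationProvider();

        if ($provider instanceof SessionAuthenticator) {
            // Identity was read from the session: templates calling
            // getOrFail() on the session will find the data. Nothing to do.
            return null;
        }

        // Identity came from Cookie or LoginLink: the middleware only
        // persists it after the request finished, so the session is still
        // empty at this point. Persist it now so the rest of this request
        // (actions, templates) can read user id / role from the session.
        $this->Authentication->setIdentity($identity);

        // For idempotent GET requests, additionally redirect to the same URL
        // so the page is rendered by a request that started with a filled
        // session (the approach suggested in the issue). Never redirect a
        // POST: it would silently drop the submitted body.
        $request = $this->getRequest();
        if ($request->is('get')) {
            return $this->redirect($request->getRequestTarget());
        }

        // Non-GET: continue; the session was written above.
        return null;
    }
}
```

If the redirect branch is not wanted, drop it and keep only `setIdentity()`: the session is written synchronously, so a `getOrFail()` on the session later in the same request already succeeds. Checking the provider class is deliberately narrow; `instanceof PersistenceInterface` would not help, because the Cookie authenticator also implements persistence.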