IS-11215: Auto-redirect on authentication completed with success#125
IS-11215: Auto-redirect on authentication completed with success#125aleixsuau wants to merge 3 commits intointegration/IS-5161/login-web-appfrom
Conversation
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…aapiStepper. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
aleixsuau
requested review from
adnantariq-aurora,
Copilot,
luisgoncalves,
urre and
vahag-curity
and removed request for
Copilot
There was a problem hiding this comment.
Pull request overview
This PR updates the HAAPI Stepper flow to optionally auto-redirect when receiving a COMPLETED_WITH_SUCCESS step, aligning it with the stepper’s internal handling of REDIRECTION and POLLING, and adds test coverage for the new redirect behavior.
Changes:
- Added
redirectOnAuthenticationCompletedWithSuccesstoHaapiStepperConfig(defaulttrue) and routedCOMPLETED_WITH_SUCCESSthrough a dedicated handler. - Removed the unused
HaapiStepperCompletedStepUIcomponent and its export. - Updated and added tests to validate redirect vs. render behavior depending on config.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
src/login-web-app/src/haapi-stepper/feature/steps/HaapiStepperCompletedStep.tsx |
Removes the completed-step UI component (previously responsible for manual redirect). |
src/login-web-app/src/haapi-stepper/feature/stepper/step-handlers/completed-with-success-step.ts |
Adds new handler to auto-redirect (or pass step through to UI when disabled). |
src/login-web-app/src/haapi-stepper/feature/stepper/HaapiStepper.tsx |
Adds config flag + routes COMPLETED_WITH_SUCCESS to the new handler. |
src/login-web-app/src/haapi-stepper/feature/stepper/HaapiStepper.spec.tsx |
Adjusts existing tests and adds a new suite validating redirect behavior. |
src/login-web-app/src/haapi-stepper/feature/index.ts |
Removes export for the deleted completed-step UI component. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
...login-web-app/src/haapi-stepper/feature/stepper/step-handlers/completed-with-success-step.ts
Outdated
Show resolved
Hide resolved
| if (redirectHref) { | ||
| window.location.href = redirectHref; | ||
| return { nextStepData: undefined }; | ||
| } |
There was a problem hiding this comment.
When redirectOnAuthenticationCompletedWithSuccess is enabled, failing to find an authorization-response link currently falls back to rendering the completed step. This is a behavior change from the previous completed-step UI (which threw when the link was missing) and can leave consumers in an unexpected state despite the redirect config being enabled. Consider throwing an error (or otherwise surfacing a hard failure) when the link is missing and redirect is enabled, so the flow doesn't silently deviate.
| if (redirectHref) { | |
| window.location.href = redirectHref; | |
| return { nextStepData: undefined }; | |
| } | |
| if (!redirectHref) { | |
| throw new Error( | |
| 'redirectOnAuthenticationCompletedWithSuccess is enabled, but the completed-with-success step did not include an authorization-response link.' | |
| ); | |
| } | |
| window.location.href = redirectHref; | |
| return { nextStepData: undefined }; |
There was a problem hiding this comment.
@luisgoncalves, I assume the redirect link is mandatory, right?
There was a problem hiding this comment.
Yes. Unfortunately the schema doesn't require it, but since the properties (https://curity.io/docs/haapi-data-model/latest/oauth-authorization-response.html) don't include a redirect URI, it would be impossible to return to the client application if the link is not there. AFAIK the server always adds the link.
| const DEFAULT_CONFIG: Required<HaapiStepperConfig> = { | ||
| pollingInterval: 3000, | ||
| bankIdAutostart: true, | ||
| redirectOnAuthenticationCompletedWithSuccess: true, | ||
| }; | ||
|
|
||
| export interface HaapiStepperConfig { | ||
| pollingInterval: number; | ||
| bankIdAutostart: boolean; | ||
| redirectOnAuthenticationCompletedWithSuccess: boolean; | ||
| } |
There was a problem hiding this comment.
HaapiStepper's config prop accepts Partial<HaapiStepperConfig> and defaults are provided via DEFAULT_CONFIG, but HaapiStepperConfig itself has all fields required. Adding a new required field (redirectOnAuthenticationCompletedWithSuccess) can be a breaking type change for downstream consumers that annotate config objects as HaapiStepperConfig. Consider making this flag optional (and relying on DEFAULT_CONFIG), or adjusting the config type(s) so the public type matches how consumers are expected to provide config.
There was a problem hiding this comment.
I don't have anything to add about Copilot's comment, if that's why you tagged me.
However, I disagree with adding this config option, because YAGNI. Can you detail why you added it?
In the LWA, not redirecting back automatically means adding a new user interaction when it isn't necessary. I don't think we have a use case for that, and we don't do this in "full page" flows. No need to increase the API surface here.
OTOH, in a scenario where the stepper is used as a "library" (which you usually mention), automatically redirecting may be undesirable, no? In that case, the stepper is running in the client SPA code, so changing the window location could mean reloading the SPA and losing context...? An alternative to this would be that the stepper config takes a "flow ended callback", so that the consumer can do whatever it wants when the flow ends - but I didn't think this through.
Perhaps we don't need to worry about this last case, but I still think we can avoid the setting for now.
…step.ts Agent-Logs-Url: https://github.com/curityio/ui-kit/sessions/0edfd471-eaa5-4544-bcfa-4af503534b25 Co-authored-by: aleixsuau <25689432+aleixsuau@users.noreply.github.com>
There was a problem hiding this comment.
Why did this change if package.json didn't change?
| if (redirectHref) { | ||
| window.location.href = redirectHref; | ||
| return { nextStepData: undefined }; | ||
| } |
There was a problem hiding this comment.
Yes. Unfortunately the schema doesn't require it, but since the properties (https://curity.io/docs/haapi-data-model/latest/oauth-authorization-response.html) don't include a redirect URI, it would be impossible to return to the client application if the link is not there. AFAIK the server always adds the link.
| const DEFAULT_CONFIG: Required<HaapiStepperConfig> = { | ||
| pollingInterval: 3000, | ||
| bankIdAutostart: true, | ||
| redirectOnAuthenticationCompletedWithSuccess: true, | ||
| }; | ||
|
|
||
| export interface HaapiStepperConfig { | ||
| pollingInterval: number; | ||
| bankIdAutostart: boolean; | ||
| redirectOnAuthenticationCompletedWithSuccess: boolean; | ||
| } |
There was a problem hiding this comment.
I don't have anything to add about Copilot's comment, if that's why you tagged me.
However, I disagree with adding this config option, because YAGNI. Can you detail why you added it?
In the LWA, not redirecting back automatically means adding a new user interaction when it isn't necessary. I don't think we have a use case for that, and we don't do this in "full page" flows. No need to increase the API surface here.
OTOH, in a scenario where the stepper is used as a "library" (which you usually mention), automatically redirecting may be undesirable, no? In that case, the stepper is running in the client SPA code, so changing the window location could mean reloading the SPA and losing context...? An alternative to this would be that the stepper config takes a "flow ended callback", so that the consumer can do whatever it wants when the flow ends - but I didn't think this through.
Perhaps we don't need to worry about this last case, but I still think we can avoid the setting for now.
|
|
||
| case HAAPI_STEPS.COMPLETED_WITH_SUCCESS: | ||
| return handleCompletedWithSuccessStep(nextStepResponse, config); | ||
|
|
There was a problem hiding this comment.
What about COMPLETED_WITH_ERROR below? IINM an OAuth error authorization response also means "flow ended" and should also redirect to the client application.
Summary
HaapiStepperCompletedStepUIcomponentredirectOnAuthenticationCompletedWithSuccessconfig flag toHaapiStepperConfig(default:true)authorization-responselink URL onCOMPLETED_WITH_SUCCESS, consistent with howREDIRECTIONandPOLLINGsteps are handled internallystep-handlers/completed-with-success-step.tsJira
IS-11215
Test plan
redirectOnAuthenticationCompletedWithSuccess: falserenders the completed step