
fix: SSO login redirects back to login page after successful auth (v2)#13446

Open
liuxiaoyusky wants to merge 1 commit intoinfiniflow:mainfrom
liuxiaoyusky:fix/sso-login-redirect-v2


@liuxiaoyusky
Contributor

Summary

Clean re-submission of #13371 with only the SSO fix (13 lines, 2 files).

Root Causes:

  1. Backend: _load_user() fails JWT verification when frontend sends Authorization: Bearer <token> — the Bearer prefix is included in the signature check, causing mismatch.

  2. Frontend: Child components render and fire API requests before auth state is confirmed, triggering 401 → localStorage clear → redirect loop.

Fix:

  • Backend: Strip "Bearer " prefix before JWT deserialization (api/apps/__init__.py)
  • Frontend: Add auth guard in NextLayout using useAuth() to block rendering until login status confirmed (web/src/layouts/next.tsx)

Changes

 api/apps/__init__.py     |  3 +++
 web/src/layouts/next.tsx | 10 ++++++++++
 2 files changed, 13 insertions(+)

Risk Analysis

| Risk | Impact | Mitigation |
| --- | --- | --- |
| Breaking username/password login | Medium | Tested locally, standard login still works |
| Breaking embedded page auth (`?jwt_auth=`) | Low | Route loader still runs before auth guard |
| Breaking other SSO providers | Low | Same JWT validation path, just prefix handling |

Test Plan

  • Backend: curl with both Authorization: <token> and Authorization: Bearer <token> returns code=0
  • E2E: Feishu SSO login → lands on home page without redirect loop
  • Verify normal username/password login still works
  • Verify embedded page auth (?jwt_auth=) still works
  • Test with other SSO providers (Google, GitHub, etc.) if available

Why v2?

PR #13371 was closed due to:

  • Too many unrelated changes (7184 additions)
  • Included unrelated development work from fork

This PR contains only the SSO fix, making it review-friendly.

Made with ❤️ and proper git hygiene

Two independent root causes:

1. Backend `_load_user()` fails JWT verification when frontend sends
   `Authorization: Bearer <token>` — the Bearer prefix is included in
   the signature check, causing a mismatch. Fix: strip "Bearer " prefix
   before JWT deserialization.

2. After route loader stores the token and redirects (removing ?auth=
   from URL), child components render immediately and fire API requests
   before auth state is confirmed. The empty/stale Authorization header
   triggers 401, which the Axios interceptor handles by clearing
   localStorage and redirecting to /login. Fix: add auth guard in
   NextLayout using useAuth() to block rendering until login status is
   confirmed.

Made-with: Cursor
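The backend half of the bug (root cause 1) is easy to reproduce in isolation: a request loader that hands the whole `Authorization` header value to the token verifier will reject any client that sends the standard `Bearer <token>` form, even though the token itself is valid. The following is an added example, not code from this PR or from the RAGFlow repository. It uses a constructed HMAC-signed token as a stand-in for the project's real serializer, and the names `extract_token`, `load_user_before_fix` and `load_user_after_fix` are hypothetical. It shows the pre-fix behaviour next to the fixed one, and the fixed parser also rejects a bare `Bearer` scheme with no token and a tampered signature, which the PR description does not spell out.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret; a real deployment loads this from configuration.
SECRET = b"constructed-demo-secret"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user_id: str, secret: bytes = SECRET) -> str:
    """Constructed stand-in for the backend serializer: '<payload>.<hmac-sha256>'."""
    payload = _b64(json.dumps({"uid": user_id}).encode())
    sig = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def verify_token(token: str, secret: bytes = SECRET) -> Optional[dict]:
    """Return the payload dict, or None when the signature does not match."""
    try:
        payload, sig = token.rsplit(".", 1)
    except ValueError:
        return None  # no separator at all: not a token we issued
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None  # signature covers the payload only; any prefix breaks it
    try:
        return json.loads(_unb64(payload))
    except (ValueError, UnicodeDecodeError):
        return None


def extract_token(authorization: Optional[str]) -> Optional[str]:
    """Accept both 'Authorization: <token>' and 'Authorization: Bearer <token>'.

    The scheme is matched case-insensitively (HTTP auth schemes are), and a
    'Bearer' with nothing after it is treated as no credential rather than as
    a token literally named 'Bearer'.
    """
    if not authorization:
        return None
    value = authorization.strip()
    parts = value.split(None, 1)
    if parts and parts[0].lower() == "bearer":
        if len(parts) != 2:
            return None
        value = parts[1].strip()
    return value or None


def load_user_before_fix(authorization: Optional[str]) -> Optional[dict]:
    """Pre-fix behaviour: the raw header value goes straight to the verifier."""
    return verify_token(authorization) if authorization else None


def load_user_after_fix(authorization: Optional[str]) -> Optional[dict]:
    """Fixed behaviour: strip the scheme first, then verify."""
    token = extract_token(authorization)
    return verify_token(token) if token else None


if __name__ == "__main__":
    tok = issue_token("u1")
    print("before, raw token:   ", load_user_before_fix(tok))
    print("before, Bearer token:", load_user_before_fix("Bearer " + tok))
    print("after,  Bearer token:", load_user_after_fix("Bearer " + tok))
```

Run stand-alone, the pre-fix loader returns `None` for the `Bearer` form and the fixed loader returns the payload for both forms; that is exactly the 401 the frontend then turned into the redirect loop.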
@dosubot dosubot bot added the size:S This PR changes 10-29 lines, ignoring generated files. label Mar 6, 2026
@yingfeng yingfeng requested a review from cike8899 March 9, 2026 04:36