Display a redirecting page when browsers on android visit a completed web session

ref DEV-2484
ref DEV-2215

Author: louischan-oursky

.make-lint-translation-keys-expect

@@ -28,24 +28,24 @@ resources/authgear/templates/en/web/authflowv2/forgot_password.html:103:30: temp
 resources/authgear/templates/en/web/authflowv2/forgot_password.html:159:26: template translation is forbidden: `__forgot_password_alternative`
 resources/authgear/templates/en/web/authflowv2/layout.html:5:14: template translation is forbidden: `widget`
 resources/authgear/templates/en/web/authflowv2/login.html:253:37: translation key not defined: "%s-icon"
-resources/authgear/templates/en/web/authflowv2/settings_identity_list_email.html:57:44: translation key not defined: "v2.page.settings-identity-list-email.default.provider.%s"
-resources/authgear/templates/en/web/authflowv2/settings_identity_list_oauth.html:56:32: translation key not defined: "v2.page.settings-identity-oauth.default.provider.%s"
-resources/authgear/templates/en/web/authflowv2/settings_identity_list_oauth.html:107:35: translation key not defined: "v2.page.settings-identity-oauth.default.provider.%s"
-resources/authgear/templates/en/web/authflowv2/settings_identity_list_phone.html:57:44: translation key not defined: "v2.page.settings-identity-list-phone.default.provider.%s"
+resources/authgear/templates/en/web/authflowv2/settings_identity_list_email.html:58:44: translation key not defined: "v2.page.settings-identity-list-email.default.provider.%s"
+resources/authgear/templates/en/web/authflowv2/settings_identity_list_oauth.html:57:32: translation key not defined: "v2.page.settings-identity-oauth.default.provider.%s"
+resources/authgear/templates/en/web/authflowv2/settings_identity_list_oauth.html:108:35: translation key not defined: "v2.page.settings-identity-oauth.default.provider.%s"
+resources/authgear/templates/en/web/authflowv2/settings_identity_list_phone.html:58:44: translation key not defined: "v2.page.settings-identity-list-phone.default.provider.%s"
 resources/authgear/templates/en/web/authflowv2/settings_layout.html:3:14: template translation is forbidden: `widget`
-resources/authgear/templates/en/web/authflowv2/settings_mfa.html:69:44: translation key not defined: "/settings/mfa/create_oob_otp_%s"
-resources/authgear/templates/en/web/authflowv2/settings_oob_otp.html:77:31: translation key not defined: "/settings/mfa/create_oob_otp_%s"
-resources/authgear/templates/en/web/authflowv2/settings_profile.html:139:22: translation key not defined: "custom-attribute-label-%s"
-resources/authgear/templates/en/web/authflowv2/settings_profile.html:140:20: invalid translation key: "$labelKey"
-resources/authgear/templates/en/web/authflowv2/settings_profile.html:144:21: invalid translation key: "$labelKey"
-resources/authgear/templates/en/web/authflowv2/settings_profile.html:208:22: invalid translation key: "$label"
+resources/authgear/templates/en/web/authflowv2/settings_mfa.html:70:44: translation key not defined: "/settings/mfa/create_oob_otp_%s"
+resources/authgear/templates/en/web/authflowv2/settings_oob_otp.html:78:31: translation key not defined: "/settings/mfa/create_oob_otp_%s"
+resources/authgear/templates/en/web/authflowv2/settings_profile.html:140:22: translation key not defined: "custom-attribute-label-%s"
+resources/authgear/templates/en/web/authflowv2/settings_profile.html:141:20: invalid translation key: "$labelKey"
+resources/authgear/templates/en/web/authflowv2/settings_profile.html:145:21: invalid translation key: "$labelKey"
+resources/authgear/templates/en/web/authflowv2/settings_profile.html:209:22: invalid translation key: "$label"
 resources/authgear/templates/en/web/authflowv2/settings_profile_edit_custom.html:6:18: translation key not defined: "custom-attribute-label-%s"
 resources/authgear/templates/en/web/authflowv2/settings_profile_edit_custom.html:7:16: invalid translation key: "$labelKey"
 resources/authgear/templates/en/web/authflowv2/settings_profile_edit_custom.html:11:17: invalid translation key: "$labelKey"
-resources/authgear/templates/en/web/authflowv2/settings_profile_edit_custom.html:103:30: translation key not defined: "custom-attribute-enum-label-%s-%s"
-resources/authgear/templates/en/web/authflowv2/settings_profile_edit_custom.html:104:28: invalid translation key: "$enum_label_key"
-resources/authgear/templates/en/web/authflowv2/settings_profile_edit_custom.html:107:28: invalid translation key: "$enum_label_key"
-resources/authgear/templates/en/web/authflowv2/settings_sessions.html:46:29: translation key not defined: "__settings_session_item_description"
+resources/authgear/templates/en/web/authflowv2/settings_profile_edit_custom.html:104:30: translation key not defined: "custom-attribute-enum-label-%s-%s"
+resources/authgear/templates/en/web/authflowv2/settings_profile_edit_custom.html:105:28: invalid translation key: "$enum_label_key"
+resources/authgear/templates/en/web/authflowv2/settings_profile_edit_custom.html:108:28: invalid translation key: "$enum_label_key"
+resources/authgear/templates/en/web/authflowv2/settings_sessions.html:47:29: translation key not defined: "__settings_session_item_description"
 resources/authgear/templates/en/web/authflowv2/signup.html:93:26: translation key not defined: "v2.page.signup-login.continue.subtitle-%v"
 resources/authgear/templates/en/web/authflowv2/signup.html:102:26: translation key not defined: "v2.page.signup.continue.subtitle-%v"
 resources/authgear/templates/en/web/authflowv2/signup.html:276:35: translation key not defined: "%s-icon"

.vettedpositions

@@ -40,10 +40,10 @@
 /pkg/auth/handler/webapp/auth_entry_point_middleware.go:31:31: requestcontext
 /pkg/auth/handler/webapp/auth_entry_point_middleware.go:32:35: requestcontext
 /pkg/auth/handler/webapp/authflow_change_password.go:96:26: requestcontext
-/pkg/auth/handler/webapp/authflow_controller.go:1001:19: requestcontext
-/pkg/auth/handler/webapp/authflow_controller.go:979:30: requestcontext
-/pkg/auth/handler/webapp/authflow_controller.go:984:24: requestcontext
-/pkg/auth/handler/webapp/authflow_controller.go:992:19: requestcontext
+/pkg/auth/handler/webapp/authflow_controller.go:989:30: requestcontext
+/pkg/auth/handler/webapp/authflow_controller.go:994:24: requestcontext
+/pkg/auth/handler/webapp/authflow_controller.go:1002:19: requestcontext
+/pkg/auth/handler/webapp/authflow_controller.go:1011:19: requestcontext
 /pkg/auth/handler/webapp/authflow_create_password.go:132:26: requestcontext
 /pkg/auth/handler/webapp/authflow_enter_oob_otp.go:156:26: requestcontext
 /pkg/auth/handler/webapp/authflow_enter_password.go:138:26: requestcontext
@@ -101,9 +101,7 @@
 /pkg/auth/handler/webapp/authflowv2/settings_change_password.go:70:30: requestcontext
 /pkg/auth/handler/webapp/authflowv2/settings_delete_account.go:76:30: requestcontext
 /pkg/auth/handler/webapp/authflowv2/settings_delete_account.go:78:39: requestcontext
-/pkg/auth/handler/webapp/authflowv2/settings_delete_account.go:80:34: requestcontext
 /pkg/auth/handler/webapp/authflowv2/settings_delete_account_success.go:54:30: requestcontext
-/pkg/auth/handler/webapp/authflowv2/settings_delete_account_success.go:56:34: requestcontext
 /pkg/auth/handler/webapp/authflowv2/settings_identity_add_email.go:73:30: requestcontext
 /pkg/auth/handler/webapp/authflowv2/settings_identity_add_phone.go:81:30: requestcontext
 /pkg/auth/handler/webapp/authflowv2/settings_identity_change_primary_email.go:105:30: requestcontext
@@ -233,15 +231,15 @@
 /pkg/auth/handler/webapp/verify_identity.go:161:27: requestcontext
 /pkg/auth/handler/webapp/verify_identity_success.go:42:27: requestcontext
 /pkg/auth/handler/webapp/verify_login_link.go:92:27: requestcontext
-/pkg/auth/handler/webapp/viewmodels/base.go:213:32: requestcontext
-/pkg/auth/handler/webapp/viewmodels/base.go:228:35: requestcontext
-/pkg/auth/handler/webapp/viewmodels/base.go:230:57: requestcontext
-/pkg/auth/handler/webapp/viewmodels/base.go:282:38: requestcontext
-/pkg/auth/handler/webapp/viewmodels/base.go:288:24: requestcontext
-/pkg/auth/handler/webapp/viewmodels/base.go:300:43: requestcontext
-/pkg/auth/handler/webapp/viewmodels/base.go:376:47: requestcontext
-/pkg/auth/handler/webapp/viewmodels/base.go:381:28: requestcontext
-/pkg/auth/handler/webapp/viewmodels/base.go:394:33: requestcontext
+/pkg/auth/handler/webapp/viewmodels/base.go:217:32: requestcontext
+/pkg/auth/handler/webapp/viewmodels/base.go:232:35: requestcontext
+/pkg/auth/handler/webapp/viewmodels/base.go:234:57: requestcontext
+/pkg/auth/handler/webapp/viewmodels/base.go:286:38: requestcontext
+/pkg/auth/handler/webapp/viewmodels/base.go:292:24: requestcontext
+/pkg/auth/handler/webapp/viewmodels/base.go:304:43: requestcontext
+/pkg/auth/handler/webapp/viewmodels/base.go:381:47: requestcontext
+/pkg/auth/handler/webapp/viewmodels/base.go:386:28: requestcontext
+/pkg/auth/handler/webapp/viewmodels/base.go:399:33: requestcontext
 /pkg/auth/handler/webapp/websocket.go:45:25: requestcontext
 /pkg/auth/handler/webapp/websocket.go:56:25: requestcontext
 /pkg/auth/handler/webapp/websocket.go:80:30: requestcontext

authui/src/authflowv2/icons/material-symbols-outlined-subset.ttf

@@ -28,7 +28,7 @@ type CreateAuthenticatorPhoneOTPNode interface {
 // nolint: gocognit
 func handleAlternativeSteps(ctrl *Controller) {
 	ctrl.PostAction("choose_step", func(ctx context.Context) (err error) {
-		session, err := ctrl.InteractionSession(ctx)
+		session, err := ctrl.GetWebappSession(ctx)
 		if err != nil {
 			return err
 		}

authui/src/authflowv2/icons/material-symbols-outlined-subset.woff2

@@ -202,12 +202,16 @@ func (c *AuthflowController) HandleStartOfFlow(
 	handleWithScreen(screen)
 }
 
+func (c *AuthflowController) isExpectedWebSessionError(err error) bool {
+	return apierrors.IsKind(err, webapp.WebUIInvalidSession) || apierrors.IsKind(err, webapp.WebUISessionCompleted)
+}
+
 func (c *AuthflowController) HandleOAuthCallback(ctx context.Context, w http.ResponseWriter, r *http.Request, callbackResponse AuthflowOAuthCallbackResponse) {
 	state := callbackResponse.State
 
 	s, err := c.Sessions.Get(ctx, state.WebSessionID)
 	if err != nil {
-		if !apierrors.IsKind(err, webapp.WebUIInvalidSession) {
+		if !c.isExpectedWebSessionError(err) {
 			c.Logger.WithError(err).Errorf("failed to get web session")
 		}
 		c.renderError(ctx, w, r, err)
@@ -309,7 +313,7 @@ func (c *AuthflowController) HandleStep(ctx context.Context, w http.ResponseWrit
 
 	s, err := c.getWebSession(ctx)
 	if err != nil {
-		if !apierrors.IsKind(err, webapp.WebUIInvalidSession) {
+		if !c.isExpectedWebSessionError(err) {
 			c.Logger.WithError(err).Errorf("failed to get web session")
 		}
 		c.renderError(ctx, w, r, err)
@@ -341,7 +345,7 @@ func (c *AuthflowController) HandleWithoutFlow(ctx context.Context, w http.Respo
 	var session *webapp.Session
 	s, err := c.getWebSession(ctx)
 	if err != nil {
-		if !apierrors.IsKind(err, webapp.WebUIInvalidSession) {
+		if !c.isExpectedWebSessionError(err) {
 			c.Logger.WithError(err).Errorf("failed to get web session")
 		}
 	} else {
@@ -368,21 +372,27 @@ func (c *AuthflowController) getWebSession(ctx context.Context) (*webapp.Session
 	if s == nil {
 		return nil, webapp.ErrSessionNotFound
 	}
+	if s.IsCompleted {
+		return nil, webapp.ErrSessionCompleted
+	}
 	return s, nil
 }
 
 func (c *AuthflowController) getOrCreateWebSession(ctx context.Context, w http.ResponseWriter, r *http.Request, opts webapp.SessionOptions) (*webapp.Session, error) {
 	now := c.Clock.NowUTC()
-	s := webapp.GetSession(ctx)
-	if s != nil {
+	s, err := c.getWebSession(ctx)
+	if err == nil && s != nil {
 		return s, nil
 	}
+	if !errors.Is(err, webapp.ErrSessionNotFound) {
+		return nil, err
+	}
 
 	o := opts
 	o.UpdatedAt = now
 
 	s = webapp.NewSession(o)
-	err := c.Sessions.Create(ctx, s)
+	err = c.Sessions.Create(ctx, s)
 	if err != nil {
 		return nil, err
 	}
@@ -1129,16 +1139,17 @@ func (c *AuthflowController) finishSession(
 	case authflow.FlowTypeSignupLogin:
 		fallthrough
 	case authflow.FlowTypeReauth:
-		// Forget the session.
-		err := c.Sessions.Delete(ctx, s.ID)
+		// Mark the current session as completed,
+		// so that user will see a completed screen if trying to back to the previous steps
+		s.IsCompleted = true
+		err = c.Sessions.Update(ctx, s)
 		if err != nil {
 			return err
 		}
 		// Marked signed up in cookie after authorization.
 		// When user visit auth ui root "/", redirect user to "/login" if
 		// cookie exists
 		result.Cookies = append(result.Cookies, c.Cookies.ValueCookie(c.SignedUpCookie.Def, "true"))
-		result.Cookies = append(result.Cookies, c.Cookies.ClearCookie(c.SessionCookie.Def))
 		// Reset visitor ID.
 		result.Cookies = append(result.Cookies, c.Cookies.ClearCookie(webapp.VisitorIDCookieDef))
 	default:

pkg/auth/handler/webapp/alternatives.go

@@ -123,7 +123,7 @@ func (h *AuthflowV2SelectAccountHandler) ServeHTTP(w http.ResponseWriter, r *htt
 	ctrl.BeforeHandle(func(ctx context.Context) error {
 
 		// Ensure webapp session exist
-		ws, err := ctrl.InteractionSession(ctx)
+		ws, err := ctrl.GetWebappSession(ctx)
 		if err != nil {
 			return err
 		}

pkg/auth/handler/webapp/authflow_controller.go

@@ -69,7 +69,7 @@ func (h *AuthflowV2SettingsChangePasswordHandler) ServeHTTP(w http.ResponseWrite
 	}
 	defer ctrl.ServeWithoutDBTx(r.Context())
 
-	ctrl.Get(func(ctx context.Context) error {
+	ctrl.GetWithSettingsActionWebSession(r, func(ctx context.Context, _ *webapp.Session) error {
 		data, err := h.GetData(r, w)
 		if err != nil {
 			return err
@@ -80,7 +80,7 @@ func (h *AuthflowV2SettingsChangePasswordHandler) ServeHTTP(w http.ResponseWrite
 		return nil
 	})
 
-	ctrl.PostAction("", func(ctx context.Context) error {
+	ctrl.PostActionWithSettingsActionWebSession("", r, func(ctx context.Context, webappSession *webapp.Session) error {
 		err := AuthflowV2SettingsChangePasswordSchema.Validator().ValidateValue(handlerwebapp.FormToJSON(r.Form))
 		if err != nil {
 			return err
@@ -96,29 +96,29 @@ func (h *AuthflowV2SettingsChangePasswordHandler) ServeHTTP(w http.ResponseWrite
 		}
 
 		s := session.GetSession(ctx)
-		webappSession := webapp.GetSession(ctx)
-		var oAuthSessionID string
-		redirectURI := SettingsV2RouteSettings
-		if webappSession != nil {
-			oAuthSessionID = webappSession.OAuthSessionID
-			redirectURI = webappSession.RedirectURI
-		}
 
 		input := &accountmanagement.ChangePrimaryPasswordInput{
-			OAuthSessionID: oAuthSessionID,
-			RedirectURI:    redirectURI,
-			OldPassword:    oldPassword,
-			NewPassword:    newPassword,
+			OldPassword: oldPassword,
+			NewPassword: newPassword,
 		}
 
-		changePasswordOutput, err := h.AccountManagementService.ChangePrimaryPassword(ctx, s, input)
+		err = h.AccountManagementService.ChangePrimaryPassword(ctx, s, input)
 		if err != nil {
 			return err
 		}
 
+		if ctrl.IsInSettingsAction(s, webappSession) {
+			settingsActionResult, err := ctrl.FinishSettingsActionWithResult(ctx, s, webappSession)
+			if err != nil {
+				return err
+			}
+			settingsActionResult.WriteResponse(w, r)
+			return nil
+		}
+
 		result := webapp.Result{
-			RedirectURI:      changePasswordOutput.RedirectURI,
 			NavigationAction: webapp.NavigationActionRedirect,
+			RedirectURI:      SettingsV2RouteSettings,
 		}
 		result.WriteResponse(w, r)
 		return nil

pkg/auth/handler/webapp/authflowv2/select_account.go

@@ -77,9 +77,8 @@ func (h *AuthflowV2SettingsDeleteAccountHandler) ServeHTTP(w http.ResponseWriter
 
 	currentSession := session.GetSession(r.Context())
 	redirectURI := "/settings/delete_account/success"
-	webSession := webapp.GetSession(r.Context())
 
-	ctrl.Get(func(ctx context.Context) error {
+	ctrl.GetWithSettingsActionWebSession(r, func(ctx context.Context, _ *webapp.Session) error {
 		var data map[string]interface{}
 		err := h.Database.WithTx(ctx, func(ctx context.Context) error {
 			data, err = h.GetData(ctx, r, w)
@@ -93,8 +92,7 @@ func (h *AuthflowV2SettingsDeleteAccountHandler) ServeHTTP(w http.ResponseWriter
 
 		return nil
 	})
-
-	ctrl.PostAction("delete", func(ctx context.Context) error {
+	ctrl.PostActionWithSettingsActionWebSession("delete", r, func(ctx context.Context, webappSession *webapp.Session) error {
 		confirmation := r.Form.Get("delete")
 		isConfirmed := confirmation == "DELETE"
 		if !isConfirmed {
@@ -108,10 +106,10 @@ func (h *AuthflowV2SettingsDeleteAccountHandler) ServeHTTP(w http.ResponseWriter
 			return err
 		}
 
-		if ctrl.IsInSettingsAction(currentSession, webSession) {
+		if ctrl.IsInSettingsAction(currentSession, webappSession) {
 			// delete account triggered by sdk via settings action
 			// handle settings action result here
-			err = ctrl.FinishSettingsAction(ctx, currentSession, webSession)
+			err = ctrl.FinishSettingsAction(ctx, currentSession, webappSession)
 			if err != nil {
 				return err
 			}

pkg/auth/handler/webapp/authflowv2/settings_change_password.go

@@ -53,9 +53,7 @@ func (h *AuthflowV2SettingsDeleteAccountSuccessHandler) ServeHTTP(w http.Respons
 	}
 	defer ctrl.ServeWithoutDBTx(r.Context())
 
-	webSession := webapp.GetSession(r.Context())
-
-	ctrl.Get(func(ctx context.Context) error {
+	ctrl.GetWithSettingsActionWebSession(r, func(ctx context.Context, _ *webapp.Session) error {
 		data, err := h.GetData(r, w)
 		if err != nil {
 			return nil
@@ -64,9 +62,9 @@ func (h *AuthflowV2SettingsDeleteAccountSuccessHandler) ServeHTTP(w http.Respons
 		return nil
 	})
 
-	ctrl.PostAction("", func(ctx context.Context) error {
+	ctrl.PostActionWithSettingsActionWebSession("", r, func(ctx context.Context, webSession *webapp.Session) error {
 		redirectURI := "/login"
-		settingsActionResult, ok, err := ctrl.GetSettingsActionResult(ctx, webSession)
+		settingsActionResult, ok, err := ctrl.CreateSettingsActionResult(ctx, webSession)
 		if err != nil {
 			return err
 		}