Bug Report #1627579391303 - Problem redirecting when Security Enforcer is enabled in the main page of an SPA

Hi,

I need help with a rather weird situation that involves the security enforcer. We built a Single Page Application on Wappler that I’ll call “W” from now on. This application uses the PHP model.

In addition, our client has a website, over which we have no control. I’ll call our client’s website “C” from now on.

The majority of W users login to C first, using their username and password credentials in C. At a point, C shows them a page that has a button that says something like “Login to W”.

This button redirects to something like this:

https://W_domain_address/RemoteLogin/parameter1/parameter2

The RemoteLogin parameter is routed to a Server Action / API / Workflow in W called rlogin.php with parameter1 and parameter2, which allow W to log the user in C as a user in W.

This mechanism works well and has been used for more than a year.

The problem is that as soon as we enable the security enforcer in W’s main page, the remote login process has problems and users are redirected to the page configured on the security enforcer to send users to when they are not logged in, instead of being logged in and sent to their home page in W.

We believe that the problem is in the redirect step in the server action / API / Workflow rlogin.php and that things work up to the immediately preceding step, the Security Login.

The redirect step is intended to take the users to their home page.

As soon as we remove the security enforcer from the main page in W, everything works again.

In addition (and not sure if this is relevant, but just in case), if we were to type in the browser’s address bar the URL that the button in C’s page would redirect to (https://W_domain_address/RemoteLogin/parameter1/parameter2), W’s rlogin works even with the security enforcer enabled in the main page.

We have tried many approaches, like
(a) republished the entire project using Wappler’s newest libraries (3.9.9, 4.0.0, 4.01) but the result has always been the same.
(b) built a simple page with a button with the same <a> tag to emulate the behaviour of the client’s website C, just to be sure that the problem was not there, and the result is the same.

We cannot enable the security enforcer on an SPA without breaking the remote login mechanism.

Your help is greatly appreciated!

Alex
