From ec6e90ef5bc468fb8739b98c5f14464857db72cd Mon Sep 17 00:00:00 2001
From: Anders Olsson
Date: Mon, 8 Jun 2026 15:02:55 +0200
Subject: [PATCH] feat(web): login reason banner + return-to + empty-field guard (#48)
---
web/src/auth/login-page.test.tsx | 32 ++++++++++++++++++++++++++++++++
web/src/auth/login-page.tsx | 18 +++++++++++++++---
web/src/i18n/en.json | 2 +-
web/src/i18n/sv.json | 2 +-
4 files changed, 49 insertions(+), 5 deletions(-)
diff --git a/web/src/auth/login-page.test.tsx b/web/src/auth/login-page.test.tsx
index dd1ad84..0cf8a3c 100644
--- a/web/src/auth/login-page.test.tsx
+++ b/web/src/auth/login-page.test.tsx
@@ -12,6 +12,7 @@ function tree() { } /> objects landing} /> + object detail} /> ); }
@@ -34,3 +35,34 @@ test("invalid credentials show an inline error", async () => {
 expect(screen.getByText(/invalid email or password/i)).toBeInTheDocument(),
 );
 });
+
+test("shows the session-expired notice when reason=expired", async () => {
+ renderApp(tree(), { route: "/login?reason=expired" });
+ expect(await screen.findByText(/session expired/i)).toBeInTheDocument();
+});
+
+test("returns to the from path on success", async () => {
+ renderApp(tree(), { route: "/login?from=%2Fobjects%2F123" });
+ await userEvent.type(screen.getByLabelText(/email/i), "editor@example.com");
+ await userEvent.type(screen.getByLabelText(/password/i), "pw-editor-123");
+ await userEvent.click(screen.getByRole("button", { name: /sign in/i }));
+ expect(await screen.findByText("object detail")).toBeInTheDocument();
+});
+
+test("rejects an off-site from and falls back to /objects", async () => {
+ renderApp(tree(), { route: "/login?from=%2F%2Fevil.com" });
+ await userEvent.type(screen.getByLabelText(/email/i), "editor@example.com");
+ await userEvent.type(screen.getByLabelText(/password/i), "pw-editor-123");
+ await userEvent.click(screen.getByRole("button", { name: /sign in/i }));
+ expect(await screen.findByText("objects landing")).toBeInTheDocument();
+});
+
+test("disables submit until both fields are filled", async () => {
+ renderApp(tree(), { route: "/login" });
+ const button = screen.getByRole("button", { name: /sign in/i });
+ expect(button).toBeDisabled();
+ await userEvent.type(screen.getByLabelText(/email/i), "a@b.se");
+ expect(button).toBeDisabled();
+ await userEvent.type(screen.getByLabelText(/password/i), "pw");
+ expect(button).toBeEnabled();
+});
diff --git a/web/src/auth/login-page.tsx b/web/src/auth/login-page.tsx
index 3de4927..1eedfeb 100644
--- a/web/src/auth/login-page.tsx
+++ b/web/src/auth/login-page.tsx
@@ -1,5 +1,5 @@
 import { useEffect, useState, type FormEvent } from "react";
-import { useNavigate } from "react-router-dom";
+import { useNavigate, useSearchParams } from "react-router-dom";
 import { useTranslation } from "react-i18next";
 import { useLogin } from "../api/queries";
@@ -8,10 +8,19 @@ import { Button } from "@/components/ui/button";
 import { Input } from "@/components/ui/input";
 import { Label } from "@/components/ui/label";
+/** Accept only a single-leading-slash local path; reject protocol-relative
+ * ("//host") and absolute URLs to avoid an open redirect. */
+function safeFrom(raw: string | null): string {
+ if (!raw) return "/objects";
+ return /^\/(?!\/)/.test(raw) ? raw : "/objects";
+}
+
 export function LoginPage() {
 const { t } = useTranslation();
 const { app_name } = useConfig();
 const navigate = useNavigate();
+ const [params] = useSearchParams();
+ const sessionExpired = params.get("reason") === "expired";
 const login = useLogin();
 const [email, setEmail] = useState("");
 const [password, setPassword] = useState("");
@@ -24,7 +33,7 @@ export function LoginPage() {
 event.preventDefault();
 login.mutate(
 { email, password },
- { onSuccess: () => navigate("/objects", { replace: true }) },
+ { onSuccess: () => navigate(safeFrom(params.get("from")), { replace: true }) },
 );
 };
@@ -38,6 +47,9 @@ export function LoginPage() {
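Review bot: `safeFrom` in the second login-page.tsx hunk rejects `//host` but still accepts a backslash right after the leading slash (`/\evil.com`), which the WHATWG URL parser normalises to a protocol-relative URL for http(s); react-router's `navigate` should keep such a value on the current origin, but the moment this helper is reused for `window.location` or a server-issued redirect it becomes an open redirect, so tightening it now is cheap: `return /^\/(?![\/\\])/.test(raw) ? raw : "/objects";`. The `rejects an off-site from and falls back to /objects` test in login-page.test.tsx would then get a second case with `from=%2F%5Cevil.com`. The submit-disabling that the new `disables submit until both fields are filled` test asserts is not visible in the login-page.tsx hunks as rendered here (the JSX hunk is garbled), so I could not confirm it is part of this commit. `LoginPage` continues past the end of the hunk.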

{app_name}

+ {sessionExpired && ( +

{t("auth.sessionExpired")}

+ )}
)} -
diff --git a/web/src/i18n/en.json b/web/src/i18n/en.json
index a8a70bf..02a74a1 100644
--- a/web/src/i18n/en.json
+++ b/web/src/i18n/en.json
@@ -1,7 +1,7 @@
 {
 "common": { "yes": "Yes", "no": "No", "close": "Close", "loading": "Loading", "filter": "Filter…", "noMatches": "No matches", "language": "Language", "skipToContent": "Skip to content" },
 "nav": { "objects": "Objects", "vocabularies": "Vocabularies", "authorities": "Authorities", "fields": "Fields", "search": "Search", "collapseSidebar": "Collapse sidebar", "expandSidebar": "Expand sidebar" },
- "auth": { "email": "Email", "password": "Password", "signIn": "Sign in", "signOut": "Sign out", "invalid": "Invalid email or password", "networkError": "Could not reach the server" },
+ "auth": { "email": "Email", "password": "Password", "signIn": "Sign in", "signOut": "Sign out", "invalid": "Invalid email or password", "networkError": "Could not reach the server", "sessionExpired": "Your session expired — please sign in again.", "signingOut": "Signing out…" },
 "objects": { "title": "Objects", "empty": "No objects yet", "loadError": "Could not load objects", "notFound": "Object not found", "prev": "Previous", "next": "Next", "of": "of", "new": "New object", "filter": "Filter objects…", "pageSize": "Per page", "columns": { "number": "Object №", "name": "Name", "visibility": "Visibility", "location": "Location", "count": "#", "updated": "Updated" }, "unknownRef": "(unknown)" },
 "fieldsLabels": { "objectNumber": "Object number", "objectName": "Name", "count": "Number of objects", "briefDescription": "Brief description", "currentLocation": "Current location", "currentOwner": "Current owner", "recorder": "Recorder", "recordingDate": "Recording date", "visibility": "Visibility" },
 "visibility": { "draft": "Draft", "internal": "Internal", "public": "Public" },
diff --git a/web/src/i18n/sv.json b/web/src/i18n/sv.json
index 59d9c0c..f0ffe52 100644
--- a/web/src/i18n/sv.json
+++ b/web/src/i18n/sv.json
@@ -1,7 +1,7 @@
 {
 "common": { "yes": "Ja", "no": "Nej", "close": "Stäng", "loading": "Laddar", "filter": "Filtrera…", "noMatches": "Inga träffar", "language": "Språk", "skipToContent": "Hoppa till innehåll" },
 "nav": { "objects": "Föremål", "vocabularies": "Vokabulär", "authorities": "Auktoriteter", "fields": "Fält", "search": "Sök", "collapseSidebar": "Fäll ihop sidofältet", "expandSidebar": "Fäll ut sidofältet" },
- "auth": { "email": "E-post", "password": "Lösenord", "signIn": "Logga in", "signOut": "Logga ut", "invalid": "Fel e-post eller lösenord", "networkError": "Kunde inte nå servern" },
+ "auth": { "email": "E-post", "password": "Lösenord", "signIn": "Logga in", "signOut": "Logga ut", "invalid": "Fel e-post eller lösenord", "networkError": "Kunde inte nå servern", "sessionExpired": "Din session har gått ut — logga in igen.", "signingOut": "Loggar ut…" },
 "objects": { "title": "Föremål", "empty": "Inga föremål ännu", "loadError": "Kunde inte ladda föremål", "notFound": "Föremålet hittades inte", "prev": "Föregående", "next": "Nästa", "of": "av", "new": "Nytt föremål", "filter": "Filtrera föremål…", "pageSize": "Per sida", "columns": { "number": "Föremålsnr", "name": "Namn", "visibility": "Synlighet", "location": "Plats", "count": "Antal", "updated": "Uppdaterad" }, "unknownRef": "(okänd)" },
 "fieldsLabels": { "objectNumber": "Föremålsnummer", "objectName": "Namn", "count": "Antal föremål", "briefDescription": "Kort beskrivning", "currentLocation": "Nuvarande plats", "currentOwner": "Nuvarande ägare", "recorder": "Registrerad av", "recordingDate": "Registreringsdatum", "visibility": "Synlighet" },
 "visibility": { "draft": "Utkast", "internal": "Intern", "public": "Publik" },