Since some Radzen updates I realized the application does not redirect to the login anymore when the session runs out, you just get a blank page and the dev tools say it's a 401 Unauthorized. I went through my recent commits but couldn't find anything which looks relevant to it. Also while I debug it I can't reproduce it, it only seems to happen in the deployed version.
Could you try to reproduce that? Or maybe point me in the right direction to look up my settings?
According to our records there hasn't been any change in the way authorization is done for more than 9 months (when we added .NET 5 support). You can check the security.service.ts file which Radzen generates - compare it with older versions from source control.
This method is responsible for checking the session expiration:
isAuthenticated() {
const expired = this.jwt.isTokenExpired(localStorage.getItem(TOKEN));
if (localStorage.getItem(TOKEN) && expired) {
this.logout();
}
return !expired;
}
The logout method reloads the current page which invokes the canActivate method of the security service
canActivate(roles: string[], state: RouterStateSnapshot) {
if (this.isAuthenticated()) {
if (this.isInRole(roles)) {
return true;
} else {
this.router.navigateByUrl('/unauthorized');
}
} else {
this.router.navigate([{ outlets: { popup: null } } ])
.then(() => this.router.navigate(['/login'], { queryParams: { redirectUrl: state.url } }));
return false;
}
}
Security handling is identical in deployed and development versions. The only difference is that the admin account is not available in deployed applications. You can try decreasing the session timeout during development (from Radzen's security settings).
These codeparts are exactly the same in my version, local testing a lower session timeout resulted in a redirect to the login as expected. I will retest and analyze this with our next deployment, thank you for your fast response.