Confirming understanding of login behavior after refresh

[MetaSeth]

Hi! I just want to make sure I’ve understood the issue correctly, as described in this issue I opened.

From what I see, the main problem is that after a refresh login (e.g. when the page is reloaded and there's a valid token in storage), the application checks whether the user is authenticated before granting access to protected routes. If not, it calls the logIn() function, which redirects the user to the IdP login form.

However, there seems to be a race condition between the token being hydrated (e.g. restored from storage and validated) and the authentication guard that determines if the user is logged in. As a result, the guard might wrongly consider the user unauthenticated and trigger a redirect, even though a valid session exists.

I would have expected that the loginInProgress flag would reflect this state and prevent unnecessary redirects, but it seems like it doesn’t cover this case.

Since I’m not very experienced in contributing to open source repos, I wanted to double-check whether my interpretation is valid before going any further.

Thanks again for your time and for maintaining this library!

[soofstad]

Hi @MetaSeth
Thank you for reporing this. Will do some checks to verify and try to replicate the behavior you are describing :)

[MetaSeth]

Thank you, don't hesitate if you need more informations to replicate the behavior.