Password Flow init() method logs out on refresh

[mtozlu]

@mehmet-erim
There is a bug that logs out the user on page refresh using password flow authentication.

Steps to reproduce:
1- abp new pw-flow-init-test -csf -t app -ui angular -d mongodb --preview
2- Change env.ts to password flow: https://docs.abp.io/en/abp/4.3/UI/Angular/Authorization#resource-owner-password-flow
3- Run the projects
4- Go to http://localhost:4200/account/login (this is the key to bug: navigate to this url directly by clicking this link, do not go to login page by clicking "login" button on home page)
5- Login using admin user and default password.
6- Now that you are logged in and redirected to home page: refresh the page (using F5 or CTRL+R)
7- Observe that you are logged out after page refresh is finished.

I found that this is because rememberMe cookie is not set on direct navigation to /account/login so this condition returns true and password flow strategy's init method logs you out. The code is here:

abp/npm/ng-packs/packages/core/src/lib/strategies/auth-flow.strategy.ts

Line 143 in 3c35bce

if (!getCookieValueByName('rememberMe') && localStorage.getItem(this.storageKey)) {

Alternatively you can go to login page and make a refresh so that the first entrypoint to the app is the /account/login page. Now after you login, either you refresh the page or click a link to open in new tab (meaning a new init call will be made) and you will see that it logs you out.

I would like to create a PR however i couldn't see the reason of logging the user out when initializing the strategy. I thought there may be a reason which i'm not aware of. I think even if user didn't choose 'remember me', we should not logout the user on page initialization.

[mtozlu]

I solved this by adding;
this.setRememberMe(false);
just before the if conditional mentioned above. So now rememberMe cookie is initalized with a non-empty value. If condition doesn't return true on page refresh.
I don't know if initalizing rememberMe cookie with false value will have any side effects?

Also we can use this.cookieKey instead of the 'rememberMe' string literal on line 143.

[mehmet-erim]

Hi,

We will fix the problem as soon as possible.
Thanks for the reporting.

[bnymncoskuner]

Thank you for your findings @mtozlu It directed me into the source of the problem which is rememberMe cookie not being written with path=/. This results in that the cookie is written with path /account which cannot be reached from the root path. That's why if you refresh your application at root (localhost:4200), it logs you out since it cannot read the cookie.

You can see it here

[mtozlu]

Great find and fix. I tried to find the source of problem but i couldn't. Thanks for your efforts.