
Session Storage Conflict Causes Authentication Failure When Switching Users with Different Organizations #48

Open
gtrrz-victor opened this issue Feb 7, 2025 · 0 comments

gtrrz-victor commented Feb 7, 2025

When switching between users associated with different organizations, the workos_organization_id stored in sessionStorage causes a conflict, preventing the new user from logging in successfully. Specifically, the workos_organization_id from the previous user's session is incorrectly included in the authentication request for the new user, resulting in a 400 error.

Steps to Reproduce:

  1. Log in as User A, who is associated with Org1 and Org2.
  2. Switch between Org1 and Org2 during the session. Observe that workos_organization_id is stored in sessionStorage.
  3. Log out of User A.
  4. Log in as User B, who is associated with Org3.
  5. Observe that the authentication request to https://{WORKOS_API_HOSTNAME}/user_management/authenticate fails with a 400 error.
  6. Inspect the request payload and note that the organization_id corresponds to the previous user's organization (Org1 or Org2).
  7. Manually delete the workos_organization_id item from sessionStorage.
  8. Attempt to log in as User B again. Observe that the login succeeds.

Expected Behavior:

When logging in as a new user, the workos_organization_id from the previous user's session should not interfere with the new user's authentication process.

The authentication request for User B should not include the organization_id of User A.

Actual Behavior:

The workos_organization_id from the previous user's session persists in sessionStorage and is incorrectly included in the authentication request for the new user.

This results in a 400 error, preventing User B from logging in.

Workaround:

Manually delete the workos_organization_id item from sessionStorage before logging in as a new user.

Additional Context:

This issue occurs consistently when switching between users with different organizations.

The workos_organization_id appears to be used for token refresh functionality, but it is not being cleared or updated correctly when a new user logs in.

Environment: Observed in the 0.9.0 version of the library.
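The following is an added illustration of the reported behaviour and its fix, not code from the library or the reporter: it models the sessionStorage flow with an in-memory stand-in, shows the stale `workos_organization_id` leaking into User B's authenticate payload, and shows logout clearing the key so the next login starts clean. The storage key is the one named in the report; the request body shape, the `runScenario` helper and the e-mail addresses are assumptions.

```javascript
// Added example (not the library's code). The org key matches the report;
// the request shape and helper names are assumptions for illustration.
const ORG_KEY = "workos_organization_id";

// Minimal Storage-like object so the example runs outside a browser.
function makeSessionStorage() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => data.set(k, String(v)),
    removeItem: (k) => data.delete(k),
  };
}

// Builds the /user_management/authenticate body the way the reported
// behaviour implies: whatever org id is in storage gets attached.
function buildAuthRequest(storage, email) {
  const body = { email };
  const orgId = storage.getItem(ORG_KEY);
  if (orgId !== null) body.organization_id = orgId;
  return body;
}

// Buggy logout: ends the session but leaves the org selection behind,
// which is the condition the report describes.
function logoutBuggy(session) {
  session.user = null;
}

// Fixed logout: also drops the per-user org selection from sessionStorage.
function logoutFixed(session, storage) {
  session.user = null;
  storage.removeItem(ORG_KEY);
}

// Replays the report's steps and returns the organization_id that User B's
// authenticate request would carry; null means none was sent (correct).
function runScenario(useFix) {
  const storage = makeSessionStorage();
  const session = { user: "userA@example.com" }; // constructed sample user
  storage.setItem(ORG_KEY, "org_1"); // User A switched to Org1
  if (useFix) logoutFixed(session, storage);
  else logoutBuggy(session);
  const req = buildAuthRequest(storage, "userB@example.com");
  return req.organization_id ?? null;
}
```

Clearing the key at logout is the defensive choice; clearing it again when a new sign-in starts also covers sessions that ended without an explicit logout.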
