
feat(auth): Auto-redirect authenticated users on auth pages via BroadcastChannel #107390

Closed
JoshFerge wants to merge 6 commits into master from jferg/auth-broadcast-channel-redirect

@JoshFerge
Member

Summary

When users have multiple tabs open on auth pages and log in on one tab, other tabs still show the login form. This PR adds BroadcastChannel-based cross-tab communication to auto-redirect authenticated users.

  • Add organizations:auth-broadcast-channel-redirect feature flag for gradual rollout
  • On login success (SPA flow), broadcast a 'login' message to other tabs
  • Auth pages listen for 'login' messages and reload (server redirects authenticated users)
  • Add visibility change fallback for SSO flows where BroadcastChannel message may be missed

This complements the CSRF token sync fix (#107389) for multi-tab scenarios.

Browser Support

BroadcastChannel is supported in Chrome 54+, Firefox 38+, Safari 15.4+, Edge 79+. Falls back gracefully (visibility change or CSRF sync) on older browsers.

Test Plan

  1. Open two tabs to /auth/login/{org}/
  2. Log in on Tab 1
  3. Tab 2 should immediately reload and redirect (BroadcastChannel)
  4. If BroadcastChannel fails, Tab 2 redirects when focused (visibility change fallback)

Files Changed

  • src/sentry/features/temporary.py - Add feature flag
  • src/sentry/web/frontend/auth_organization_login.py - Pass feature flag to template context
  • src/sentry/templates/sentry/organization-login.html - Expose config to JavaScript
  • src/sentry/templates/sentry/bases/auth.html - Add BroadcastChannel listener + visibility fallback
  • static/app/views/auth/loginForm.tsx - Broadcast login event on success
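
The sender, listener and visibility fallback described in the summary above, as an added example that is not code from this pull request. The channel name, the bare-string `'login'` payload and the `looksAuthenticated` probe (here a hypothetical `logged_in` marker cookie) are assumptions.

```javascript
// Added example, not Sentry's code. CHANNEL_NAME, the payload shape and the
// marker cookie used by the browser wiring are assumptions.
const CHANNEL_NAME = 'auth-example';

// Sender side: called after a successful login. Older browsers have no
// BroadcastChannel, so a missing channel is not an error.
function announceLogin(channel) {
  if (!channel) return false;
  channel.postMessage('login'); // no token, user id or redirect URL is sent
  return true;
}

// Listener side for auth pages. The message is only a hint: any script on the
// origin can post to the channel, so the tab reloads and the server decides
// whether the session is authenticated and where to redirect.
function installAuthTabSync({channel, doc, reload, looksAuthenticated}) {
  let reloaded = false;
  const reloadOnce = () => {
    if (reloaded) return;
    reloaded = true;
    reload();
  };
  if (channel) {
    channel.onmessage = event => {
      if (event.data === 'login') reloadOnce(); // ignore anything else
    };
  }
  // Fallback for logins that sent no broadcast (e.g. SSO): re-check when the
  // tab becomes visible again.
  doc.addEventListener('visibilitychange', () => {
    if (doc.visibilityState === 'visible' && looksAuthenticated()) reloadOnce();
  });
}

// Browser wiring; skipped when there is no document (e.g. under Node).
if (typeof document !== 'undefined') {
  const channel =
    typeof BroadcastChannel !== 'undefined' ? new BroadcastChannel(CHANNEL_NAME) : null;
  installAuthTabSync({
    channel,
    doc: document,
    reload: () => window.location.reload(),
    looksAuthenticated: () => document.cookie.includes('logged_in=1'), // hypothetical marker
  });
}
```
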

Add form submit event listener (capture phase) to sync CSRF token from
cookie to form field right before submission. Also add manual sync in
WebAuthnAssert since form.submit() doesn't fire the 'submit' event.
@github-actions github-actions Bot added the Scope: Frontend and Scope: Backend labels Jan 31, 2026
@github-actions
Contributor

🚨 Warning: This pull request contains Frontend and Backend changes!

It's discouraged to make changes to Sentry's Frontend and Backend in a single pull request. The Frontend and Backend are not atomically deployed. If the changes are interdependent of each other, they must be separated into two pull requests and be made forward or backwards compatible, such that the Backend or Frontend can be safely deployed independently.

Have questions? Please ask in the #discuss-dev-infra channel.

Fix cookie parsing to use substring instead of split('=')[1] which
truncates values containing '=' characters (e.g., base64 padding).
This matches the defensive approach used in auth.html.
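
The truncation named in this commit message and the pre-submit sync named in the earlier one, as an added example that is not code from this pull request. The cookie name `csrftoken`, the sample values and the `syncCsrfField` helper are constructed for illustration.

```javascript
// Added example, not Sentry's code. Cookie name and values are constructed.
const SAMPLE_COOKIES = 'theme=dark; csrftoken=YWJjZGVmZw==; lang=en';

// Before: split('=')[1] keeps only the text between the first and second '=',
// so base64 padding at the end of the value is dropped.
function readCookieSplit(cookieString, name) {
  const row = cookieString.split('; ').find(r => r.startsWith(name + '='));
  return row ? row.split('=')[1] : null;
}

// After: everything following the first '=' is the value. Matching on the
// trimmed "name=" prefix also avoids picking up a cookie whose name merely
// ends with the wanted name.
function readCookieSubstring(cookieString, name) {
  const prefix = name + '=';
  for (const part of cookieString.split(';')) {
    const row = part.trim();
    if (row.startsWith(prefix)) return row.substring(prefix.length);
  }
  return null;
}

// Copies the current cookie value into the hidden form field. Intended to be
// called from a capture-phase 'submit' listener, and directly before
// form.submit(), which does not fire 'submit'. Returns true if the field changed.
function syncCsrfField(field, cookieString, name) {
  const token = readCookieSubstring(cookieString, name);
  if (token === null || field.value === token) return false;
  field.value = token;
  return true;
}
```

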
…castChannel

When users have multiple tabs open on auth pages and log in on one tab,
other tabs still show the login form. This adds BroadcastChannel-based
cross-tab communication to auto-redirect authenticated users.

Changes:
- Add `organizations:auth-broadcast-channel-redirect` feature flag
- On login success (SPA flow), broadcast a 'login' message to other tabs
- Auth pages listen for 'login' messages and reload (server redirects auth'd users)
- Add visibility change fallback for SSO flows where BroadcastChannel may miss

This complements the CSRF token sync fix for multi-tab scenarios.
@JoshFerge JoshFerge force-pushed the jferg/auth-broadcast-channel-redirect branch from aa0caf4 to af6f72d Compare January 31, 2026 18:22
@JoshFerge JoshFerge changed the base branch from master to jferg/csrf-token-submit-intercept January 31, 2026 18:22
@JoshFerge JoshFerge force-pushed the jferg/csrf-token-submit-intercept branch from 7603c19 to 311eee4 Compare February 2, 2026 22:04
Base automatically changed from jferg/csrf-token-submit-intercept to master February 3, 2026 14:00
@getsantry
Contributor

getsantry Bot commented Feb 25, 2026

This issue has gone three weeks without activity. In another week, I will close it.

But! If you comment or otherwise update it, I will reset the clock, and if you remove the label Waiting for: Community, I will leave it alone ... forever!


"A weed is but an unloved flower." ― Ella Wheeler Wilcox 🥀

@getsantry getsantry Bot added the Stale label Feb 25, 2026
@getsantry getsantry Bot closed this Mar 6, 2026
@github-actions github-actions Bot locked and limited conversation to collaborators Mar 21, 2026