Skip to content

UID-209: Password reset process - ensure proper response for missing user credentials. #493

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
Dmytro-Melnyshyn merged 1 commit into from
Dec 31, 2025
Merged

UID-209: Password reset process - ensure proper response for missing user credentials. #493

Dmytro-Melnyshyn merged 1 commit into from
Dec 31, 2025

Conversation

@Dmytro-Melnyshyn
Copy link
Contributor

@Dmytro-Melnyshyn Dmytro-Melnyshyn commented Dec 30, 2025
edited
Loading

Purpose

Password reset process:

  1. Do not show a modal window with an error when the authn/credentials-existence request fails (throwErrors: false).
  2. When a user doesn't have credentials, create them instead of showing an error.

Description

The authn/credentials-existence fails when a user doesn't have roles assigned. Instead of executing the if(!res.credentialsExist) condition, which creates credentials, the error is passed to the catch block. The solution is to return { credentialsExist: false } when an error occurs, so that if (!res.credentialsExist) works.

Issues

https://folio-org.atlassian.net/browse/UID-209

Screencasts

2025-12-30_17h06_37.mp4

@sonarqubecloud
Copy link

sonarqubecloud bot commented Dec 30, 2025

Quality Gate Failed Quality Gate failed

Failed conditions
C Maintainability Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE

@Dmytro-Melnyshyn Dmytro-Melnyshyn requested a review from a team December 30, 2025 15:09
@Dmitriy-Litvinenko Dmitriy-Litvinenko requested a review from a team December 30, 2025 15:48
zburke
zburke approved these changes Dec 30, 2025
View reviewed changes
Copy link
Member

@zburke zburke left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is fine, but it's misleading. The problem is not that existing code chokes on an error response, although that's the fix that is implemented here. The problem is that mod-login-keycloak has implemented /authn/credentials-existence incorrectly. When this request fails to find a user, the correct response is a 200 with a body of

{ credentialsExist: false }

as the documentation states both for mod-login and mod-login-keycloak. Instead, the actual response is a 404 with a body of

{
    "errors": [
        {
            "message": "Keycloak user doesn't exist with the given 'user_id' attribute: ...",
            "type": "NotFoundException",
            "code": "not_found_error",
            "parameters": []
        }
    ],
    "total_records": 1
}

Personally, I'd prefer to see the actual bug fixed in mod-login-keycloak rather than accommodating its incorrect behavior here in the UI. That said, I understand the value of a bird in-hand and will not object to merging this.

CC: @OleksiiKuzminov, @craigmcnally

src/settings/Passwd.js
Comment on lines -98 to +108
.then(() => mutator.isLocalPasswordSet.GET({ params: { userId } }))
.then(async () => {
try {
const response = await mutator.isLocalPasswordSet.GET({ params: { userId } });
return response;
} catch (e) {
return {
credentialsExist: false,
};
}
})
Copy link
Member

@zburke zburke Dec 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of mixing a promise chain and async/await, it would be better to convert the whole thing to async/await.

Copy link
Contributor Author

@Dmytro-Melnyshyn Dmytro-Melnyshyn Dec 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since this is a CSP, I didn't want to make too many changes.

@Dmytro-Melnyshyn Dmytro-Melnyshyn merged commit 576daff into master Dec 31, 2025
13 of 14 checks passed
@Dmytro-Melnyshyn Dmytro-Melnyshyn deleted the UID-209 branch December 31, 2025 07:40
@Dmytro-Melnyshyn
Copy link
Contributor Author

Dmytro-Melnyshyn commented Dec 31, 2025

@zburke You're absolutely right that the root cause is returning a 404 instead of the 200 response with { credentialsExist: false }. I agree that fixing it at the source would be ideal. However, since we don't have a timeline on when the BE team will address this bug, I think it's worth handling this gracefully on the UI side in the meantime. Thanks for the review.

zburke pushed a commit that referenced this pull request Dec 31, 2025
@Dmytro-Melnyshyn @zburke
UID-209: Password reset process - ensure proper response for missing …
6c773dc 
…user credentials. (#493)

(cherry picked from commit 576daff)
@craigmcnally
Copy link

craigmcnally commented Jan 5, 2026

{
"errors": [
{
"message": "Keycloak user doesn't exist with the given 'user_id' attribute: ...",
"type": "NotFoundException",
"code": "not_found_error",
"parameters": []
}
],
"total_records": 1
}

I've created https://folio-org.atlassian.net/browse/MODLOGINKC-60 to fix this in mod-login-keycloak.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@zburke zburke zburke approved these changes

@Dmitriy-Litvinenko Dmitriy-Litvinenko Dmitriy-Litvinenko approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@Dmytro-Melnyshyn @craigmcnally @zburke @Dmitriy-Litvinenko