I believe I've set this up correctly by following the How To's, but the behavior is not as expected. I've a functioning Security Provider which handles my logins/logouts. It uses my local DB.
For pages that require a login for access, I set up an API called "chksec" and call it directly from each page requiring g_identity to not be empty:
Today, I logged in and noticed I was successfully redirected to a restricted page, but my "sign in" button in my navbar was still showing. It changes to "logout" when g_identity is not empty. I then checked dev tools in my browser to find that I had no g_identity number assigned.
Recapping the steps: my login API worked, which includes Security Login as part of its steps. It returned success because my login page redirected me using the success event. But g_identity did not get assigned a number (should have been "1"), and my Security Restrict did not redirect me from the restricted page.
I'm still fairly new to building in Wappler so it's well within my learning curve to have misunderstood something here. I am also editing pages behind the Security Restrict API call, and reloading those pages, along with non-restricted pages, countless times per day. I'd like to feel confident in using this authorization system before pushing this to the public internet. Any ideas how I could further try to diagnose/troubleshoot this behavior?
Just logged in again and the same behavior. There is a session cookie hanging around however. Is this allowing access to the restricted pages? You can see the "Sign in" is still reflecting that there's no g_identity set.
The issue may be that I'm relying on g_identity to be set for the show/hide of items in my navbar, but the Security Restrict may also allow a session cookie from the "remember me" check box during login.
Security Restrict seems like a black box to me right now since I'm not familiar with it at all.
Check your active target matches the environment you are working on... ie, if you have Remote/Production selected and are working Locally/Development there will be issues with changes that you have made to Security Provider not acting as you may expect. If you are working Locally then be sure it is set to Local... And vice versa. If all is good then ignore this.
I have caught myself opening files when the target is set to my remote deployment. But I have manually deleted my session info from the browser. This has not changed the odd behavior however. I can still login, get to my restricted page via redirect, and not have a g_identity set.
I can make one observation regarding the security restrict setup. Permissions under the Restrict Properties for Security Restrict chksec is empty. For the Security Restrict to work correctly, the Permissions property needs to be setup.
Permissions can be defined under 'Users and Permissions` in the siteSecurity (Security Provider).
Using memory session store doesn't persist session, so every time you change a server action (which results in NodeJS restart) the session is lost. Use Redis in project settings
Edit: Show the Security Login step... We'll dissect your app
(maybe not me, because I don't have a lot of time)
