fix(ui): redirect authenticated users from login page to dashboard

[marekdano]

🐛 Bug-fix PR

Closes: #3430

📌 Summary

Fixed issue where authenticated users could still access the login page instead of being redirected to the dashboard.

🔁 Reproduction Steps

1. Log in to the application with valid credential
2. Visit /admin/login by typing in to address bar
3. User can view the login page again

🐞 Root Cause

When a logged-in user navigated to /admin/login by typing it directly in the address bar, they would see the login form again instead of being redirected to the dashboard. This created a confusing user experience.

💡 Fix Description

Added authentication check in the admin_login_page endpoint to detect already-authenticated users and redirect them to the dashboard.

Changes

1. Core Fix (mcpgateway/admin.py)

Modified admin_login_page() function (line ~3681):

• Added JWT token validation check before rendering login page
• Checks for jwt_token or access_token cookies
• Verifies token validity using verify_jwt_token_cached()
• Redirects authenticated users to /admin dashboard (303 redirect)
• Falls through to show login form if token is invalid/expired

2. Unit Tests (tests/unit/mcpgateway/test_admin.py)

Added two test cases to TestAdminLoginPage class:

test_admin_login_page_redirects_authenticated_user

• Mocks valid JWT token in request cookies
• Verifies redirect to dashboard (status 303)
• Confirms location header points to /app/admin

test_admin_login_page_shows_form_for_invalid_token

• Mocks invalid/expired JWT token
• Verifies login form is displayed (no redirect)
• Confirms CSRF token is set in response

3. E2E Test (tests/playwright/test_auth.py)

Added test_logged_in_user_redirected_from_login_page to TestAuthentication class:

• Performs full login flow with valid credentials
• Verifies JWT cookie is set
• Navigates to /admin/login while authenticated
• Asserts redirect to dashboard occurs
• Confirms login form is not visible
• Verifies admin interface elements are displayed

Behavior

Before:

• Logged-in user visits /admin/login → sees login form

After:

• Logged-in user visits /admin/login → redirected to /admin dashboard
• User with invalid/expired token → sees login form (unchanged)
• Unauthenticated user → sees login form (unchanged)

🧪 Verification

Check	Command	Status
Lint suite	make lint	✅
Unit tests	make test	✅
Coverage ≥ 80 %	make coverage	✅
Manual regression no longer fails	steps / screenshots

📐 MCP Compliance (if relevant)

• Matches current MCP spec
• No breaking change to MCP clients

✅ Checklist

• Code formatted (make black isort pre-commit)
• No secrets/credentials committed

[Lang-Akshay]

Thanks for the PR @marekdano . Great work. Please address the following findings.

Findings Summary

#	File	Line	Severity	CWE	Description
1	mcpgateway/admin.py	3731–3733	Low	CWE-754	Bare except Exception: pass silently swallows all exceptions from JWT verification, including unexpected failures (key-loading errors, cryptographic faults). Masks operational issues.
2	mcpgateway/admin.py	3724	Low	CWE-287	Accepting tokens from two cookie names (jwt_token and access_token) widens the attack surface. If one cookie has weaker SameSite/Secure/Path attributes, it may be injectable via a different origin.
3	mcpgateway/admin.py	3729–3730	Informational	CWE-613	When a token is invalid/expired, the code falls through without clearing the stale cookie. The browser continues sending the bad token on every subsequent request.
4	tests/unit/mcpgateway/test_admin.py	13660	⚠️ Medium	CWE-1164	The assertion assert "secure cookies enabled" in (context.get("secure_cookie_warning") or "").lower() was deleted from test_admin_login_page_secure_cookie_warning_in_development. The test now grabs the context dict but never validates its content, eliminating coverage for the security warning feature.
5	tests/unit/mcpgateway/test_admin.py	13625–13657	Low	CWE-1164	Pre-existing tests test_admin_login_page_email_auth_enabled and test_admin_login_page_secure_cookie_warning_in_development do not set request.cookies = {}. With MagicMock(spec=Request), request.cookies.get("jwt_token") returns a truthy MagicMock, unintentionally triggering the new JWT-check code path. Tests pass only because the MagicMock isn't a valid JWT and the exception is swallowed.

Suggestions :

1. Finding 1 — Narrow the exception handler to catch only expected types (HTTPException, jwt.PyJWTError) instead of blanket Exception. This preserves intent while allowing unexpected errors to propagate and be logged. Effort: trivial. Ref: CWE-754, OWASP Error Handling.
2. Finding 2 — Either gate access_token acceptance behind a feature flag (e.g., SSO flow), document that both cookies MUST share identical Secure/HttpOnly/SameSite attributes, or simplify to only read jwt_token (the cookie the gateway itself sets). Effort: low.
3. Finding 3 — Consider clearing the stale cookie on verification failure via response.delete_cookie(). Effort: low (requires minor flow restructuring).
4. Finding 4 — ⚠️ Restore the deleted assertion. Add request.cookies = {} to the test to prevent the new JWT-check path from interfering, then re-add: assert "secure cookies enabled" in context["secure_cookie_warning"].lower(). Effort: trivial. This is the highest-priority fix.
5. Finding 5 — Add explicit request.cookies = {} to all pre-existing tests that don't intend to test the JWT cookie path. Effort: trivial.

---

Deny-Path Test Coverage

Deny-path scenario	Covered?	Notes
No cookie present → show login form	Implicit	Works via existing test, but request.cookies should be explicitly set to {}
Valid JWT → redirect to dashboard	✅ Yes	test_admin_login_page_redirects_authenticated_user() (tests/unit/mcpgateway/test_admin.py:13663)
Invalid/expired JWT → show login form	✅ Yes	test_admin_login_page_shows_form_for_invalid_token() (tests/unit/mcpgateway/test_admin.py:13686)
verify_jwt_token_cached() (mcpgateway/utils/verify_credentials.py:229) returns falsy/None → show login form	❌ No	The if payload: branch (mcpgateway/admin.py:3729) has no test for None/{} return
access_token cookie with valid JWT → redirect	❌ No	Only jwt_token tested; the or request.cookies.get("access_token") branch (mcpgateway/admin.py:3724) has zero coverage
access_token cookie with invalid JWT → show login form	❌ No	Same gap as above (mcpgateway/admin.py:3724)

[crivetimihai]

Thanks @marekdano — good UX improvement for #3430. Checking JWT/access_token cookies before rendering the login page is the right approach. LGTM.

[gcgoncalves]

Code looks good. Tested and works as expected.

[crivetimihai]

Reviewed and rebased onto latest main (clean, no conflicts).

Feature review: The login page redirect logic is correct and well-designed — validates JWT cookies server-side via verify_jwt_token_cached, redirects authenticated users to the dashboard (303), and falls through to the login form for invalid/expired tokens. No security or performance concerns.

Review fixes applied (commit 281b734):

• Fixed stray @pytest.mark.asyncio decorator that was separated from test_admin_login_handler_missing_fields by the new test insertions
• Added missing password_reset_enabled mock to access_token and None-payload test variants for consistency with the jwt_token variant
• Added HTTPException test case — verify_jwt_token_cached raises HTTPException (not jwt.PyJWTError) for expired/invalid tokens, so this covers the primary real-world error path
• Simplified Playwright test: removed unnecessary try/except around not_to_be_visible() and redundant wait_for_timeout(1000)
• Applied black/isort formatting

Solved

[crivetimihai]

Fixed the Playwright test failure (test_logged_in_user_redirected_from_login_page):

The LoginPage.email_input locator (input[name="email"]) matched multiple elements on the admin dashboard (create-user and invite-user forms), causing a Playwright strict mode violation. Replaced with is_on_login_page() URL check, which is more reliable and semantically correct.

Commit: c2405f6