Self Checks
Dify version
web/main (uncommitted)
Cloud or Self Hosted
Self Hosted (Source)
Steps to reproduce
Discovered by peaks-loop code-sweep on 2026-07-02.
- Configure SSO for a tenant (SAML / OIDC / OAuth2 — all three providers share the bug).
- Misconfigure the SSO endpoint so it returns 5xx or triggers a CORS preflight failure (e.g. wrong
SSO_REDIRECT_URL allow-list, or simulate with DevTools "Block request URL").
- Click the SSO login button on
/signin.
- The button enters the loading state, then... stays loading forever. No toast appears. The user has no idea whether the SSO attempt failed or is still pending.
✔️ Expected Behavior
SSO login attempts that fail at the network layer (5xx, CORS, DNS failure) must surface a user-visible error toast so the user knows the login attempt failed and the button re-enables for retry. The translation key error.ssoFailed should be added to the i18n bundle.
❌ Actual Behavior
The SSO login button at web/app/signin/components/sso-auth.tsx chains getUserSSOUrl(...).then(...).finally(...) for all three protocols (SAML, OIDC, OAuth2). When the network call rejects — e.g. enterprise SSO endpoint misconfigured, CORS error, server 5xx — the rejection is silently swallowed by .finally() and the UI just stays in the loading state with no user feedback.
Proposed change:
- In
web/app/signin/components/sso-auth.tsx: add a .catch() before .then().finally() that emits a toast.error(t('error.ssoFailed')) so the user knows the login attempt failed and the button re-enables.
- In
web/i18n/en-US/login.json: add a new error.ssoFailed key (other locales will be resynced by the i18n:check workflow).
Risk: The happy path (res?.url defined → location.href = res.url) is unchanged. The finally block still resets setIsLoading(false) so the button re-enables for retry. No backend, schema, controller, or frontend changes outside the touched file.
Sister fix: PR #38336 (check-code email login errors).
Self Checks
Dify version
web/main (uncommitted)
Cloud or Self Hosted
Self Hosted (Source)
Steps to reproduce
Discovered by peaks-loop code-sweep on 2026-07-02.
SSO_REDIRECT_URLallow-list, or simulate with DevTools "Block request URL")./signin.✔️ Expected Behavior
SSO login attempts that fail at the network layer (5xx, CORS, DNS failure) must surface a user-visible error toast so the user knows the login attempt failed and the button re-enables for retry. The translation key
error.ssoFailedshould be added to the i18n bundle.❌ Actual Behavior
The SSO login button at
web/app/signin/components/sso-auth.tsxchainsgetUserSSOUrl(...).then(...).finally(...)for all three protocols (SAML, OIDC, OAuth2). When the network call rejects — e.g. enterprise SSO endpoint misconfigured, CORS error, server 5xx — the rejection is silently swallowed by.finally()and the UI just stays in the loading state with no user feedback.Proposed change:
web/app/signin/components/sso-auth.tsx: add a.catch()before.then().finally()that emits atoast.error(t('error.ssoFailed'))so the user knows the login attempt failed and the button re-enables.web/i18n/en-US/login.json: add a newerror.ssoFailedkey (other locales will be resynced by the i18n:check workflow).Risk: The happy path (
res?.urldefined →location.href = res.url) is unchanged. Thefinallyblock still resetssetIsLoading(false)so the button re-enables for retry. No backend, schema, controller, or frontend changes outside the touched file.Sister fix: PR #38336 (check-code email login errors).