Login status is not properly determined by the application

[tiberiuichim]

How to reproduce:

• open demo.plone.org in two separate tabs
• login with admin in one of the tabs
• in the other tab, navigate to another page using an internal link (nav menu)

Expected: I should be able to see the toolbar, because the actions are properly sent together with the main content, thanks to the expand=actions

I think the token props is not properly reconstructed based on succesful backend interaction.

https:/plone/volto/blob/a2f8d5997030dc8becc0c403c03f327edb5d0e36/packages/volto/src/components/manage/Toolbar/Toolbar.jsx#L373C6-L373C23

[ichim-david]

Confirming the testing of this behavior within https://volto.demo.plone.org/

[tiberiuichim]

Another one:

• Have some published pages available from the global nav menu
• With two open tabs, login, refresh them both
• Logout in one of the tabs
• In the other tab, click on one of the published public pages
• You get Unauthorised

This is because the api sends the store token, which is invalidated and properly fails in the acl_users somewhere. That's not true, the api sets the Authorization header based on the auth cookie

I think it's because the types is added to the autoexpand and the login status is not "refreshed".

When authenticated: ?expand=breadcrumbs,actions,types,navroot,navigation&expand.navigation.depth=3

When anonymous: ?expand=breadcrumbs,actions,navroot,navigation&expand.navigation.depth=3