Stop the auto-logout loop after redirecting to the logout page #43701
Merged
Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
julien-nc requested review from juliusknorr, a team, nfebe, szaimen and sorbaugh and removed request for a team February 20, 2024 16:52
julien-nc changed the title from "Stop the auto-logout loop after redirecting to the logout" to "Stop the auto-logout loop after redirecting to the logout page" Feb 20, 2024
/compile amend
Signed-off-by: Julien Veyssier <julien-nc@posteo.net> Signed-off-by: nextcloud-command <nextcloud-command@users.noreply.github.com>
nextcloud-command force-pushed the fix/noid/logout-loop branch from 617ded4 to 8c47bc0 February 20, 2024 17:23
skjnldsv approved these changes Feb 20, 2024
backports?
juliusknorr approved these changes Feb 20, 2024
/backport to stable28
/backport to stable27
/backport to stable26
Linked with nextcloud/user_oidc#743

If redirecting to the logout page leads to a long series of redirects, the current page's scripts are still active until a new page is actually loaded. So session-heartbeat.js will continue redirecting again and again to the logout page.

Solution: Clear the interval that triggers the redirect right after having redirected to /logout.

One problematic scenario:
When auto-logout is triggered in the frontend, it is possible that the session has already expired so the requesttoken GET param in the logout URL is not valid anymore. In this case, we get redirected to the login page. If user_oidc is configured to provide SSO login, the login flow will immediately start. This flow can take long enough before a new page is actually loaded so session-heartbeat.js has time to redirect again to /logout which will start the login flow again. So we enter a weird loop in which the login flow never has time to load any page before the next redirection to /logout.

@juliushaertl As far as I could see, logging in when the login page is accessed via /login?redirect_url=/logout?requesttoken%3DfO5%252FSJDIa873djX6f is not problematic, there is no redirection to /logout after logging in. So I don't think there is no need for a backend fix to avoid a redirection to /logout right after logging in.

If this goes in, let's backport it to stable28, stable27 and stable26.
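
The redirect loop and the fix described in this PR, as an added simulation that is not part of the PR or of Nextcloud's session-heartbeat.js. Fake timers and a fake location stand in for the browser; the function name, the timing values and the placeholder token are assumptions.

```javascript
// Constructed simulation: a hand-rolled clock replaces the browser so the
// behaviour of the periodic auto-logout check can be verified offline.
function simulateAutoLogout({ clearAfterRedirect, checkEveryMs, navigationMs, runForMs }) {
  const timers = new Map()
  let nextId = 1
  const setInterval = (fn, ms) => { timers.set(nextId, { fn, ms }); return nextId++ }
  const clearInterval = (id) => timers.delete(id)

  const redirects = []     // every navigation the page script started
  let pendingLoadAt = null // time at which the in-flight navigation would finish
  let now = 0
  const location = {
    // Assigning href while a navigation is in flight aborts it and starts over.
    set href(url) { redirects.push(url); pendingLoadAt = now + navigationMs },
  }

  // Page script under test. Assumption: the session has already expired,
  // so every periodic check decides to log out.
  const interval = setInterval(() => {
    location.href = '/logout?requesttoken=PLACEHOLDER'
    if (clearAfterRedirect) {
      clearInterval(interval) // the fix: stop checking once we have redirected
    }
  }, checkEveryMs)

  for (now = 1; now <= runForMs; now++) {
    // A completed navigation unloads the page, which ends its scripts.
    if (pendingLoadAt !== null && now >= pendingLoadAt) {
      return { redirectCount: redirects.length, pageLoadedAt: now }
    }
    for (const { fn, ms } of [...timers.values()]) {
      if (now % ms === 0) fn()
    }
  }
  return { redirectCount: redirects.length, pageLoadedAt: null }
}

// Slow SSO redirect chain (2.5 s) against a 1 s check, observed for 10 s.
const slow = { checkEveryMs: 1000, navigationMs: 2500, runForMs: 10000 }
console.log('without fix:', simulateAutoLogout({ ...slow, clearAfterRedirect: false }))
console.log('with fix:   ', simulateAutoLogout({ ...slow, clearAfterRedirect: true }))
```

Without the fix the loop only appears when the navigation takes longer than the check interval, which matches the slow SSO login flow in the scenario above.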