Auth: Only call rotate token if we have a session expiry cookie #84169
This PR must be merged before a backport PR will be created.
The backport to
To backport manually, run these commands in your terminal:
# Fetch latest updates from GitHub
git fetch
# Create a new branch
git switch --create backport-84169-to-v10.3.x origin/v10.3.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x 4272483c54a55d807788c163963b70071343eba4
When the conflicts are resolved, stage and commit the changes:
If you have the GitHub CLI installed:
# Push the branch to GitHub:
git push --set-upstream origin backport-84169-to-v10.3.x
# Create the PR body template
PR_BODY=$(gh pr view 84169 --json body --template 'Backport 4272483c54a55d807788c163963b70071343eba4 from #84169{{ "\n\n---\n\n" }}{{ index . "body" }}')
# Create the PR on GitHub
echo "${PR_BODY}" | gh pr create --title "[v10.3.x] Auth: Only call rotate token if we have a session expiry cookie" --body-file - --label "type/bug" --label "area/frontend" --label "add to changelog" --label "backport" --base v10.3.x --milestone 10.3.x --web
Or, if you don't have the GitHub CLI installed (we recommend you install it!):
# Push the branch to GitHub:
git push --set-upstream origin backport-84169-to-v10.3.x
# Create a pull request where the `base` branch is `v10.3.x` and the `compare`/`head` branch is `backport-84169-to-v10.3.x`.
# Remove the local backport branch
git switch main
git branch -D backport-84169-to-v10.3.x
Only call rotate token if we have a session expiry cookie (cherry picked from commit 4272483)
What is this feature?
When getting a 401 response we always tried to rotate the token. This works correctly as long as a user has a session cookie. But there are cases when a user doesn't have one (anonymous and auth proxy). When the server responds with a 401 this causes an infinite reload loop for that page.
To solve this we only call rotate token if we have a session expiry cookie, and in all other cases we call
GET /api/login/ping
to determine if the user is authenticated. For 10.3.x and below this can be mitigated by disabling the feature toggle. But in 10.4.x the toggle is removed and this is the default behaviour.
Why do we need this feature?
To solve the issue with the infinite page reload loop for users without a session.
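As an added illustration (not code from this PR or from Grafana), here is the 401 handling the description outlines: rotate only when a session expiry cookie is present, otherwise ask GET /api/login/ping. The cookie name and the rotate endpoint path are assumptions; the ping endpoint is the one named in the PR.

```javascript
// Added example, not Grafana's code: models the 401 handling the PR describes.
// Cookie name and the rotate endpoint path are assumptions for illustration;
// GET /api/login/ping is the endpoint named in the PR.
const SESSION_EXPIRY_COOKIE = 'grafana_session_expiry'; // assumed name
const ROTATE_PATH = '/api/user/auth-tokens/rotate';     // assumed path
const PING_PATH = '/api/login/ping';

// Parse a document.cookie-style string ("a=1; b=2") into a name -> value map.
function parseCookies(cookieString) {
  const cookies = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) cookies[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return cookies;
}

// Pre-fix behaviour: every 401 triggered a rotate. Fixed behaviour: only rotate when
// the browser actually holds a session expiry cookie; otherwise fall back to a ping.
function decideUnauthorizedAction(cookieString) {
  const cookies = parseCookies(cookieString);
  return Object.prototype.hasOwnProperty.call(cookies, SESSION_EXPIRY_COOKIE)
    ? 'rotate'
    : 'ping';
}

// Drive the decision with an injected `http(path, init)` that resolves to {status},
// so this runs without a browser. Result: 'retry' (token rotated, replay the original
// request), 'authenticated' (ping says the session is valid, so surface the 401 to the
// caller) or 'login'. Anonymous and auth-proxy users, who have no session cookie, never
// reach the rotate branch, which is what previously reloaded the page on every 401.
async function handleUnauthorized(cookieString, http) {
  if (decideUnauthorizedAction(cookieString) === 'rotate') {
    const res = await http(ROTATE_PATH, { method: 'POST' });
    return res.status === 200 ? 'retry' : 'login';
  }
  const ping = await http(PING_PATH, { method: 'GET' });
  return ping.status === 200 ? 'authenticated' : 'login';
}
```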