Invalid auth token does not log user out #1757
Labels
No Label
dependencies
duplicate
help wanted
invalid
kind/bug
kind/feature
needs reproduction
question
security
wontfix
No Milestone
No Assignees
3 Participants
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: vikunja/vikunja#1757
Loading…
Reference in New Issue
No description provided.
Delete Branch "%!s(<nil>)"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
If I restart the API server (in docker) all current JWTs are invalidated, but they're not expired yet so the frontend doesn't logout. I have to manually logout in order to get back to the login screen and get a new token.
This is evidenced by a bunch of 401 errors on API calls and nothing loading (similar to #317)
It would be nice if there was a re-auth required popup or something, or at least an auto redirect to the login screen.
Partial Fix
If I add
ctx.dispatch('logout')
after auth.js:187 it will force a logout at least by the next page refreshOther thoughts
I've been looking around at how this could be implemented but the best idea I've had is to add something to each HTTP...catch block. Not sure if that's the best.
First of all, you should configure a jwt secret to prevent token invalidation after restarting the container. If you don't do that, Vikunja will generate a new random secret at startup which is what invalidates the previously issued tokens.
There is a check which logs the user out if the token expired, but not when renewing failed. I've added your suggestion in
51bbad9794
since it sounded like a good idea. Now the user will be logged out if the token could not be renewed. If you manually reload the page after the jwt secret changed, this will still yield an error but will properly log out the user. I still think the best way to prevent these error messages is to prevent the token from expiring by renewing it, but for that you should configure a jwt secret server side.Could you check the newest version from my commit above to see if the error persists? A release should be ready shortly.
Ah, I missed that config option!
It looks like the random secret is generated in after-install.sh, I'm assuming I should use this command to generate what I pass as config?
Thanks for your response and I'll be able to test that commit soon.
No, the random secret is set directly in the config at https://kolaente.dev/vikunja/api/src/branch/master/pkg/config/config.go#L209 -
after-install.sh
is only executed once (after installing) for debian and rpm packages.You can pass it whatever you like. A good secret follows the usual password rules and has at least 32 characters.
pwgen
works great to generate one.Good to know, thank you! Setting the VIKUNJA_SERVICE_JWTSECRET env in my docker-compose.yml has fixed the root issue of invalidating all the JWTs on restart.
Your patch is also working, I was successfully logged out after refreshing. You don't need to rush out a a new release for me though, I currently have a custom build running anyways and already pulled it in :)
I did still see some 401 errors when causing other API calls (like changing pages), but that isn't as annoying if refreshing fixes things.
I thought so :upside_down: I think the root issue here has been introduced since the last release anyway so the last release should still not have that issue (that is, as long as you have a jwt secret configured)
The other api calls are coming from loading the lists overview for the menu on the left and whatever you currently have open. I think this is fine since the token is most likely invalidated after the tab hasn't been active for a long time which means Vikunja would notice this only after a page reload (or re-focus) in which case it will log the user out. Also to really fix this we'd need to check after every request which would get annoying quite quickly, as you already figured out.
I'm closing this issue since it seems to be resolved, feel free to reopen if you have any issues.
Using current unstable (and I think it was the same in stable), this seems to be broken. The error message pops up, but I am not logged out properly :/
It looks like this only happens when a list with a background has recently been visited and it tries to load the list background after logging out.
I've fixed this particular error in
4c560f1a03
but there might be more like it in the future. Please report back if you find any.