Cannot visit more than one shared link #1806

Closed
opened 2021-07-09 16:26:07 +00:00 by andreymal · 6 comments
Contributor

Steps to reproduce:

  1. Get two different shared links on the same Vikunja instance
  2. Visit first link
  3. Then visit second link

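Instead of opening, the frontend hangs on "Authenticating…" and does nothing because of [this return](https://kolaente.dev/vikunja/frontend/src/commit/f0498fd767a9df1c1f89e21b2a2606377f455a0d/src/views/sharing/LinkSharingAuth.vue#L64-L65) (state.auth contains information about the previous shared link).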

(A quick fix would be an automatic logout when opening a different shared link, but I guess this has deeper roots because shared links reuse the same authentication mechanism as regular users. As a consequence, if a registered user visits a shared link, the user is automatically logged out because the jwt is being replaced by the shared link — this is a bad UX. I suspect that the authentication mechanism needs to be reworked, but I have no idea how to do it best, so I just leave this note here.)

Owner

Ideally you would be able to visit multiple links simultaneously without them overriding each other. As you pointed out, that's not that easy to fix because all api connections assume an authentication token stored in local storage which is shared per domain and not per tab. To fix this, it would need to only store the auth token in memory, but only for link shares and then pass it along. Would require quite some refactoring of the way the api connection is currently implemented.

konrad added the kind/bug and kind/feature labels 2021-07-09 17:04:00 +00:00
Owner

Turns out, this is a lot less hard than I thought.

I've implemented a change in a787f6ffc7 which saves auth tokens from link shares in memory only, making it possible to view multiple link shares in the same browser without them interfering with each other (or with a logged-in user in the same browser).
I'm closing this issue as it is resolved, feel free to reopen if you have any other problems with it.
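
The storage behaviour discussed above, as an added example that is not part of the original thread and not Vikunja's code: it contrasts keeping link-share tokens in origin-wide storage with keeping them in per-tab memory. `OriginStorage` is a constructed stand-in for `localStorage`; `TabAuth`, its methods and the token strings are hypothetical.

```javascript
// Constructed stand-in for window.localStorage: one store per origin,
// visible to every tab opened on that origin.
class OriginStorage {
  constructor() { this.items = new Map(); }
  getItem(key) { return this.items.has(key) ? this.items.get(key) : null; }
  setItem(key, value) { this.items.set(key, String(value)); }
}

// Hypothetical per-tab auth state (names are illustrative, not Vikunja's).
class TabAuth {
  constructor(storage, { shareTokensInMemory }) {
    this.storage = storage;
    this.shareTokensInMemory = shareTokensInMemory;
    this.linkShareToken = null; // lives only in this tab's memory
  }
  loginUser(jwt) { this.storage.setItem('token', jwt); }
  openLinkShare(shareJwt) {
    if (this.shareTokensInMemory) {
      this.linkShareToken = shareJwt;          // isolated per tab
    } else {
      this.storage.setItem('token', shareJwt); // replaces the origin-wide token
    }
  }
  // Token an API client would attach to requests made from this tab.
  currentToken() {
    return this.linkShareToken ?? this.storage.getItem('token');
  }
}

// Scenario from the issue: a logged-in user and two different link shares
// opened in the same browser (constructed sample tokens).
function scenario(shareTokensInMemory) {
  const storage = new OriginStorage();
  const userTab = new TabAuth(storage, { shareTokensInMemory });
  const shareTabA = new TabAuth(storage, { shareTokensInMemory });
  const shareTabB = new TabAuth(storage, { shareTokensInMemory });
  userTab.loginUser('user-jwt');
  shareTabA.openLinkShare('share-1-jwt');
  shareTabB.openLinkShare('share-2-jwt');
  return {
    user: userTab.currentToken(),
    shareA: shareTabA.currentToken(),
    shareB: shareTabB.currentToken(),
  };
}

console.log('shared storage:', scenario(false));
console.log('memory only:   ', scenario(true));
```

With origin-wide storage every tab ends up sending the token of the last link share opened, including the tab of the logged-in user; with memory-only share tokens each tab keeps its own identity.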

Author
Contributor

@konrad it seems I caught a race: the `user/token` and `shares/.../auth` requests are sent at almost the same time, and the authorization result depends on which response comes last

Owner

I've added a timeout for renewing the token in 20fd25e280 which should fix that.

Author
Contributor

Now it works 👍
Seems the logout button is no longer needed? Removing it will make shared pages look a bit nicer

Owner

Yeah I think that makes sense (f0e093b3d6)

Reference: vikunja/vikunja#1806