Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

LANDING_PAGE=login leads to endless redirects if you're logged in #28231

Closed
plashenkov opened this issue Nov 26, 2023 · 12 comments · Fixed by #28636
Closed

LANDING_PAGE=login leads to endless redirects if you're logged in #28231

plashenkov opened this issue Nov 26, 2023 · 12 comments · Fixed by #28636
Labels
issue/confirmed Issue has been reviewed and confirmed to be present or accepted to be implemented type/bug
Milestone
1.22.0

Comments

@plashenkov
Copy link

Description

Hi!

When you use LANDING_PAGE = login, you get endless redirects of /user/login page if you're logged in. The /user/login page always makes endless redirects, whereas the home (/) page does this as well, but from time to time (probably this is session-related or something like that).

Regarding home page: it works OK usually, but if you do not use Gitea for some time (not so much, you're still logged in), it will trigger endless redirects until you open the home page again.

Additional info:

Gitea versions: 1.21.0, 1.21.1

I'm using Gitea behind Caddy with the simplest configuration:

code.plashenkov.com {
  tls my@email.com
  reverse_proxy gitea:3000
}

Gitea Version

1.21.1

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

I'm running Gitea from Docker: gitea/gitea:1.21.1

Database

SQLite
@yp05327
Copy link
Contributor

yp05327 commented Nov 27, 2023

I can reproduce this issue in 1.21.But I can not reproduce this in the latest version. So it seems that it was fixed.

ps: Maybe it was fixed by #27606.
You can try the latest version or wait for the official release of v1.22

@lng2020 lng2020 added the issue/needs-feedback For bugs, we need more details. For features, the feature must be described in more detail label Dec 5, 2023
@plashenkov
Copy link
Author

Hey @yp05327
Thanks for your response. Do you have an exact method to reproduce the issue?
I upgraded to 1.21.2 and have not encountered this issue yet.
Is there any chance it was already fixed in 1.21.2?

@plashenkov
Copy link
Author

Oh, no, 1.21.2 still has it.
Got it just now.

@lng2020 lng2020 removed the issue/needs-feedback For bugs, we need more details. For features, the feature must be described in more detail label Dec 20, 2023
@jacopo-j
Copy link

jacopo-j commented Dec 23, 2023
edited
Loading

I have just upgraded to v1.21.3 and I'm also experiencing this issue.
Some details: when I visit the root Gitea URL after a while (I'm guessing after some session token expires and needs renewal), I get redirected to /user/login and that ends up in a redirect loop. It doesn't happen if I visited Gitea recently or if I'm not logged in.

@lafriks
Copy link
Member

lafriks commented Dec 24, 2023

It should probably be a good idea to allow two landing page values one for unauthorized and one for authorized users, ex. login,explore

@wxiaoguang
Copy link
Contributor

It is a bug, and I think it is related to the auth token ( Enhanced auth token / remember me #27606 )

I guess it's also somewhat related to False alarm warning message for invalid auth token #28602

For this issue, these are the steps to reproduce:

  1. Set LANDING_PAGE=login
  2. Login with "Remember me"
  3. Delete the Gitea's login cookie "i_like_gitea" from browser cookie list
  4. Then this bug occurs.

And 1.22 is also affected.

@wxiaoguang wxiaoguang added this to the 1.22.0 milestone Dec 25, 2023
@wxiaoguang wxiaoguang added the issue/confirmed Issue has been reviewed and confirmed to be present or accepted to be implemented label Dec 25, 2023
@wxiaoguang
Copy link
Contributor

@KN4CK3R would you like to take a look?

@KN4CK3R
Copy link
Member

KN4CK3R commented Dec 28, 2023
edited
Loading

That behaviour is unrelated to #27606. We just have a check in /user/login if the user is already signed in. If yes, Gitea should not show the login page but redirect the user to the page configured in the config and that is /user/login. Then the cycle repeats.

gitea/routers/web/auth/auth.go

Lines 129 to 150 in 4d1277c

isSucceed, err := autoSignIn(ctx)
if err != nil {
if errors.Is(err, auth_service.ErrAuthTokenInvalidHash) {
ctx.Flash.Error(ctx.Tr("auth.remember_me.compromised"), true)
return false
}
ctx.ServerError("autoSignIn", err)
return true
}
redirectTo := ctx.FormString("redirect_to")
if len(redirectTo) > 0 {
middleware.SetRedirectToCookie(ctx.Resp, redirectTo)
} else {
redirectTo = ctx.GetSiteCookie("redirect_to")
}
if isSucceed {
middleware.DeleteRedirectToCookie(ctx.Resp)
ctx.RedirectToFirst(redirectTo, setting.AppSubURL+string(setting.LandingPageURL))
return true
}

129 checks for an existing login
148 redirects to /user/login again

I don't know how useful it is to set the login page as landing page. If you want to force a login you can set REQUIRE_SIGNIN_VIEW.

@plashenkov
Copy link
Author

I don't know how useful it is to set the login page as landing page. If you want to force a login you can set REQUIRE_SIGNIN_VIEW

For example, you don't want to show the default landing page, the login page looks like the most relevant and convenient. REQUIRE_SIGNIN_VIEW isn't what you want since it simply closes everything, all public projects, exploring, etc. You still want to allow this.

@wxiaoguang wxiaoguang mentioned this issue Dec 28, 2023
Merged
@wxiaoguang
Copy link
Contributor

-> Avoid cycle-redirecting user/login page #28636

@feng-zh
Copy link

feng-zh commented Dec 28, 2023

For the reference, this issue is introduced during change from #26105. Before the change, the signed-in user may go to home page before touch real sign-in logic.

wxiaoguang added a commit that referenced this issue Dec 30, 2023
@wxiaoguang
Avoid cycle-redirecting user/login page (#28636)
e5d8c4b 
Fix #28231, and remove some unused code. The `db.HasEngine` doesn't seem
useful because the db engine is always initialized before web route.
@wxiaoguang wxiaoguang mentioned this issue Dec 30, 2023
Merged
lunny pushed a commit that referenced this issue Dec 30, 2023
@wxiaoguang
Avoid cycle-redirecting user/login page (#28636) (#28658)
2165729 
Backport #28636

Fix #28231, and remove some unused code.
@plashenkov
Copy link
Author

Thanks guys! Good luck to you all!

fuxiaohei pushed a commit to fuxiaohei/gitea that referenced this issue Jan 17, 2024
@wxiaoguang @fuxiaohei
Avoid cycle-redirecting user/login page (go-gitea#28636)
389100a 
Fix go-gitea#28231, and remove some unused code. The `db.HasEngine` doesn't seem
useful because the db engine is always initialized before web route.
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 14, 2024
silverwind pushed a commit to silverwind/gitea that referenced this issue Feb 20, 2024
@wxiaoguang @silverwind
Avoid cycle-redirecting user/login page (go-gitea#28636)
58ccac7 
Fix go-gitea#28231, and remove some unused code. The `db.HasEngine` doesn't seem
useful because the db engine is always initialized before web route.
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
issue/confirmed Issue has been reviewed and confirmed to be present or accepted to be implemented type/bug
Projects
None yet
Milestone
1.22.0
Development

Successfully merging a pull request may close this issue.

Avoid cycle-redirecting user/login page wxiaoguang/gitea
8 participants
@lafriks @KN4CK3R @wxiaoguang @plashenkov @feng-zh @jacopo-j @yp05327 @lng2020