Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Gitlab oauth token is not refreshed, logging out user after two hours #7352

Open
LHSnow opened this issue Dec 19, 2024 · 0 comments
Open

Gitlab oauth token is not refreshed, logging out user after two hours #7352

LHSnow opened this issue Dec 19, 2024 · 0 comments
Labels
area: extensions/backends/gitlab pinned type: bug code to address defects in shipped code

Comments

@LHSnow
Copy link

LHSnow commented Dec 19, 2024

Describe the bug

Users are logged out without warning, probably caused by the login oauth token expiring and not being properly refreshed, as required since gitlab 15. It is no longer possible to have non-expiring tokens in gitlab.

To Reproduce

  1. Login using PKCE/gitlab backend (see config below)
  2. Wait for two hours (the standard expiration time of gitlab oauth tokens)
  3. Scheduled calls to the gitlab user endpoint now starts returning 401 errors

Expected behavior

The scheduled call to user should refresh the oauth token and keep the user signed in.

Request logs

still working request:

GET /api/v4/user HTTP/2
Host: <redacted>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate, br, zstd
Referer: <redacted>
Authorization: Bearer 9d752b972ce8c8cd1edaf668d2af7bb5a37010fb5dee58308f978f4a0f151987
Origin: <redacted>
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
If-None-Match: W/"692f5c5cee24de6dc8fdfe5a9c4a51c6"
Priority: u=4
Cache-Control: max-age=0

still ok response:

HTTP/2 200 
server: nginx
date: Thu, 19 Dec 2024 12:06:25 GMT
content-type: application/json
access-control-allow-methods: GET, HEAD, POST, PUT, PATCH, DELETE, OPTIONS
access-control-allow-origin: *
access-control-expose-headers: Link, X-Total, X-Total-Pages, X-Per-Page, X-Page, X-Next-Page, X-Prev-Page, X-Gitlab-Blob-Id, X-Gitlab-Commit-Id, X-Gitlab-Content-Sha256, X-Gitlab-Encoding, X-Gitlab-File-Name, X-Gitlab-File-Path, X-Gitlab-Last-Commit-Id, X-Gitlab-Ref, X-Gitlab-Size, X-Request-Id, ETag
access-control-max-age: 7200
cache-control: max-age=0, private, must-revalidate
etag: W/"4752a3456d96fe4f2ad80a03fa61df63"
vary: Accept-Encoding, Origin
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-gitlab-meta: {"correlation_id":"01JFFCZQMCVYHV6STWWV8JYVDV","version":"1"}
x-request-id: 01JFFCZQMCVYHV6STWWV8JYVDV
x-runtime: 0.036890
strict-transport-security: max-age=63072000
referrer-policy: strict-origin-when-cross-origin
content-encoding: gzip
X-Firefox-Spdy: h2

minutes later, another request to /user:

GET /api/v4/user HTTP/2
Host: <redacted>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate, br, zstd
Referer: <redacted>
Authorization: Bearer 9d752b972ce8c8cd1edaf668d2af7bb5a37010fb5dee58308f978f4a0f151987
Origin: <redacted>
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
If-None-Match: W/"4752a3456d96fe4f2ad80a03fa61df63"
Priority: u=4
Cache-Control: max-age=0

which results in a 401

HTTP/2 401 
server: nginx
date: Thu, 19 Dec 2024 12:11:25 GMT
content-type: application/json
content-length: 118
access-control-allow-methods: GET, HEAD, POST, PUT, PATCH, DELETE, OPTIONS
access-control-allow-origin: *
access-control-expose-headers: Link, X-Total, X-Total-Pages, X-Per-Page, X-Page, X-Next-Page, X-Prev-Page, X-Gitlab-Blob-Id, X-Gitlab-Commit-Id, X-Gitlab-Content-Sha256, X-Gitlab-Encoding, X-Gitlab-File-Name, X-Gitlab-File-Path, X-Gitlab-Last-Commit-Id, X-Gitlab-Ref, X-Gitlab-Size, X-Request-Id, ETag
access-control-max-age: 7200
cache-control: no-cache
vary: Origin
www-authenticate: Bearer realm="Protected by OAuth 2.0", error="invalid_token", error_description="Token is expired. You can either do re-authorization or token refresh."
x-gitlab-meta: {"correlation_id":"01JFFD8WP4PK59WTRJDV7WWET4","version":"1"}
x-request-id: 01JFFD8WP4PK59WTRJDV7WWET4
x-runtime: 0.038033
strict-transport-security: max-age=63072000
X-Firefox-Spdy: h2

{"error":"invalid_token","error_description":"Token is expired. You can either do re-authorization or token refresh."}

Applicable Versions:

  • Decap CMS version: 3.3.3
  • Git provider: Gitlab
  • OS: debian bookworm
  • Browser version: 128.5.2esr (64-bit)

CMS configuration

backend:
  name: gitlab 
  repo: <redacted>
  auth_type: pkce 
  app_id: 50e280b...
  api_root: https://<redacted>/api/v4
  base_url: https://<redacted>
  auth_endpoint: oauth/authorize
  branch: master

Additional context

The toast error message saying the user has been logged out is visible only briefly, and if the user is away from their computer they might completely miss it. Error messages such as this should stay visible. Once the user is logged out, the error message for any server interaction changes to the non-descriptive API_ERROR.
@LHSnow LHSnow added the type: bug code to address defects in shipped code label Dec 19, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area: extensions/backends/gitlab pinned type: bug code to address defects in shipped code
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@LHSnow @martinjagodic