You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Describe the bug
Setup a server with "(anon)" included in the auth principles (readers or writers).
Login to the server with a valid user/password in a freshly launched browser window.
Your credentials are now cached (in all modern browsers, the basic auth cache is NOT a "stored password" and is only cleared on browser-app restart).
Shut-down the server, change that user's password. Restart the server.
Refresh the (already open) browser window. The server receives a login request, which $:/core/modules/server/authenticators/basic.js handles, but because it has a header (with the cached & previously valid credentials), it only tests for valid username/password.
As the currently sent creds are not valid, the basic authenticator returns an HTTP error. This triggers a re-login request & the browser is then locked into a login-prompt loop (neither canceling nor entering any non-valid creds will break the loop).
Expected behavior
If "(anon)" is used as a reader or writer, all authentication attempts succeed, but ONLY valid logins receive an authenticatedUsername. The syncer then handles errors by setting
// Mark us as not logged in
self.wiki.addTiddler({title: this.titleIsLoggedIn,text: "no"});
in the error handler.
TiddlyWiki Configuration (please complete the following information):
Version [v5.1.24-prerelease]
Saving mechanism [Node.js]
Plugins installed [none]
Desktop (please complete the following information):
OS: [Windows 10]
Browser [Chrome]
Version [91.0.4472.101]
The text was updated successfully, but these errors were encountered:
Looks like an anonymous logged in user (as a reader) cannot ever log out, as the logout request is a POST (& readers are limited to GET)... hrmmm, how to work around that one....
Hrm, that complicates things, and I think this may be such a corner-case that it may introduce unwanted halo bugs.
I some-how got my Chrome browser to enter a state where it will not prompt for the basic-login credentials using the "logout"/"login" button under the server cloud. And that persists after server-restart (but would not after browser restart).
Ug. Ok...seems like basic-auth just comes with these type of browser bugs.
Describe the bug
Setup a server with "(anon)" included in the auth principles (readers or writers).
Login to the server with a valid user/password in a freshly launched browser window.
Your credentials are now cached (in all modern browsers, the basic auth cache is NOT a "stored password" and is only cleared on browser-app restart).
Shut-down the server, change that user's password. Restart the server.
Refresh the (already open) browser window. The server receives a login request, which
$:/core/modules/server/authenticators/basic.js
handles, but because it has a header (with the cached & previously valid credentials), it only tests for valid username/password.As the currently sent creds are not valid, the basic authenticator returns an HTTP error. This triggers a re-login request & the browser is then locked into a login-prompt loop (neither canceling nor entering any non-valid creds will break the loop).
Expected behavior
If "(anon)" is used as a reader or writer, all authentication attempts succeed, but ONLY valid logins receive an authenticatedUsername. The syncer then handles errors by setting
in the error handler.
TiddlyWiki Configuration (please complete the following information):
Desktop (please complete the following information):
The text was updated successfully, but these errors were encountered: