-
-
Notifications
You must be signed in to change notification settings - Fork 10.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bug: Sessions and authentication #6034
Comments
I've seen something like this recently when deleting/recreating databases. Deleting the auth info from local storage fixes it so that definitely points to an issue with either the changes in ember-simple-auth (most likely) or changes in how we handle invalid sessions. I'll have a play and see if I can find anything that may be causing the behaviour in ESA. |
I think it may have to do with the oauth-prefilter instance initializer. That was the only reasonable way I could think to implement that behavior when I upgraded it, but I think it may cause issues on setup if the blog's database is deleted. I will also look into this. |
Hitting the export button is the easiest reproduction case atm I think |
The login/signup error: When Ember is loaded, Ember Simple Auth calls the oauth2 authenticator's restore method in order to verify that the user is still logged in. The issue stems from the fact that the restore method only pings the server if the regular access_token is expired. In the steps above, they are all done rather quickly, which results in the token not being expired, at least on the client side. What may need to happen to fix this (and this is just a quick idea), is to better handle 401 unauthorized errors on the client. Or, the authenticator needs to actually ping the server each time (regardless of whether or not the refresh_token is expired) and go from there. Will spend some time seeing if one or the other works better. As to the second issue: The export function differs from the rest of the api calls in that it is a url appended to an iframe. I haven't had much time to research it, but I made sure I fixed that one when I did the upgrade, so it must have broken sometime after that. Because it is appended to the iframe, the access token is passed as a query parameter. The pipeline refactor may have caused this, as that's the only change I think that's happened to the db api, but then again I haven't had a ton of time to research this. |
The issue here is that your access token is still around in local storage from the previous install so when loading ghost again it thinks you're logged in so tries to load normally but the server returns a 401 as your access_token no longer exists. One workaround is to always redirect to Do we return different messages from the server if an access_token has expired vs the access_token not existing? If there's a difference then we can handle the various cases appropriately in the client. The above also highlights that our error processing has gone awry somewhere - rather than just showing the 500 page we should also be showing an alert indicating that you are no longer logged in. We should also offer some way of easily getting back to the login screen (essentially quick-access to the "log out" flow - removing the local storage credentials will auto-redirect to the signin screen).
This is an odd one, I'm not sure why that would happen. @cobbspur Does this happen every time you delete the database and try to setup up again or only in combination with other steps? |
I can try to replicate locally. What is your node and npm version? |
from #6043 same as Incognito mode,forever loading spinner
|
Okay so this seems to be my mistake. Other than the export issue which is its own separate issue now. Locally without realising it, I have been using an old shortcut 127.0.0.1:2368/ghost but this is mapped to localhost in my hosts file. Using localhost:2368/ghost I do not experience any of these problems. |
Ah okay, I thought it was strange that I couldn't reproduce exactly. You have managed to highlight a number of areas where our handling of authorisation has regressed however so I'm adding tests for those and working on fixes 😄 Are we good to close this issue in favour of the separate export and redirect/re-auth modal issues that I'll be opening? |
Yeah I believe so, the export one has already been raised |
Issue Summary
I have had difficulties recently setting up ghost/logging in to ghost/creating exports which I think are all inter-related hence raising them in one issue initially.
One issue is setting up a new blog after deleting database results in errors.
The second issue seems to be that if I log out I cannot log back in again - access is denied. Using the password reset can sometimes enable me to log-in but the issue recurs.
The third issue is that the export tool in labs does not work - access in denied (this has been split out to #6040)
Steps to Reproduce
The easiest issue to reproduce is to log into your blog and go to the labs page /ghost/settings/labs and click the export button.
You will see an error in your console.
The other issues appear to be related at least partly to sessions already being in progress which will hopefully become clearer as you read through the steps to reproduce but because of the first steps are:
npm start
wait for database to be createdRepeat these steps and try to create a blog in both normal browsing mode and incognito mode. Here is what I see.
Non-incognito mode -
npm start
redirects to /ghost/setup and I see a 500 error :I get the following error in console: ERROR: Access denied.
Incognito mode - correctly redirected to /ghost/setup/one
I can then try to fill out the form but on submission of step 2 I get the forever loading spinner:
![screen shot 2015-11-02 at 17 38 57](https://cloud.githubusercontent.com/assets/4405395/10889494/45ddf47c-818a-11e5-9a1e-6f19ecb5cb3d.png)
Error this time is: ERROR: Access denied.
If I refresh the page I am taken to the sign-in page but attempting to log in results in the same error.
Technical details
Tested on OS X Yosemite and windows7 x64 ultimate
The text was updated successfully, but these errors were encountered: