Can't logout of user account after upgrade to v3.4.3 #16949
Comments
What occurs exactly when selecting the “log out” button on the “Are you sure you want to log out?” prompt? Do you know if it worked on v3.4.1 or earlier?
Definitely worked in v3.4.1 and before. From memory I believe it returned you to a login screen when you press ‘LOG OUT’. It now returns you to the standard view of your timelines.
Weird. I can't think of a reason it would behave this way, and I cannot reproduce it using Firefox. Unfortunately, I do not have access to Safari to try reproducing it.
The only thing that was different to a normal upgrade was that I was prompted to update the following:
It might be a Safari specific issue. I remember reporting a media upload/playback issue that only affected Safari a while back. The problem with this one is that partially restricting the ability of a user to logout could present a security risk on shared machines etc.
Yes, I understand that is an issue. But I don't understand why it is happening. Can you reproduce it reliably, or does it not always happen? If you have admin access to your instance, you may try applying the following to have some more debug info:

diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index 5232e6cfd..4f0b08e85 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -1,9 +1,13 @@
require 'devise/strategies/authenticatable'
-Warden::Manager.after_set_user except: :fetch do |user, warden|
+Warden::Manager.after_set_user except: :fetch do |user, warden, opts|
+ Rails.logger.warn "set_user: #{user.id} (opts: #{opts.inspect})"
+
if user.session_active?(warden.cookies.signed['_session_id'] || warden.raw_session['auth_id'])
+ Rails.logger.warn "set_user reusing session for #{user.id}"
session_id = warden.cookies.signed['_session_id'] || warden.raw_session['auth_id']
else
+ Rails.logger.warn "set_user creating new session for #{user.id}"
session_id = user.activate_session(warden.request)
end
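Review bot: the lookup `warden.cookies.signed['_session_id'] || warden.raw_session['auth_id']` is evaluated twice in this hunk (once in the `if`, once in the assignment); hoist it into a local and log whether the value came from the cookie or from `raw_session['auth_id']`, since which of the two is present on the failing Safari requests is exactly what this instrumentation needs to answer. The `Rails.logger.warn` calls are fine for a throwaway debug patch but should not survive into a release at that level.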
@@ -17,6 +21,8 @@ Warden::Manager.after_set_user except: :fetch do |user, warden|
end
Warden::Manager.after_fetch do |user, warden|
+ Rails.logger.warn "after_fetch! #{user.id}"
+
if user.session_active?(warden.cookies.signed['_session_id'] || warden.raw_session['auth_id'])
warden.cookies.signed['_session_id'] = {
value: warden.cookies.signed['_session_id'] || warden.raw_session['auth_id'],
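Review bot: the new `after_fetch` log line records the user id but not the outcome of the `session_active?` test that follows it; log that result as well (or put a line in each branch), otherwise the log cannot distinguish a fetch that reused the session from one that fell through.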
@@ -31,7 +37,8 @@ Warden::Manager.after_fetch do |user, warden|
end
end
-Warden::Manager.before_logout do |_, warden|
+Warden::Manager.before_logout do |user, warden|
+ Rails.logger.warn "before logout! for #{user.id}"
SessionActivation.deactivate warden.cookies.signed['_session_id']
warden.cookies.delete('_session_id')
end

I'm interested in the sequence of actions occurring when logging out from Safari.
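Review bot: `user.id` in the `before_logout` callback raises `NoMethodError` when `user` is nil, and Warden does invoke this callback with a nil user when the scope being logged out has no authenticated user. Use `user&.id` in the log line, and decide explicitly whether `SessionActivation.deactivate` should still run on the cookie value in that case.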
Yep, it happens consistently on multiple user accounts, two different instances, and on both desktop and mobile versions of Safari, so can definitely be reproduced. I'm admin on two instances so happy to help 😂
@rodti can you apply the patch above, reload
May or may not fix mastodon#16949
I borrowed an iPad and did not manage to reproduce the issue, so I really don't understand what may be causing the issue. It would help if you could post the logs after applying the patch in #16949 (comment); also, do you have anything unusual (browser extensions, etc.) on your setup? Finally, if the issue can be reliably reproduced, can you try #16972 and see if it fixes the issue?
Hi there, apologies for my slow reply, I've been away for a few days with limited connectivity. I do have admin access on two affected instances but not entirely clear how to apply the patch you've posted in #16949 (comment)
No change to functionality after applying that patch. This is what I'm seeing in the logs when I log in as a user and then try to log out again:
The NoMethodError and config/initializers/devise.rb lines repeat frequently in the logs.
This is really odd, I can't understand how it could be called with a Can you apply the following patch on top of the previous one and try again?

diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index 4f0b08e85..750ca3469 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -37,8 +37,8 @@ Warden::Manager.after_fetch do |user, warden|
end
end
-Warden::Manager.before_logout do |user, warden|
- Rails.logger.warn "before logout! for #{user.id}"
+Warden::Manager.before_logout do |user, warden, opts|
+ Rails.logger.warn "before logout! for #{user&.id.inspect} ; #{warden.cookies.signed['_session_id'][..4]} ; #{opts.inspect}"
SessionActivation.deactivate warden.cookies.signed['_session_id']
warden.cookies.delete('_session_id')
end
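Review bot: `warden.cookies.signed['_session_id'][..4]` raises `NoMethodError` when the cookie is absent (`nil[..4]`), so on exactly the requests this patch is meant to observe, the log line fails before anything is written. Guard it with `&.[](..4)` or log the value's presence with `.inspect` instead. Note also that the beginless range `[..4]` requires Ruby 2.7 or newer.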
New patch applied, same issues:
… ok… apply this patch and try again:

diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index 750ca3469..f9d608c59 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -38,6 +38,10 @@ Warden::Manager.after_fetch do |user, warden|
end
Warden::Manager.before_logout do |user, warden, opts|
+ if warden.cookies.signed['_session_id'].nil?
+ Rails.logger.warn "before logout! called with nil user??"
+ return
+ end
Rails.logger.warn "before logout! for #{user&.id.inspect} ; #{warden.cookies.signed['_session_id'][..4]} ; #{opts.inspect}"
SessionActivation.deactivate warden.cookies.signed['_session_id']
warden.cookies.delete('_session_id')
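Review bot: `return` inside the `before_logout` block raises `LocalJumpError`: the block is a proc defined at the top level of an initializer, not inside a method, so there is no enclosing method to return from. Use `next` to leave the block early, or wrap the remainder in an `else` branch.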
Thanks for all your help with this, still having issues but the errors are now moving to line 43:
I've now tested it in Google Chrome, Internet Explorer and Firefox, all of which work as expected. On the current build of Safari on macOS Monterey, iOS 15 and iPadOS 15 I experience this issue. Really strange that it worked on your iPad though? I wonder if it could be anything specific to the upgrade, but I've followed the standard upgrade process (which I've done many times before!) on both instances.
Can you retry with this patch?

diff --git a/app/controllers/auth/sessions_controller.rb b/app/controllers/auth/sessions_controller.rb
index 630b0dee5..a933d2174 100644
--- a/app/controllers/auth/sessions_controller.rb
+++ b/app/controllers/auth/sessions_controller.rb
@@ -29,6 +29,7 @@ class Auth::SessionsController < Devise::SessionsController
end
def destroy
+ Rails.logger.warn "called /auth/sign_out; #{current_user&.id} ; session present? #{cookies.signed['_session_id'].present?}"
tmp_stored_location = stored_location_for(:user)
super
session.delete(:challenge_passed_at)
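Review bot: the label `session present?` in the new log line is misleading: the expression tests the signed `_session_id` cookie, not the Rails session. Name it `_session_id cookie present?` so the log cannot be misread when the two diverge, which is precisely the situation under investigation. Logging `current_user&.id` before `super` is correct, since Devise's `destroy` signs the user out and `current_user` is nil afterwards.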
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index f9d608c59..fbac6b59e 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -40,11 +40,11 @@ end
Warden::Manager.before_logout do |user, warden, opts|
if warden.cookies.signed['_session_id'].nil?
Rails.logger.warn "before logout! called with nil user??"
- return
+ else
+ Rails.logger.warn "before logout! for #{user&.id.inspect} ; #{warden.cookies.signed['_session_id'][..4]} ; #{opts.inspect}"
+ SessionActivation.deactivate warden.cookies.signed['_session_id']
+ warden.cookies.delete('_session_id')
end
- Rails.logger.warn "before logout! for #{user&.id.inspect} ; #{warden.cookies.signed['_session_id'][..4]} ; #{opts.inspect}"
- SessionActivation.deactivate warden.cookies.signed['_session_id']
- warden.cookies.delete('_session_id')
end
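Review bot: the message `before logout! called with nil user??` does not match its condition, which tests `warden.cookies.signed['_session_id'].nil?` rather than `user`; reword it to say that the `_session_id` cookie is missing. Restructuring into `if`/`else` is the right replacement for the `return` that cannot be used inside this block.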
module Devise
diff --git a/config/initializers/suppress_csrf_warnings.rb b/config/initializers/suppress_csrf_warnings.rb
index b86adc6f1..bfde38ff5 100644
--- a/config/initializers/suppress_csrf_warnings.rb
+++ b/config/initializers/suppress_csrf_warnings.rb
@@ -1,5 +1,5 @@
# frozen_string_literal: true
Rails.application.reloader.to_prepare do
- ActionController::Base.log_warning_on_csrf_failure = false
+ ActionController::Base.log_warning_on_csrf_failure = true
end

Also, is there any error in the browser's debug console when logging out?
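Review bot: flipping `log_warning_on_csrf_failure` to `true` is the right diagnostic here, since a sign-out POST rejected by the CSRF check would otherwise fail silently; when reading the logs, look for the `Can't verify CSRF token authenticity` warning immediately before the expected `called /auth/sign_out` line. This initializer change is global, so it should be reverted once the logs have been collected.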
I've created an account on mastodon.online which works as expected, both in simple and advanced web interfaces, so this seems to be limited to the two instances I've upgraded to v3.4.3. |
Last patch has changed the error again!
Does reloading the page before clicking the logout link help? What's the output when logging out from another browser? When logging out from the settings page?
Hi, I had the same issue. It happened on Safari on iPhone and macOS. For my instance, the problem looks like it comes from the frontend, rather than the backend. When I click this button, the layer just closes itself, and nothing happens. I tried to use tools to watch the network traffic, and I noticed that no request was sent when I clicked that button. And the Safari console has no errors. I am not familiar with React so I could not find a way to debug it. For my environment, I use a self-built docker version with the same code base as 3.4.3.
Ok I'm pretty confused for several reasons:
@rodti could you reply to the questions I asked in this comment? #16949 (comment)

Patch 1:

diff --git a/app/controllers/auth/sessions_controller.rb b/app/controllers/auth/sessions_controller.rb
index 0184bfb52..b9fe1ed7b 100644
--- a/app/controllers/auth/sessions_controller.rb
+++ b/app/controllers/auth/sessions_controller.rb
@@ -148,6 +148,7 @@ class Auth::SessionsController < Devise::SessionsController
clear_attempt_from_session
user.update_sign_in!(request, new_sign_in: true)
+ remember_me(user)
sign_in(user)
flash.delete(:notice)
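Review bot: a one-line comment on why `remember_me(user)` has to run before `sign_in(user)` would help future readers: `sign_in` fires Warden's set-user callbacks, and since this series removes the `after_set_user` hook from `config/initializers/devise.rb`, the `_session_id` cookie only exists on the following requests if it was written here first.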
@@ -170,4 +171,17 @@ class Auth::SessionsController < Devise::SessionsController
user_agent: request.user_agent
)
end
+
+ def remember_me(user)
+ session_id = cookies.signed['_session_id']
+ session_id = user.activate_session(request) unless user.session_active?(session_id)
+
+ cookies.signed['_session_id'] = {
+ value: session_id,
+ expires: 1.year.from_now,
+ httponly: true,
+ secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'),
+ same_site: :lax,
+ }
+ end
end
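Review bot: the cookie attributes in `remember_me` (`expires: 1.year.from_now`, `httponly: true`, `secure: ...`, `same_site: :lax`) duplicate the ones still set in the `after_fetch` callback in `config/initializers/devise.rb`; extract a single helper so the two cannot drift, in particular `secure:` and `same_site:`, which are the attributes that matter for a session cookie. Also, with the `after_set_user` hook removed in the devise.rb part of this patch, any sign-in path that does not go through this controller method no longer creates a session activation; worth confirming that is intended.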
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index 5232e6cfd..a7cb065f8 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -1,21 +1,5 @@
require 'devise/strategies/authenticatable'
-Warden::Manager.after_set_user except: :fetch do |user, warden|
- if user.session_active?(warden.cookies.signed['_session_id'] || warden.raw_session['auth_id'])
- session_id = warden.cookies.signed['_session_id'] || warden.raw_session['auth_id']
- else
- session_id = user.activate_session(warden.request)
- end
-
- warden.cookies.signed['_session_id'] = {
- value: session_id,
- expires: 1.year.from_now,
- httponly: true,
- secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'),
- same_site: :lax,
- }
-end
-
Warden::Manager.after_fetch do |user, warden|
if user.session_active?(warden.cookies.signed['_session_id'] || warden.raw_session['auth_id'])
warden.cookies.signed['_session_id'] = {

Patch 2:

diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index f9d608c59..a4612bf8a 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -111,6 +111,10 @@ module Devise
end
end
+ def clean_up_csrf?
+ false
+ end
+
private
def session_cookie
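Review bot: `clean_up_csrf?` returning `false` deserves a comment stating why. Devise's CSRF-cleaner hook consults this method on the winning strategy and deletes `session[:_csrf_token]` after every successful authentication unless it returns false, so a strategy that re-authenticates from the `_session_id` cookie would otherwise rotate the token underneath an already-rendered page and cause the next sign-out POST to fail its CSRF check. Stating that in the code ties this change to the CSRF-warning patch above.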
Reloading the page before clicking logout doesn't make any difference. Will have a look again at other browsers later on.
When you say 'not in 3.4.3' I take it they're going to be included in a later release? Is it worth me adding those changes to see if it fixes my issues?
It is going to be included in a later release, at least the next major one, if not in a minor release before that. You can cherry-pick the changes from #16574, it will most definitely fix your issues. I'm still curious to know whether the changes in #16949 (comment) fix anything for you without the front-end changes, due to your weird logs, though.
First patch gives this error:
I've tried both patches and neither fixes the issue. I made sure to revert previous changes first as per your instruction.
ah, yes, the patch doesn't apply cleanly on v3.4.3, sorry. Never mind then, I think the front-end change is the proper fix. I'm still confused at your weird logs though.
I've applied those changes and they don't fix the issue! I'll double check they've all been applied correctly. I restarted the web service afterwards.
Did you run
Ah! No I didn't, and now it works. Sorry for that, multitasking badly here. Thanks for all your help!
I have the same problem.
Yeah, the problem has been confirmed, and is fixed by #16574. You can cherry-pick this change, or wait for a new version.
Fixed in 3.4.4 |
Expected behaviour
Follow standard logout process in interface, user is logged out.
Actual behaviour
Follow standard logout process in interface, user is not logged out.
Steps to reproduce the problem
Specifications
v3.4.3
This occurs on macOS 12.0.1 with Safari 15.1 (17612.2.9.1.20)
It doesn't seem to be an issue on Chrome.
The user account can still be logged out from the Preferences page.
It has been proven to be an issue on two separate instances with identical configuration.