Login process is reset when accessing sprites #3643
Comments
Why are SVG files served as |
The file in question is served by Wagtail with this content type, it's actually a collection of SVGs
Question is raised in Wagtail's discussion wagtail/wagtail#11649
Do you perhaps have a public link to such content? I would like to have a look at what we're dealing with here...
See https://torchbox.com/admin/login/ for the login page, and https://torchbox.com/admin/sprite-44dc8f37/ for a sprite. I would say Wagtail's way of handling this sprite is quite funky (as it's not a valid HTML document): it seems that Wagtail is using a script to store the icon in localStorage
I have added a refinement to the middleware to deal with this gracefully, see: 551f523
For any person stumbling upon this: 551f523 is using |
Hi,

We use allauth and allauth.mfa along with Wagtail, and our login templates use SVG sprites.

Through the login process, more precisely just after the email/password input and before the MFA code input, the login data gets stripped from the session, because accessing the sprites causes the function `_check_dangling_login` to execute `request.session.pop("account_login")` in `allauth.account.middleware`.

Our SVG sprites do not pass the condition in `_should_check_dangling_login` since they're text/html and not statics.

As a result, users can see the MFA input page but no matter what they enter, they're redirected to the login page because `account_login` is no longer in the session object, so the login process is reset.

Would it be possible to extend the "favicon.ico, robots.txt, humans.txt" whitelist via settings?
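
A simplified model of the behaviour reported above, added here as an illustration; it is not allauth's code and not part of the original report. The function names, the `touches_login` flag, the `extra_ignored_prefixes` parameter (standing in for the requested setting), the `/static/` prefix and the sample session value are assumptions made for the example.

```python
# Simplified model of the dangling-login check described in this issue.
STATIC_URL = "/static/"  # assumed static-files prefix
BUILTIN_IGNORED = ("/favicon.ico", "/robots.txt", "/humans.txt")  # list quoted in the issue


def should_check_dangling_login(path, content_type, extra_ignored_prefixes=()):
    """True when a response counts as a page view outside the login flow."""
    # Only text/html responses are treated as page views.
    if content_type.partition(";")[0].strip().lower() != "text/html":
        return False
    # Static files and the fixed path list are skipped.
    if path.startswith(STATIC_URL) or path in BUILTIN_IGNORED:
        return False
    # Hypothetical settings-driven extension of that list.
    if any(path.startswith(prefix) for prefix in extra_ignored_prefixes):
        return False
    return True


def process(session, path, content_type, touches_login=False,
            extra_ignored_prefixes=()):
    """Model one request/response cycle through the middleware."""
    if not touches_login and should_check_dangling_login(
            path, content_type, extra_ignored_prefixes):
        session.pop("account_login", None)  # the pending login is dropped
    return session


def simulate(extra_ignored_prefixes=()):
    """Password step, sprite fetch, MFA step. True if the MFA step can proceed."""
    session = {}
    # 1. Email/password accepted: the pending login is stored (constructed value).
    session["account_login"] = {"user": "alice", "stage": "mfa"}
    process(session, "/accounts/login/", "text/html", touches_login=True)
    # 2. The MFA page loads the sprite, which is served as text/html.
    process(session, "/admin/sprite-44dc8f37/", "text/html; charset=utf-8",
            extra_ignored_prefixes=extra_ignored_prefixes)
    # 3. The MFA code only works if the pending login is still in the session.
    return "account_login" in session


if __name__ == "__main__":
    print("default list:", simulate())
    print("with sprite prefix ignored:", simulate(("/admin/sprite-",)))
```

Any prefix added to such a list stops page views under it from clearing a pending login, so entries should match the sprite path as narrowly as possible.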