TaskBoard
Randomly kicking me out! (Going from Settings to Boards)
Describe the bug: When browsing to Boards or going back and forward from Settings to Boards, I am disconnected and need to log in again. There is no fixed time; it happens randomly.
To Reproduce Steps to reproduce the behavior:
- Go to Settings
- Clicking back & forward to Boards
Expected behavior: I would expect to have a fixed time before timing out. Even better, a simple option in Settings to select 30/60min/2h/4h.
Screenshots
Please complete the following information:
- OS: Linux Hyperbola 0.3
- Browser Iceweasel (based on Firefox)
- Version 52.9.20200112 (64-bit)
Additional context: Seems to be a bug, as it is easily reproducible when browsing quickly between Settings & Boards.
Yeah, that's a bug. Seems like a request is getting lost along the way, and a new API token is needed to be used, but the UI hasn't received the token yet.
If it takes you back to the last page you were trying to get to (Settings or Boards) then it's definitely the case.
I confirm, it is the case! I have just done multiple tests and, to give you more input, it is definitely an issue (only) when hitting the Boards button: even if I am already on Boards and click on Boards again, I am kicked out!
Thanks for the additional input!
Is there a simple code fix we can apply to make this work until the 1.02 version is available?
@flipsidecreations Unfortunately, no. I still haven't had time to get it fixed (new job) but will try to get it done soon.
The problem seems to be a race condition with the api/refresh call. If I step through the code with a debugger, it works just fine.
I "fixed" it by doing this to disable token refreshing in the updateBoards call (line 154 of board.components.ts):
updateBoards(): void {
  // this.boardService.refreshToken(() => {
    this.boardService.getBoards().subscribe((response: ApiResponse) => {
      this.boards = [];
      if (response.data.length > 1) {
        this.updateBoardsList(response.data[1]);
        return;
      }
      this.loading = false;
    });
  // });
}
Of course, you will have to remember to click "remember me" or else you will be logging in every half hour.
I think a "real" fix is going to involve only calling the refresh method once per unit of time rather than in a position where it could be called every few requests. OR you could store multiple tokens and keep the old ones around for a few minutes after they have been refreshed.
I'm leaning toward the second option you mentioned, just need to get some time to work on TaskBoard again.
The issue is solved on 1.0.2 for moving from Boards <-> Settings but is still present from Dashboard <-> Boards | Settings.
Edit: it does happen from Settings to Boards as well.
@kiswa highlighting you as I don't know if you get notification on closed issues
Well crap. Also, Dashboard? That shouldn't be a thing in 1.0.2... I may have released code I did not mean to.
Yep, I was surprised to see Dashboards! Definitely got the kick-out issue again, and it is very reproducible.
I worked around the problem by commenting out lines 70 and 71 in BaseController.php (73 is probably ok to comment out as well). This prevents it from regenerating the token on every request.
public function secureRoute($request, $response, $securityLevel) {
    ...
    ...
    $user = R::load('user', Auth::GetUserId($request));
    if ((int)$user->security_level > $securityLevel) {
        $this->apiJson->addAlert('error', $this->strings->api_accessRestricted);
        return 403;
    }
    //$payload = Auth::getJwtPayload($request->getHeader('Authorization')[0]);
    //$user->active_token = Auth::createJwt($user->id, $payload->mul);
    R::store($user);
    $this->setStrings($user->userOptionId);
    $this->apiJson->addData($user->active_token);
    return $status;
}
@marner2 thanks for the workaround. Is there no security risk in doing that? I mean, could someone who is not using the token potentially send data to the server?
@2Belette All that is doing is refreshing the token on each request that calls secureRoute. The worst that it might do is cause your token to invalidate after it expires, although I haven't been able to find the code that actually checks the expiration time from the token. Ideally you would wait until the token expires and then use it as a one-time refresh token at that point to invalidate the others. This would still break if there were multiple requests being made concurrently (second one fired off before it gets the refreshed token from the first one), but not every single concurrent request like it does now.
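The race described in this thread, and the "keep the old ones around for a few minutes" option proposed earlier, modelled as an added example (not TaskBoard's code and not written by any commenter). `TokenRotator`, `simulate` and the `tok-…` strings are hypothetical stand-ins for the API's per-request JWT rotation.

```typescript
// Added example: a model of per-request token rotation, not TaskBoard's code.
// Tokens are constructed strings standing in for the JWTs the API issues.
type Retired = { token: string; retiredAt: number };

class TokenRotator {
  private active = new Map<number, string>();     // userId -> current token
  private retired = new Map<number, Retired[]>(); // userId -> recently replaced tokens
  private counter = 0;
  private graceMs: number;

  // graceMs = 0 models the behaviour in the thread: only the newest token is valid.
  constructor(graceMs: number) {
    this.graceMs = graceMs;
  }

  issue(userId: number): string {
    const token = `tok-${userId}-${++this.counter}`; // placeholder, not a real JWT
    this.active.set(userId, token);
    return token;
  }

  // Validate the presented token, then rotate. Returns the new token, or null (401).
  handleRequest(userId: number, presented: string, now: number): string | null {
    const current = this.active.get(userId);
    if (current === undefined) return null;
    // Drop retired tokens whose grace window has passed.
    const fresh = (this.retired.get(userId) ?? []).filter(
      (r) => now - r.retiredAt < this.graceMs
    );
    const ok = presented === current || fresh.some((r) => r.token === presented);
    if (!ok) return null;
    fresh.push({ token: current, retiredAt: now });
    this.retired.set(userId, fresh);
    return this.issue(userId);
  }
}

// Two requests leave the browser carrying the same token; the second arrives
// after the first has rotated it. A third replays that token after the window.
function simulate(graceMs: number) {
  const server = new TokenRotator(graceMs);
  const t0 = server.issue(1);
  const first = server.handleRequest(1, t0, 1000) !== null;
  const second = server.handleRequest(1, t0, 1050) !== null;
  const lateReplay = server.handleRequest(1, t0, 1000 + graceMs + 1) !== null;
  return { first, second, lateReplay };
}
console.log(simulate(0), simulate(5000));
```

A grace window also lengthens the time a captured token stays usable after rotation, so it should only be long enough to cover in-flight requests.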
@marner2 The expiration testing is part of the JWT library in use. I forget the exact call, but when the JWT is validated, that includes expiration.
@marner2 I can't see this function anymore in my BaseController.php from v1.0.2, am I missing something?
Any idea how to make this workaround work before 1.0.3?
@2Belette Sorry I wasn't able to respond sooner. It should be there, the function is secureRoute and it exists in BaseController.php on the current master (commit: df66f9e).
@marner2 many thanks, I think my eyes were not open last time! I found them in a minute. Now it is at least a little bit usable, but the order and column lost bugs still make it very complicated to use.
@marner2 does the "Remember me" button work for you? Even though I applied your workaround, which at least lets me use TaskBoard before 1.0.3, I am kicked out every half hour, which is too short as I am using it all day long. Clicking on Remember me doesn't change anything, is it the same for you? As another workaround, is there a simple way to increase this timeout period? Many thanks
@2Belette here is the function that defines this time period: (https://github.com/kiswa/TaskBoard/blob/master/src/api/controllers/Auth.php#L220-L226)
public static function createJwt($userId, $mult = 1) {
    return JWT::encode(array(
        'exp' => time() + (60 * 30) * $mult, // 30 minutes * $mult
        'uid' => (int)$userId,
        'mul' => $mult
    ), Auth::getJwtKey());
}
Here is the spot that should depend on whether rememberme is pressed: https://github.com/kiswa/TaskBoard/blob/master/src/api/controllers/Auth.php#L134
$jwt = self::createJwt($user->id, ($data->remember ? 200 : 1));
You should be able to change either one, or debug why you're not getting that remember part of the token set.
@marner2 thanks! I have increased the timeout value thanks to you!
For the "Remember Me", that's strange, is it working on your side?
Happening to me too -- any updates on this? Kind of a show stopper...
Not sure if it's the same problem, but I get kicked out nearly immediately, sometimes in the middle of drawing the dashboard. I did not even get to changing the default password..
Hi @kiswa, wondering if the project is abandoned? I haven't seen any update for ~> 4 months.
It is not abandoned @2Belette, but I've had a lot going on the last several months. Hopefully I'll be able to get back into active development on TaskBoard before too much longer.
I changed the $mult to 1000. Fingers crossed that'll be enough. ;)