
After logging out from the app, links still log in on lichess.org

Open · ornicar opened this issue 3 years ago • 3 comments

Bug report from email.

When logging out from the app, re-signing in with both password and 2FA can be bypassed by simply pressing any link (from within the app) that takes you to the lichess website, instantly signing into the account and rendering both password and 2FA pointless.

To reproduce, log out, then press any link (from within the app) that says ‘More on lichess.org’. To test this out, search players, for example ‘Alexsur81’, then press the link. It will instantly sign in to the account. Even after signing out, closing the app and then restarting it, pressing that link will bypass secure login, rendering it pointless.

ornicar · Jun 12 '22 07:06

I can reproduce. I think that's because the internal browser the app uses to display lichess.org pages retains the authentication.

veloce · Jun 12 '22 13:06

I don't know exactly what's going on server side; this is how the app would authenticate in this internal browser:

https://github.com/lichess-org/lichobile/blob/master/src/utils/browse.ts#L10

veloce · Jun 12 '22 14:06

I found the reason. Before, the server would automatically open an authenticated page using the token. Now it asks the user to log in with a button, so it creates a session for the browser. See:

4541

veloce · Jun 12 '22 14:06