
403 error page when the session expires, but a "remember me" token still exists

Open krzys-h opened this issue 1 year ago • 1 comment

It seems that the app does not correctly handle "remember me" tokens, and returns a generic 403 error page when a login using a remember me token is automatically attempted during page load (or at least that's what I assume happens, based on a quick glance at the code).

Note: The "Remember me" checkbox doesn't seem to exist on the login page anymore, and is always enabled.

This is related to a comment I made here: https://github.com/nextcloud/limit_login_to_ip/issues/28#issuecomment-1904128859

Reproduction steps: Note: I left all session expiration settings at Nextcloud defaults.

  1. Log in to your Nextcloud instance from a whitelisted IP
  2. Switch to using a non-whitelisted IP
  3. Try to access the instance - notice how the session is still available
  4. Wait a while for the session to expire. I did not manage to reproduce the effect by removing any combination of the cookies; the session has to expire on the backend. For quick testing, I'm removing sessions from Redis manually; this may differ depending on the session storage backend used: redis-cli --scan --pattern "PHPREDIS_SESSION:*" | xargs redis-cli unlink
  5. Attempt to access the instance again - the remember me token will be used to renew the session, triggering the preLogin hook

Expected behavior: Either the session is allowed to continue like it is for a while after switching IPs, or the session is terminated and the "Login is not allowed from this IP" error appears

Actual behavior: A generic 403 error from the browser appears, leaving the user confused as to what is going on.


krzys-h, Jan 28 '24 17:01
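The flow the report describes, as an added, self-contained model that is not the app's code and does not use Nextcloud's APIs: a live session keeps working after the client's IP changes, and the IP check only runs when a login happens, which includes the automatic renewal from a "remember me" token once the backend session has expired. The model shows the second of the two expected behaviours the reporter lists, a terminated session with a descriptive "Login is not allowed from this IP" error instead of a bare 403. The allowlist networks, the addresses, the session TTL and the store layout are all constructed for the example.

```python
import ipaddress
import secrets
from dataclasses import dataclass, field

# Constructed allowlist; stands in for the app's configured IP ranges.
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "203.0.113.0/24")]


def ip_allowed(ip: str) -> bool:
    """True if the client address falls inside any allowlisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


class LoginNotAllowedFromIP(Exception):
    """Descriptive error a client should see instead of a generic 403."""


@dataclass
class Store:
    # Constructed in-memory stand-in for the PHP session backend (Redis on the page).
    sessions: dict = field(default_factory=dict)        # session_id -> (user, expires_at)
    remember_tokens: dict = field(default_factory=dict) # token -> user


def pre_login(user: str, ip: str) -> None:
    """Model of a preLogin-style check: runs on every login, including token renewals."""
    if not ip_allowed(ip):
        raise LoginNotAllowedFromIP(f"Login is not allowed from this IP: {ip}")


def login(store: Store, user: str, ip: str, now: int, ttl: int = 60):
    """Interactive login from a client IP; issues a session and a remember-me token."""
    pre_login(user, ip)
    sid, token = secrets.token_hex(8), secrets.token_hex(16)
    store.sessions[sid] = (user, now + ttl)
    store.remember_tokens[token] = user
    return sid, token


def request(store: Store, sid: str, token: str, ip: str, now: int, ttl: int = 60):
    """One page load. Returns (status, user).

    A live session is honoured regardless of the current IP (the behaviour seen in
    step 3). Once the session has expired on the backend, the remember-me token is
    used to renew it, and that renewal goes through pre_login (step 5).
    """
    sess = store.sessions.get(sid)
    if sess and sess[1] > now:
        return "ok", sess[0]
    store.sessions.pop(sid, None)  # expired on the backend, as in step 4

    user = store.remember_tokens.get(token)
    if user is None:
        return "unauthenticated", None
    try:
        pre_login(user, ip)
    except LoginNotAllowedFromIP as exc:
        # Terminate instead of leaving a dangling token that keeps producing 403s.
        store.remember_tokens.pop(token, None)
        return f"forbidden: {exc}", None
    store.sessions[sid] = (user, now + ttl)
    return "renewed", user


def scenario():
    """Replays the report's steps with constructed addresses and a 60 s session TTL."""
    store = Store()
    t0 = 1000
    sid, token = login(store, "alice", "10.1.2.3", t0)            # step 1: allowlisted IP
    r1 = request(store, sid, token, "198.51.100.7", t0 + 10)     # steps 2-3: IP changed, session still live
    r2 = request(store, sid, token, "198.51.100.7", t0 + 120)    # steps 4-5: expired, renewal denied
    r3 = request(store, sid, token, "198.51.100.7", t0 + 130)    # token gone, so plain unauthenticated
    return r1, r2, r3


if __name__ == "__main__":
    for status, user in scenario():
        print(status, user)
```

Running the scenario prints `ok alice`, then `forbidden: Login is not allowed from this IP: 198.51.100.7`, then `unauthenticated None`, which is the sequence the reporter observes except that the second step carries a readable reason. The other expected behaviour the reporter mentions, letting the renewed session continue for a grace period, would be a policy decision inside `request`, not a change to `pre_login`.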

I have the 403 error page also.

ENTPRESTIGIOUS, Jan 24 '25 00:01