Comments (12)
Hello,
I am encountering a similar issue to the one reported here. I frequently work with multiple tabs open in the latest version of Chrome, and often when I try to refresh one of the tabs, I am automatically logged out, particularly when I move a tab to a new window. In addition to this, after closing and reopening Directus a few hours later, I am presented with an "Unexpected Error [INVALID_TOKEN] Invalid token" message, as illustrated in the attached screenshot. Despite multiple refresh attempts, the problem persists. The temporary solution I have found is to clear the browser cache, which then redirects me back to the login page.
Is there a temporary workaround or a proposed fix while waiting for further updates? Are others experiencing the same issues, and is there a permanent solution to address these problems? Thank you for your attention and hard work in addressing these issues.
from directus.
This bug seems to be isolated to Chrome-based browsers. And once you're pulling the tab out into a new window these can be considered 2 browsers (and it looks like they may no longer share a cookie storage). This should not be an issue for 2 tabs within the same browser/window.
from directus.
I've been triaging this a bit, and to me it looks like it is indeed a race condition.
In the `AuthenticationService.refresh` method I see two requests arriving nearly simultaneously, as far as I can tell caused by both tabs receiving a focus-in event at the same time, when one is pulled out. They both have the same refresh token and arrive at the same point in time, one updates the database with a new token, then the other request checks for a matching token in the DB, which has been updated in the meantime and fails.
I don't think this is related to it being in different windows and not sharing cookies.
from directus.
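The sequence described in the comment above, as an added example that is not part of the original thread and is not Directus code: a strict rotate-on-refresh store rejects the second tab's request, while a short reuse window (one common mitigation, assumed here, not the project's fix) hands both tabs the same successor token. `SessionStore`, `graceMs`, `mintToken` and the `tok-N` values are hypothetical.

```javascript
// Added example: hypothetical names throughout, not Directus's implementation.
class InvalidTokenError extends Error {
  constructor() { super('Invalid token'); this.code = 'INVALID_TOKEN'; }
}

class SessionStore {
  // graceMs = 0 is strict rotation; graceMs > 0 tolerates a concurrent duplicate.
  constructor({ graceMs, mintToken }) {
    this.graceMs = graceMs;
    this.mintToken = mintToken;   // production: CSPRNG-backed generator
    this.current = new Map();     // live refresh token -> session id
    this.retired = new Map();     // rotated-out token -> { successor, retiredAt }
  }
  login(sessionId) {
    const token = this.mintToken();
    this.current.set(token, sessionId);
    return token;
  }
  refresh(token, now) {
    const sessionId = this.current.get(token);
    if (sessionId !== undefined) {
      // First request to arrive: rotate and remember what replaced the old token.
      const successor = this.mintToken();
      this.current.delete(token);
      this.current.set(successor, sessionId);
      this.retired.set(token, { successor, retiredAt: now });
      return successor;
    }
    const old = this.retired.get(token);
    // Second request with the same token: only honoured inside the short window,
    // and only while the successor is still live. Outside it, the old token is dead.
    if (old && now - old.retiredAt < this.graceMs && this.current.has(old.successor)) {
      return old.successor;
    }
    throw new InvalidTokenError();
  }
}

// Two tabs send the same cookie 5 ms apart; a third replay arrives a minute later.
function simulateTwoTabs(graceMs) {
  let n = 0; // constructed, deterministic tokens so the outcome is easy to read
  const store = new SessionStore({ graceMs, mintToken: () => `tok-${++n}` });
  const shared = store.login('session-A');
  return [['tab1', 1000], ['tab2', 1005], ['late-replay', 61000]].map(([who, now]) => {
    try { return { who, token: store.refresh(shared, now) }; }
    catch (err) { return { who, error: err.code }; }
  });
}

console.log(simulateTwoTabs(0), simulateTwoTabs(2000));
```

The window keeps a rotated-out token usable for its duration, so it should be no longer than the spread between concurrent requests from the same client.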
> They both have the same refresh token and arrive at the same point in time, one updates the database with a new token, then the other request checks for a matching token in the DB, which has been updated in the meantime and fails.
> I don't think this is related to it being in different windows and not sharing cookies.

I'm seeing the same, however both windows end up with different cookies (one updated, and failed so not updated). Both windows ending up with different cookies for the same session would lose the ability for one tab to refresh the cookie and the other to pick it up, like they do as tabs on the same window, requiring them to have their own individual sessions.
There are some things we could do to avoid the race condition itself, however if these windows don't share a cookie storage that is a deeper problem and will keep causing one window to invalidate the other while they are sharing a session, on any refresh down the line, not just this race condition.
from directus.
> There are some things we could do to avoid the race condition itself, however if these windows don't share a cookie storage that is a deeper problem and will keep causing one window to invalidate the other while they are sharing a session, on any refresh down the line, not just this race condition.

This is not what I'm seeing on my machine. See the attached video. I've got two Chrome windows open, first triggering a token refresh in one window, then in the second window. The refresh in the second window uses the cookie that was set in the first window. Or am I missing something here?
Screen.Recording.2024-05-03.at.12.36.22.mov
from directus.
> The refresh in the second window uses the cookie that was set in the first window.

If so then the second refresh shouldn't be failing as it would be a valid token. I am having some trouble reproducing the issue today so will need some more research.
from directus.
Something along these lines is happening to us pretty regularly. It does seem to be related to multiple tabs, though I can't understand why.
from directus.
The same thing happens to me when I'm working on a collection and sometimes get redirected to the login page when I save the collection, but I don't get any specific error message indicating a problem.
from directus.
> The same thing happens to me when I'm working on a collection and sometimes get redirected to the login page when I save the collection, but I don't get any specific error message indicating a problem.

That actually sounds like an unrelated problem, if it specifically happens when saving a collection. You might want to leave the network tab of your developer tools open to see if there is any specific, failing request. And if it is unrelated, open a separate issue.
from directus.
> Hello,
> I am encountering a similar issue to the one reported here. I frequently work with multiple tabs open in the latest version of Chrome, and often when I try to refresh one of the tabs, I am automatically logged out, particularly when I move a tab to a new window. In addition to this, after closing and reopening Directus a few hours later, I am presented with an "Unexpected Error [INVALID_TOKEN] Invalid token" message, as illustrated in the attached screenshot. Despite multiple refresh attempts, the problem persists. The temporary solution I have found is to clear the browser cache, which then redirects me back to the login page.
> Is there a temporary workaround or a proposed fix while waiting for further updates? Are others experiencing the same issues, and is there a permanent solution to address these problems? Thank you for your attention and hard work in addressing these issues.

is this specifically related to 10.11.0 for you? i am experiencing a new issue that has the related invalid token error, but nothing to do with tabs or windows. it only took the first launch of the day (from a shutdown) for me to encounter this. i'm theorizing it could be a regression from #22353
from directus.
> i'm theorizing it could be a regression from #22353

That's not a regression but rather a security fix surfacing a deeper issue which was obscured by insecure handling of the session token. Not that that detail matters if you're running into the issue: clear your cookies and be careful with multiple tabs is the current workaround, and we're working on a permanent fix.
from directus.
> is this specifically related to 10.11.0 for you? i am experiencing a new issue that has the related invalid token error, but nothing to do with tabs or windows. it only took the first launch of the day (from a shutdown) for me to encounter this. i'm theorizing it could be a regression from #22353

Thank you for sharing your experience. Regarding the invalid token issue, I can confirm that I started encountering this on version 10.11.0. As for the race condition, it has been a problem since version 10.10.7. I'm considering a downgrade to version 10.10.5 as a temporary measure to see if that resolves the race condition issue without introducing other problems. Have you, or anyone else, experienced any improvements or other issues with earlier versions like 10.10.5?

> That's not a regression but rather a security fix surfacing a deeper issue which was obscured by insecure handling of the session token. Not that that detail matters if you're running into the issue: clear your cookies and be careful with multiple tabs is the current workaround, and we're working on a permanent fix.

Thank you for the clarification and the update on the security fix. I appreciate the insights and understand now that the issue with invalid tokens is not a regression but part of a security improvement. I will follow the suggested workaround of clearing cookies and being cautious with multiple tabs. Looking forward to the permanent fix. Thanks again for the swift response and for addressing these issues actively.
from directus.