Description
Describe the bug
Users are logged out without warning, probably caused by the login OAuth token expiring and not being properly refreshed, as required since GitLab 15. It is no longer possible to have non-expiring tokens in GitLab.
To Reproduce
- Login using PKCE/gitlab backend (see config below)
- Wait for two hours (the standard expiration time of gitlab oauth tokens)
- Scheduled calls to the GitLab `user` endpoint now start returning 401 errors
Expected behavior
The scheduled call to `user` should refresh the OAuth token and keep the user signed in.
Request logs
Still-working request:

```http
GET /api/v4/user HTTP/2
Host: <redacted>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate, br, zstd
Referer: <redacted>
Authorization: Bearer 9d752b972c...
Origin: <redacted>
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
If-None-Match: W/"692f5c5cee24de6dc8fdfe5a9c4a51c6"
Priority: u=4
Cache-Control: max-age=0
```
Still-OK response:

```http
HTTP/2 200
server: nginx
date: Thu, 19 Dec 2024 12:06:25 GMT
content-type: application/json
access-control-allow-methods: GET, HEAD, POST, PUT, PATCH, DELETE, OPTIONS
access-control-allow-origin: *
access-control-expose-headers: Link, X-Total, X-Total-Pages, X-Per-Page, X-Page, X-Next-Page, X-Prev-Page, X-Gitlab-Blob-Id, X-Gitlab-Commit-Id, X-Gitlab-Content-Sha256, X-Gitlab-Encoding, X-Gitlab-File-Name, X-Gitlab-File-Path, X-Gitlab-Last-Commit-Id, X-Gitlab-Ref, X-Gitlab-Size, X-Request-Id, ETag
access-control-max-age: 7200
cache-control: max-age=0, private, must-revalidate
etag: W/"4752a3456d96fe4f2ad80a03fa61df63"
vary: Accept-Encoding, Origin
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-gitlab-meta: {"correlation_id":"01JFFCZQMCVYHV6STWWV8JYVDV","version":"1"}
x-request-id: 01JFFCZQMCVYHV6STWWV8JYVDV
x-runtime: 0.036890
strict-transport-security: max-age=63072000
referrer-policy: strict-origin-when-cross-origin
content-encoding: gzip
X-Firefox-Spdy: h2
```
Minutes later, another request to `/user`:

```http
GET /api/v4/user HTTP/2
Host: <redacted>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate, br, zstd
Referer: <redacted>
Authorization: Bearer 9d752b972ce8c8cd1...
Origin: <redacted>
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
If-None-Match: W/"4752a3456d96fe4f2ad80a03fa61df63"
Priority: u=4
Cache-Control: max-age=0
```
which results in a 401:

```http
HTTP/2 401
server: nginx
date: Thu, 19 Dec 2024 12:11:25 GMT
content-type: application/json
content-length: 118
access-control-allow-methods: GET, HEAD, POST, PUT, PATCH, DELETE, OPTIONS
access-control-allow-origin: *
access-control-expose-headers: Link, X-Total, X-Total-Pages, X-Per-Page, X-Page, X-Next-Page, X-Prev-Page, X-Gitlab-Blob-Id, X-Gitlab-Commit-Id, X-Gitlab-Content-Sha256, X-Gitlab-Encoding, X-Gitlab-File-Name, X-Gitlab-File-Path, X-Gitlab-Last-Commit-Id, X-Gitlab-Ref, X-Gitlab-Size, X-Request-Id, ETag
access-control-max-age: 7200
cache-control: no-cache
vary: Origin
www-authenticate: Bearer realm="Protected by OAuth 2.0", error="invalid_token", error_description="Token is expired. You can either do re-authorization or token refresh."
x-gitlab-meta: {"correlation_id":"01JFFD8WP4PK59WTRJDV7WWET4","version":"1"}
x-request-id: 01JFFD8WP4PK59WTRJDV7WWET4
x-runtime: 0.038033
strict-transport-security: max-age=63072000
X-Firefox-Spdy: h2

{"error":"invalid_token","error_description":"Token is expired. You can either do re-authorization or token refresh."}
```
Applicable Versions:
- Decap CMS version: 3.3.3
- Git provider: GitLab
- OS: debian bookworm
- Browser version: 128.5.2esr (64-bit)
CMS configuration

```yaml
backend:
  name: gitlab
  repo: <redacted>
  auth_type: pkce
  app_id: 50e280b...
  api_root: https://<redacted>/api/v4
  base_url: https://<redacted>
  auth_endpoint: oauth/authorize
  branch: master
```
Additional context
The toast error message saying the user has been logged out is visible only briefly, and if the user is away from their computer they might completely miss it. Error messages such as this should stay visible. Once the user is logged out, the error message for any server interaction changes to the non-descriptive `API_ERROR`.
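The refresh-on-401 behaviour the report asks for, as an added JavaScript example (not Decap CMS code): it parses the `WWW-Authenticate` challenge GitLab returns above and, only when it says `error="invalid_token"`, performs a `refresh_token` grant against `/oauth/token` before retrying the call once. The injected `fetchImpl`, the `session` object shape and the `APP_ID_PLACEHOLDER` client id are assumptions; a PKCE client is public, so the refresh request carries `client_id` but no secret.

```javascript
// Parse a "WWW-Authenticate: Bearer ..." challenge into its parameters.
// Quoted values may contain spaces and commas (GitLab's error_description does).
function parseBearerChallenge(header) {
  if (!header || !/^Bearer\b/i.test(header)) return null;
  const params = {};
  const re = /(\w+)="([^"]*)"|(\w+)=([^\s,]+)/g;
  let m;
  while ((m = re.exec(header.slice(6))) !== null) {
    params[m[1] || m[3]] = m[2] !== undefined ? m[2] : m[4];
  }
  return params;
}

// Exchange a refresh token for a new access token at GitLab's /oauth/token.
// Assumed endpoint shape: standard OAuth 2.0 refresh_token grant, form-encoded.
async function refreshAccessToken(fetchImpl, baseUrl, clientId, refreshToken) {
  const body = new URLSearchParams({
    grant_type: 'refresh_token', client_id: clientId, refresh_token: refreshToken,
  });
  const res = await fetchImpl(`${baseUrl}/oauth/token`, {
    method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded' }, body,
  });
  if (!res.ok) throw new Error(`token refresh failed: HTTP ${res.status}`);
  const tok = await res.json();
  // Keep the refresh_token from the response: servers that rotate refresh
  // tokens invalidate the old one, so storing it is the only safe choice.
  return {
    accessToken: tok.access_token,
    refreshToken: tok.refresh_token,
    expiresAt: Date.now() + tok.expires_in * 1000,
  };
}

// Call an API endpoint with the session's bearer token. On a 401 whose challenge
// reports an expired/invalid token, refresh once and retry; any other 401 is
// returned unchanged so the caller can sign the user out with a clear reason.
async function fetchWithRefresh(fetchImpl, session, url) {
  const doFetch = () => fetchImpl(url, {
    headers: { Authorization: `Bearer ${session.accessToken}` },
  });
  let res = await doFetch();
  if (res.status === 401) {
    const challenge = parseBearerChallenge(res.headers.get('www-authenticate'));
    if (challenge && challenge.error === 'invalid_token' && session.refreshToken) {
      const fresh = await refreshAccessToken(fetchImpl, session.baseUrl, session.clientId, session.refreshToken);
      Object.assign(session, fresh); // assumed session shape: mutable token holder
      res = await doFetch();
    }
  }
  return res;
}
```

A scheduled refresh shortly before `expiresAt` avoids the user-visible 401 entirely; the reactive path above is the fallback for when that timer is missed.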