Open Bug 1898219 Opened 6 months ago Updated 6 months ago

Lando Treestatus gets "The CSRF token has expired" after some time of inactivity.

Categories

(Conduit :: Lando, defect, P2)

Tracking

(Not tracked)

People

(Reporter: ctuns, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: workaround in comment 5)

Attachments

(2 files)

Attached image screen.png

In Web Developer Tools->Storage->cookies says login should last until June 22nd.
I appear as logged in, but when I try to change anything I get the "The CSRF token has expired" error and I have to log out and log back in to make it work again; after ~1h of inactivity I have to redo the process.

Cristian had also mentioned the issue is reproducible if he logs in, changes the tree state, closes the treestatus tab, and opens treestatus later.

Curious if refreshing the page and then trying again helps? The CSRF token is unrelated to the login session, but usually is only valid for an hour or so after page load. If that doesn't help, there might be a bug here that is not refreshing the CSRF token on the page itself.

I tried refreshing the page, closing the tab and opening another; only logging out and logging back in works, but I can do a few more tests (if you want) after a moment (I just logged out and logged in to close the tree, so I won't encounter the bug for a few minutes).

Most likely this is a problem with the way the form is loaded on the page, thanks for checking.

I did the test again and refreshing won't help, because if I refresh the page with the error on it, it won't get me back to the initial page. I pressed the Treestatus button and tried making a change without re-logging and it worked. I will spend more time monitoring this.

That was my gut feeling, I think when there is an error, the backend is returning the old CSRF token in the response (with the redirect).

Severity: -- → S3
Priority: -- → P2
Whiteboard: workaround in comment 3
Whiteboard: workaround in comment 3 → workaround in comment 5

Today I accessed TreeStatus from the Treeherder menu -> Infra -> TreeStatus.
It appears that I'm logged in, even after several refreshes/closing and reopening the page.
I tried to close the tree but I got the CSRF token [..] error the first time, and after a few refreshes I kept getting "Could not update trees: Appropriate token is expired. Please log out and back in. Please try again later", and the second one won't go away until I specifically log out and log back in again.

Given that I was already logged in on Treeherder, shouldn't accessing TreeStatus from there automatically take my credentials?
In my understanding, if the token expires after a certain period of time, I shouldn't be able to do any action on TreeStatus, and there shouldn't appear any user logged in.

I tried to reproduce the issue on a fresh browser, where I haven't logged in before, and I got the following results:

  • Scenario 1:
    • I was not logged in on Treeherder, and I tried to access TreeStatus: Treeherder menu -> Infra -> TreeStatus.
    • On the TreeStatus page, it showed that there was no user logged in. -> expected.
  • Scenario 2:
    • I logged in on Treeherder, accessed TreeStatus the same way: Treeherder menu -> Infra -> TreeStatus.
    • On the TreeStatus page, it showed that there was no user logged in.
    • I attached a screenshot in #Comment 7, those are the two tabs of the same browser from Scenario 2.

I think the confusion comes from the fact that on the browser each sheriff uses on a daily basis, TreeStatus shows up as having the user logged in (when the token is actually expired), and we believed that the credentials were taken as before when logging in on Treeherder, as it happened with the old Treestatus.
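As an added illustration of the mechanism discussed in this thread (not Lando's own code): a CSRF token that carries its issue time and expires independently of the login session, plus a simulation of the two behaviours the comments contrast, an error page that echoes the stale token back versus one that mints a fresh token. The secret, the one-hour TTL and all helper names are assumptions for the example.

```python
import base64
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)  # constructed for the example; a real app loads it from config
TOKEN_TTL = 3600                  # assumed one-hour validity, as described in the thread


def issue_csrf_token(now=None):
    """Mint a token bound to its issue time: '<unix_ts>.<base64(HMAC-SHA256(secret, ts))>'."""
    ts = int(now if now is not None else time.time())
    sig = hmac.new(SECRET, str(ts).encode(), hashlib.sha256).digest()
    return f"{ts}.{base64.urlsafe_b64encode(sig).decode()}"


def validate_csrf_token(token, now=None):
    """Return None when the token is valid, else 'invalid' (bad MAC/format) or 'expired'."""
    now = now if now is not None else time.time()
    try:
        ts_str, sig_b64 = token.split(".", 1)
        ts = int(ts_str)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, TypeError):
        return "invalid"
    expected = hmac.new(SECRET, ts_str.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return "invalid"
    if now - ts > TOKEN_TTL:
        return "expired"
    return None


def render_form_after_error(submitted_token, now, reuse_old_token):
    """Simulate re-rendering the form on an error response. The buggy variant
    (reuse_old_token=True) echoes the submitted token back; the fixed one mints a new one."""
    return submitted_token if reuse_old_token else issue_csrf_token(now)


def simulate_inactive_user(idle_seconds, reuse_old_token):
    """Load the page, stay idle, submit; if the token has expired the error page
    re-renders the form and the user retries once. Return the retry's validation result."""
    t0 = 1_000_000                      # constructed page-load time
    token = issue_csrf_token(t0)
    t1 = t0 + idle_seconds
    if validate_csrf_token(token, t1) is None:
        return None                     # first submit succeeded, no retry needed
    token = render_form_after_error(token, t1, reuse_old_token)
    return validate_csrf_token(token, t1 + 1)
```

With the stale token echoed back, every retry after an hour of idling fails until a fresh page (or a new login) issues a new token, which is the symptom reported above.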
