
App logout when reopening app with GitLab SSO and Strict CSRF enforcement enabled #8262

Open
Fadi-Albahrani opened this issue Oct 15, 2024 · 0 comments

Comments

@Fadi-Albahrani

Summary

The first request after opening the app for the second time, /users/status/ids, returns 401 saying it's missing the CSRF header.

Environment Information

  • Device Name: Any, but tried on Galaxy S22+
  • OS Version: Any, but tried on Android 13
  • Mattermost App Version: 2.18.1
  • Mattermost Server Version: 9.5.6
  • Auth Method: SSO with redirect URL to GitLab
  • Server flags: "ExperimentalStrictCSRFEnforcement": true

Steps to reproduce

  1. Set "ExperimentalStrictCSRFEnforcement": true on the server (ours is 9.5.6)
  2. Login using SSO with redirect URL to GitLab
  3. Close the app, then open it

Expected behavior

No logout should happen

Observed behavior (that appears unintentional)

The user gets an immediate logout from the server

Further details

Upon debugging the app locally, we observed that there seems to be an issue with retrieving the CSRF token from cookies when reopening the app.
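The failure described in this report is the client half of a double-submit CSRF check: under strict enforcement the server rejects a cookie-authenticated, non-GET request unless it also carries a CSRF header that matches the token issued at login, so a client that restores its cookie jar but fails to recover the CSRF cookie will be answered with a 401 on its first mutating request. The following is an added example, not code from the Mattermost mobile app or server, that models both halves so the reopen scenario can be reproduced in a unit test. The cookie name MMCSRF and the header name X-CSRF-Token are the ones the Mattermost server uses; every function name, the X-Requested-With fallback, and the sample cookie values are constructed for this illustration.

```javascript
// Added example (not Mattermost code): models the client/server CSRF handshake this
// report concerns. Cookie/header names MMCSRF and X-CSRF-Token are Mattermost's;
// everything else here (function names, sample values) is constructed.

const CSRF_COOKIE = 'MMCSRF';
const CSRF_HEADER = 'x-csrf-token';

// Parse a persisted "Cookie:" request-header string into a name -> value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = part.slice(idx + 1).trim();
  }
  return out;
}

// Client side: headers a cookie-authenticated client should attach to a non-GET
// request. If the CSRF cookie is absent from the restored jar, no CSRF header is
// produced, which is the state the report describes after reopening the app.
function buildRequestHeaders(cookieString) {
  const cookies = parseCookies(cookieString);
  const headers = { cookie: cookieString, 'x-requested-with': 'XMLHttpRequest' };
  if (cookies[CSRF_COOKIE]) headers[CSRF_HEADER] = cookies[CSRF_COOKIE];
  return headers;
}

// Server side: a constructed strict double-submit check. sessionCsrf is the token the
// server stored with the session at login. With strict enforcement on, a mutating
// request must present a header equal to it; the X-Requested-With marker alone is
// only accepted when strict mode is off (modelled by the `strict` flag).
function checkCsrf(method, headers, sessionCsrf, strict = true) {
  if (method === 'GET' || method === 'HEAD' || method === 'OPTIONS') return { ok: true };
  const presented = headers[CSRF_HEADER];
  if (!presented) {
    if (!strict && headers['x-requested-with'] === 'XMLHttpRequest') return { ok: true };
    return { ok: false, status: 401, reason: 'missing CSRF header' };
  }
  if (presented !== sessionCsrf) {
    return { ok: false, status: 401, reason: 'CSRF token mismatch' };
  }
  return { ok: true };
}

// The report's scenario: the app reopens with a persisted cookie jar and makes its
// first POST. Returns the server's verdict so the two jar states can be compared.
function simulateReopen(persistedCookies, sessionCsrf, strict = true) {
  return checkCsrf('POST', buildRequestHeaders(persistedCookies), sessionCsrf, strict);
}

// Constructed sample values: a jar that kept MMCSRF, and one that lost it.
const JAR_WITH_CSRF = 'MMAUTHTOKEN=session-abc; MMCSRF=csrf-123';
const JAR_WITHOUT_CSRF = 'MMAUTHTOKEN=session-abc';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('intact jar  :', simulateReopen(JAR_WITH_CSRF, 'csrf-123'));
  console.log('lost cookie :', simulateReopen(JAR_WITHOUT_CSRF, 'csrf-123'));
  console.log('non-strict  :', simulateReopen(JAR_WITHOUT_CSRF, 'csrf-123', false));
}
```

The third case shows why the bug only surfaces with ExperimentalStrictCSRFEnforcement enabled: without strict mode the constructed server accepts the X-Requested-With marker as a stand-in, so a client that drops the CSRF cookie keeps working and the defect stays hidden. A client-side log line emitted whenever buildRequestHeaders finds an auth cookie but no CSRF cookie would have pointed straight at the cookie-restoration problem the reporter found by debugging.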
