Web user still "kind of" logged in after session expires

Your Environment

  • verdaccio version: v5.10.0
  • node version: v16.15.0
  • package manager: npm 8.5.5 (but bug is in website)
  • os: verdaccio runs on linux, user runs chrome version 101 on MacOS
  • platform: Website

NOTE: the Local Storage in chrome still contains username, darkMode, and token

Describe the bug

After the web session expires for a logged-in user (after ~60 minutes) the user is still shown in the user-dropdown but has no access to packages (we use access: $authenticated). In order to view the packages again the user has to log-out and then log-in again.

To Reproduce

  1. Start verdaccio with access: $authenticated configuration
  2. Log into web server as a valid user
  3. Wait until session expires (~60 minutes)
  4. reload page:
  • No Packages are shown: Correct
  • User is still shown (e.g., “Hi joerg.rech”): Intended?
  • To log-in the user has to log-out and then log-in again: Inconvenient

Expected behavior

I expected that the user can directly log-in without having to log-out first. Either by showing a menuitem to log-in in the user dropdown (e.g., where the log-out menuitem is) or by directly showing the log-in modal dialog.

Screenshots, server logs, package manager log

N/A

Configuration File (cat ~/.config/verdaccio/config.yaml)

I don’t think this will help - but I can provide it if you need it

Environment information

Verdaccio is running on AWS ec2 t2.micro instance using pm2 verdaccio behind a load balancer using a certificate to support https.

Environment Info:

(node:25430) [LRU_CACHE_OPTION_maxAge] DeprecationWarning: The maxAge option is deprecated. Please use options.ttl instead.
(Use `node --trace-deprecation ...` to show where the warning was created)

  System:
    OS: Linux 5.10 Amazon Linux 2
    CPU: (1) x64 Intel(R) Xeon(R) CPU E5-2676 v3 @ 2.40GHz
  Binaries:
    npm: 8.5.5 - ~/.nvm/versions/node/v16.15.0/bin/npm
  npmGlobalPackages:
    verdaccio: 5.10.0

Debugging output

N/A for web?

Issue Analytics

  • State: open
  • Created: a year ago
  • Reactions: 4
  • Comments: 8 (1 by maintainers)

Top GitHub Comments

3 reactions
juanpicado commented, Jul 7, 2022

@juanpicado, can you take a quick look at this?

Not much time this week, sorry; maybe over the next weeks or whenever I find some time in the next days, no guarantee.

2 reactions
Maros112358 commented, Jul 6, 2022

I have a feeling of déjà vu, you should take a look at my thread here: #3059

Let me know if you found something helpful.

Thank you for the info. I think I found the cause.

Looks like the web UI shows “logged in” status when values token and username are present in the local storage of the browser (https://developer.mozilla.org/en-US/docs/Web/API/Window/localStorage), which has no expiration time and is cleaned only by logging out.

Following the login, the token expires after 1 hour (https://verdaccio.org/docs/configuration/#security), but it is still present in the local storage until the user logs out.

Since the token in my case was only 349 bytes long, which is well below 4096 bytes (http://browsercookielimits.iain.guru/), I think that using a cookie with an expiration time of 1 hour (or the value from the config) would be a better solution for this case.
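
The stale-login state described in the comment above, handled on the client as an added example (not part of the original comment and not Verdaccio's code). It assumes the stored web token is a JWT carrying a standard `exp` claim; the function names, the in-memory storage stub and the sample token are hypothetical and constructed for the demonstration, and only the `token`, `username` and `darkMode` key names come from the issue.

```javascript
// Added example. The signature is NOT verified here: the server stays the
// authority on access; this only keeps the UI from showing a stale login.
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return typeof Buffer !== 'undefined'
    ? Buffer.from(padded, 'base64').toString('utf8')
    : atob(padded);
}

// Expiry in milliseconds, or null when the token is malformed or has no exp.
function tokenExpiryMs(token) {
  if (typeof token !== 'string') return null;
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try {
    const payload = JSON.parse(base64UrlDecode(parts[1]));
    return typeof payload.exp === 'number' ? payload.exp * 1000 : null;
  } catch (err) {
    return null;
  }
}

// Fail closed: anything not provably unexpired is treated as logged out, and
// the login keys are cleared so the UI can offer the login dialog directly.
function pruneStaleLogin(storage, nowMs = Date.now()) {
  const expiry = tokenExpiryMs(storage.getItem('token'));
  if (expiry !== null && expiry > nowMs) return true;
  storage.removeItem('token');
  storage.removeItem('username');
  return false; // unrelated preferences such as darkMode are left alone
}

// Constructed sample input: a JWT-shaped token with a placeholder signature.
function makeSampleToken(expSeconds) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc({ name: 'joerg.rech', exp: expSeconds })}.sig`;
}

// Stand-in for window.localStorage so the example runs outside a browser.
function memoryStorage(initial) {
  const items = new Map(Object.entries(initial));
  return {
    getItem: (key) => (items.has(key) ? items.get(key) : null),
    removeItem: (key) => { items.delete(key); },
  };
}
```

In a browser, `pruneStaleLogin(window.localStorage)` would run on page load, before the user dropdown is rendered.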
