Web user still "kind of" logged in after session expires
Your Environment
- verdaccio version: v5.10.0
- node version: v16.15.0
- package manager: npm 8.5.5 (but bug is in website)
- os: verdaccio runs on linux, user runs chrome version 101 on MacOS
- platform: Website
NOTE: the Local Storage in Chrome still contains username, darkMode, and token.
Describe the bug
After the web session expires for a logged-in user (after ~60 minutes) the user is still shown in the user dropdown but has no access to packages (we use access: $authenticated). In order to view the packages again the user has to log out and then log in again.
To Reproduce
- Start verdaccio with the access: $authenticated configuration
- Log into the web server as a valid user
- wait until session expires (~60 minutes)
- reload the page
- No packages are shown (correct)
- The user is still shown (e.g., “Hi joerg.rech”) (intended?)
- To log in, the user has to log out and then log in again (inconvenient)
Expected behavior
I expected that the user can directly log-in without having to log-out first. Either by showing a menuitem to log-in in the user dropdown (e.g., where the log-out menuitem is) or by directly showing the log-in modal dialog.
Screenshots, server logs, package manager log
N/A
Configuration File (cat ~/.config/verdaccio/config.yaml)
I don’t think this will help - but I can provide it if you need it
Environment information
Verdaccio is running on an AWS EC2 t2.micro instance using pm2 verdaccio behind a load balancer using a certificate to support HTTPS.
Environment Info:
(node:25430) [LRU_CACHE_OPTION_maxAge] DeprecationWarning: The maxAge option is deprecated. Please use options.ttl instead.
(Use `node --trace-deprecation ...` to show where the warning was created)
System:
OS: Linux 5.10 Amazon Linux 2
CPU: (1) x64 Intel(R) Xeon(R) CPU E5-2676 v3 @ 2.40GHz
Binaries:
npm: 8.5.5 - ~/.nvm/versions/node/v16.15.0/bin/npm
npmGlobalPackages:
verdaccio: 5.10.0
Debugging output
N/A for web?
Top GitHub Comments
Not much time this week, sorry; maybe over the next weeks or whenever I find some time in the next days, no guarantee.
Thank you for the info. I think I found the cause.
Looks like the web UI shows “logged in” status when the values token and username are present in the local storage of the browser (https://developer.mozilla.org/en-US/docs/Web/API/Window/localStorage), which has no expiration time and is cleaned only by logging out. Following the login, the token expires after 1 hour (https://verdaccio.org/docs/configuration/#security), but it is still present in the local storage until the user logs out. Since the token in my case was only 349 bytes long, which is well below 4096 bytes (http://browsercookielimits.iain.guru/), I think that using a cookie with an expiration time of 1 hour (or the value from config) would be a better solution for this case.
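An added example (not verdaccio's own code) of the client-side check the comment above points at: before treating cached credentials as a live session, the web UI can read the token's exp claim and drop the stale localStorage entries once it has passed, so the user is offered the login dialog instead of a "Hi <user>" state with no package access. Assumed: the cached token is a JWT with a numeric exp claim, stored under the keys token and username named in the issue; the demo token builder and in-memory storage are constructed stand-ins so the code runs under Node without a browser.

```javascript
// Added example, not verdaccio's code. Assumes the cached token is a JWT whose
// payload carries a numeric `exp` claim (seconds since the epoch), stored under
// localStorage keys `token` / `username`. The signature is deliberately NOT
// checked here: the server still verifies every request; this only keeps the
// UI from presenting an expired token as a logged-in session.

function decodeJwtPayload(token) {
  const parts = typeof token === 'string' ? token.split('.') : [];
  if (parts.length !== 3) return null;
  try {
    return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  } catch {
    return null; // not base64url / not JSON: treat as no usable token
  }
}

// True only when the token parses and `exp` is still in the future; the skew
// allowance makes the UI expire slightly early rather than slightly late.
function isTokenValid(token, nowSeconds = Math.floor(Date.now() / 1000), skewSeconds = 30) {
  const payload = decodeJwtPayload(token);
  if (!payload || typeof payload.exp !== 'number') return false;
  return payload.exp - skewSeconds > nowSeconds;
}

// Derives the UI session state from a localStorage-like object. Expired or
// malformed credentials are removed so the next render shows the login dialog.
function resolveSession(storage, nowSeconds) {
  const token = storage.getItem('token');
  const username = storage.getItem('username');
  if (token && username && isTokenValid(token, nowSeconds)) {
    return { loggedIn: true, username };
  }
  storage.removeItem('token');
  storage.removeItem('username'); // darkMode is a preference; leave it alone
  return { loggedIn: false, username: null };
}

// Constructed helpers for running outside a browser: an unsigned demo token
// (placeholder signature segment) and an in-memory stand-in for localStorage.
function makeDemoToken(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(payload)}.placeholder-signature`;
}

function makeStorage(entries) {
  const map = new Map(Object.entries(entries));
  return { getItem: (k) => (map.has(k) ? map.get(k) : null), removeItem: (k) => map.delete(k) };
}
```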