Reset multi_auth cookies on error #1957
Draft
+127
−42
Description
fix #1821 based on #1956
I found out that we have a race condition on logout that exists without any account switching code: if a request starts before we receive the signout response (that deletes `next-auth.session-token`) and finishes after it, we're logged back in because it includes `next-auth.session-token` in the request headers and therefore also in the response headers thanks to the implicit refresh on all requests.

However, I have also seen in the timings of the network tab that it's possible that a request still includes the cookie after it was deleted AND after we reloaded the page. This is somehow related to slow requests since this is reliably reproducible if we poll for `me` every second but sleep for 5 seconds on the server before replying.

Since I wasn't able to prevent this from happening and I am not 100% sure that this is what causes #1821 or other issues with account switching that appear non-deterministic, I decided to show an error in the account switch dialog when we noticed that something is off with the cookies on the server.
TODO
`multi_auth` are missing
Screenshots
Checklist
Are your changes backwards compatible? Please answer below:
yes
On a scale of 1-10 how well and how have you QA'd this change and any features it might affect? Please answer below:
tbd
For frontend changes: Tested on mobile, light and dark mode? Please answer below:
yes, tested mobile, light and dark mode
Did you introduce any new environment variables? If so, call them out explicitly here:
yes
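The logout race from the description, replayed deterministically as an added example (not code from this pull request or the project). The `revoked` set and the names `makeServer`, `applySetCookie` and `replayLogoutRace` are assumptions made for illustration; the PR itself surfaces an error in the account switch dialog rather than tracking revoked tokens.

```javascript
// Added illustration of the logout race; all names here are hypothetical.
const COOKIE = 'next-auth.session-token'

// Server with an implicit refresh: every response re-sets the session cookie
// it received. With `checkRevoked`, a signed-out token is cleared instead.
function makeServer ({ checkRevoked }) {
  const revoked = new Set() // assumption: server remembers signed-out tokens
  return {
    signout (reqCookies) {
      revoked.add(reqCookies[COOKIE])
      return { [COOKIE]: null } // null models a Set-Cookie that deletes
    },
    // The decision is made when the response is written, i.e. after any
    // server-side delay such as the 5 second sleep used to reproduce the bug.
    poll (reqCookies) {
      const token = reqCookies[COOKIE]
      if (!token) return {}
      if (checkRevoked && revoked.has(token)) return { [COOKIE]: null }
      return { [COOKIE]: token } // implicit refresh of whatever was sent
    }
  }
}

// Browser side: request headers are a snapshot of the jar at send time;
// Set-Cookie is applied whenever the response arrives.
function applySetCookie (jar, setCookie) {
  for (const [name, value] of Object.entries(setCookie)) {
    if (value === null) delete jar[name]
    else jar[name] = value
  }
}

function replayLogoutRace ({ checkRevoked }) {
  const server = makeServer({ checkRevoked })
  const jar = { [COOKIE]: 'constructed-token-1' } // constructed sample value
  const slowPollHeaders = { ...jar } // 1. slow poll is sent while logged in
  applySetCookie(jar, server.signout({ ...jar })) // 2. signout deletes cookie
  const loggedOutAfterSignout = !(COOKIE in jar)
  applySetCookie(jar, server.poll(slowPollHeaders)) // 3. slow poll finishes
  return { loggedOutAfterSignout, loggedInAtEnd: COOKIE in jar }
}

console.log('implicit refresh only:', replayLogoutRace({ checkRevoked: false }))
console.log('with revocation check:', replayLogoutRace({ checkRevoked: true }))
```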