Closed animedbz16 closed 2 months ago
@richard-julien : What do you think about this ?
We need to try to reproduce. Logout should of course return something; something has been broken since.
I will also note that the reason why the request does not time out by default seems to be that the default value of APP__REQUEST_TIMEOUT is 20 minutes. This value is passed to the node httpServer.
Looking at node, they set a default of 2 minutes for this, which seems way more reasonable.
https://nodejs.org/api/https.html#serversettimeoutmsecs-callback
I'm not sure why OpenCTI would want to keep requests pending for up to 20 minutes in nature, but figured I would share this feedback as well.
Locally I'm missing a user in the session when asking for logout, I'll check.
Description
We have configured OpenCTI with OpenID Connect SSO provided by Microsoft ADFS, and we have noticed that after the default 20 minutes for a session to time out, the user is not logged out. We enabled the APP__SESSION_IDLE_TIMEOUT to ensure that a dialog is presented to the user, but it appears that if no intervention is made to extend the session, the frontend application will attempt to make a request to `/logout`.
This request gets routed to the following code:
https://github.com/OpenCTI-Platform/opencti/blob/f0ed94129c1dafb0040bed13b51ab98d2d9b5213/opencti-platform/opencti-graphql/src/http/httpPlatform.js#L316C7-L317C18
The `user` object is attempted to be accessed from the `req.session`; however, when you inspect the value of `user`, it is `undefined` because the session has already expired. If there is no user object, then none of the code is run and nothing is returned, thus nothing is ever returned to the front end, and so the frontend continues to show that the network request to `/logout` is pending. The dialog ultimately closes, the page is never routed away, and thus if a user was idle and came back to their computer, they would still see the OpenCTI user interface, then attempt to do something, and when making a request the backend would see there is no user or they are unauthenticated and then the UI would navigate to the login page. This can pose a problem if someone was updating various data, then clicked save / update only to realize that they are not logged in and they lose what they had typed.
We have also noticed this issue exists when we configure authentication with LDAP as well.
Environment
Reproducible Steps
Steps to create the smallest reproducible scenario:
`/logout`, but this request never receives a response
Expected Output
The user should be logged out and then navigated to the /login page
Actual Output
The user is not logged in and continues to be able to view the last page they were on.
Additional information
Screenshots (optional)
https://github.com/OpenCTI-Platform/opencti/assets/2822632/fdc98ffc-c163-4222-8f0c-ad89aa0f77bc