Forbidden error, Jobs fail to start

[mihow]

There seems to be a auth issue for the endpoint Forbidden: /api/v2/jobs/[ID]/run/

Clicking the Start button shows the ... status dots for one second, then does nothing. No error is displayed.

I think there is a general issue with the CSRF token or the session cookie.

[mihow]

@annavik I was able to recreate the issue! It seems like the "sessionid" cookie does not get cleared when a user is detected as being logged out. Here is a screencast of it happening: Screencast from 07-08-2024 02:48:53 PM.webm

You can't see my mouse here, but I delete the "sessionid" cookie and then am able to login.

[annavik]

Hmm, this is very strange! I still have some problems reproducing this. The cookies you have are not present for me to begin with. I wonder if this could be related to admin login messing things up? I mean being logged in on https://api.beluga.insectai.org/admin/? Have you been logged in on this service on localhost?

Here is a short summary of the current FE logic for auth:

• On login, we make a post request to auth/token/login. We get a long lived token in response, which we will keep in local storage.
• On logout we first make a post request to BE auth/token/logout. Then we clear the auth token from local storage, nothing more. FE is not forcing any cookies to be cleared.
• There are only 2 situations where we will logout the user. First one is when user clicks logout. Second one is if a request to the endpoint /me ends up with a 403 response. We call this endpoint every 10 second when the app is active.

Happy to tweak this logic if needed, just want to understand what is going on first :)