hypothesis / h

Annotate with anyone, anywhere.
https://hypothes.is/
BSD 2-Clause "Simplified" License

Poor behavior when users get logged out but still have pages open #8948

Open seanh opened 1 month ago

seanh commented 1 month ago

Related: https://github.com/hypothesis/h/issues/8949

Inactive h users get logged out after seven days when their auth ticket expires, whereas active h users get logged out every thirty days when their auth cookie expires.

If a user has a tab open when their ticket or cookie expires and they get logged out, and the user tries to continue using that tab, they'll run into a variety of unhelpful error messages depending on what they try to do (see below).

One way to reproduce this issue is to leave a tab open for at least seven days (or at least thirty days if you remain active in other tabs), then return to the old tab and try to continue using it.

But it's not necessary to leave a tab open for a long time to run into these issues: auth cookies expire every thirty days whether the user is active or not. If a user's auth cookie is 29 days, 23 hours, 59 minutes and 59 seconds old, and they open a page for more than a second and then try to click something on the page, they'll run into these issues.

Another way to run into this problem is to have multiple tabs open, log out in one tab, and then try to continue using another open tab.

The error message that the user will run into depends on what they try to do. Here's some examples:

Editing their user profile:

(screenshot of the error message)

Clicking on a link to a page that they need to be logged in to see:

(screenshot of the error message)

Creating a group:

(screenshot of the error message)

seanh commented 1 month ago

I think we'd need multiple solutions to solve this. For example:

  1. When loading HTML pages that require authentication and the request is not authenticated, perhaps the backend should redirect the browser to the login page with a flash message saying "You've been logged out, please log in again"

  2. The same as (1) but for form submissions

  3. When JavaScript code makes an API request and gets a 404 response from the API, the frontend code should redirect the browser to the login page.

    This may also require better API responses from the backend when authentication is missing.

    This would probably need to be implemented multiple times as I think we have multiple places in h's JavaScript code that do API requests (e.g. the new Preact app that's currently used when creating and editing groups; and legacy JavaScript code that's still used by other pages such as when editing your user account settings or profile)

robertknight commented 1 month ago

> I think we'd need multiple solutions to solve this. For example:

I agree. We'll need more than one change to resolve this. From an end-user's perspective I think that either redirecting to a login page or flashing a warning that the user is logged out would be acceptable. In the case where there is unsaved data on the page it would be preferable if that was not lost.
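An added example, not code from the h repository, of how the frontend half of seanh's point (3) and robertknight's unsaved-data concern could fit together in one place: a small helper that decides whether an API response means the session is gone, stashes the in-progress form in sessionStorage, and sends the browser to the login page with a return target. The login path `/login`, its `next` query parameter, the `h.unsavedDraft` storage key and the `resourceKnownToExist` flag are all assumptions for the example. The security detail a reviewer would look for is that the `next` value is restricted to a same-origin path, so the "you've been logged out" redirect cannot be turned into an open redirect by a crafted link; the other caveat is that a 404, which the issue says the API currently returns when authentication is missing, is only treated as "logged out" when the caller knows the resource exists, since a plain 404 is otherwise ambiguous.

```javascript
// Added example; not h's own code. Assumed: a login page at /login that
// accepts a same-origin `next` path, and a sessionStorage key for drafts.
const LOGIN_PATH = "/login";
const DRAFT_KEY = "h.unsavedDraft";

// Only allow a same-origin, path-only return target. Rejects protocol-relative
// ("//evil.example"), absolute ("https://..."), backslash tricks and control
// characters, so `next` cannot become an open redirect.
function safeReturnPath(url) {
  if (typeof url !== "string") return "/";
  if (!url.startsWith("/") || url.startsWith("//") || url.startsWith("/\\")) return "/";
  if (/[\x00-\x1f\s]/.test(url)) return "/";
  return url;
}

function buildLoginUrl(currentPath, loginPath = LOGIN_PATH) {
  return `${loginPath}?next=${encodeURIComponent(safeReturnPath(currentPath))}`;
}

// 401 is the unambiguous "session gone" signal. The issue notes the API
// currently answers 404 when authentication is missing; only treat 404 that
// way when the caller asserts the resource cannot otherwise be missing.
function isLoggedOutResponse(status, { resourceKnownToExist = false } = {}) {
  if (status === 401) return true;
  if (status === 404 && resourceKnownToExist) return true;
  return false;
}

// Keep the user's unsaved form state across the login round trip.
function stashDraft(storage, formData) {
  storage.setItem(DRAFT_KEY, JSON.stringify({ savedAt: Date.now(), data: formData }));
}

function restoreDraft(storage) {
  const raw = storage.getItem(DRAFT_KEY);
  if (raw === null) return null;
  storage.removeItem(DRAFT_KEY); // one-shot: do not re-apply a stale draft later
  try {
    return JSON.parse(raw).data;
  } catch (e) {
    return null;
  }
}

// Given an API response, either let the caller proceed or redirect to login.
// `env` stands in for `window` so this also runs outside a browser.
function handleApiResponse(env, response, opts = {}) {
  if (!isLoggedOutResponse(response.status, opts)) {
    return { action: "proceed", status: response.status };
  }
  if (opts.formData) stashDraft(env.sessionStorage, opts.formData);
  const target = buildLoginUrl(env.location.pathname + env.location.search);
  env.location.assign(target);
  return { action: "redirect", target };
}

// Constructed in-memory stand-ins for sessionStorage and location, so the
// example is self-contained and runnable under Node.
function makeFakeEnv(pathname, search = "") {
  const store = new Map();
  return {
    sessionStorage: {
      getItem: (k) => (store.has(k) ? store.get(k) : null),
      setItem: (k, v) => store.set(k, String(v)),
      removeItem: (k) => store.delete(k),
    },
    location: {
      pathname,
      search,
      assigned: null,
      assign(url) { this.assigned = url; },
    },
  };
}

// Walk through the scenario from the issue: a group-creation form submitted
// after the cookie expired, then the draft recovered after logging back in.
function demo() {
  const env = makeFakeEnv("/groups/new", "?step=2");
  const result = handleApiResponse(env, { status: 401 }, { formData: { name: "My group" } });
  const recovered = restoreDraft(env.sessionStorage);
  return { result, recovered, assigned: env.location.assigned };
}
```

In a real page the browser-side wrapper around `fetch` would call `handleApiResponse` with `window` and the current form's values, and the login success page would call `restoreDraft` to repopulate the form. The backend side of the proposal (redirecting unauthenticated HTML requests and form posts to the login page with a flash message) is a separate change and is not shown here.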