janeczku / calibre-web

:books: Web app for browsing, reading and downloading eBooks stored in a Calibre database
GNU General Public License v3.0

In Firefox, Github OAuth login goes into infinite redirect loops #3153

Open mendhak opened 1 day ago

mendhak commented 1 day ago

Describe the bug/problem

Hi, wanted to know if anyone is seeing an infinite redirect loop during OAuth login with Github? From what I can tell this is specific to Firefox (tried Ubuntu, Android). Github OAuth login works fine in Edge when I tested.

I'll click the Github icon, it redirects to Github, which passes back to my Calibre Web, which goes back to Github, and back and forth repeatedly, until Github blocks my IP.

My Calibre Web is hosted on an https domain, let's say "https://calibre.example.com". I can see the state generated by Calibre Web, passed to Github, Github sees I'm logged in, and sends me back to Calibre Web with the state field, but the logs indicate it can't see any state (see below).

Troubleshooting:

I've added 'github.com' and 'calibre.example.com' to Firefox's Enhanced Tracking Protection Exceptions. Under Cookies site and data, they are set to Allow under Cookies exceptions.

Tried removing and re-adding the Github client id/secret.

Logfile:

Even with debug log, this is the only message that appears:

[2024-09-18 18:12:38,290] INFO {flask_dance.consumer.oauth2:275} state not found, redirecting user to login
[2024-09-18 18:12:56,083] INFO {flask_dance.consumer.oauth2:275} state not found, redirecting user to login
[2024-09-18 18:12:56,850] INFO {flask_dance.consumer.oauth2:275} state not found, redirecting user to login
[2024-09-18 18:12:57,694] INFO {flask_dance.consumer.oauth2:275} state not found, redirecting user to login
[2024-09-18 18:12:58,537] INFO {flask_dance.consumer.oauth2:275} state not found, redirecting user to login
[2024-09-18 18:14:43,180] INFO {flask_dance.consumer.oauth2:275} state not found, redirecting user to login
[2024-09-18 18:14:44,133] INFO {flask_dance.consumer.oauth2:275} state not found, redirecting user to login
[2024-09-18 18:14:45,044] INFO {flask_dance.consumer.oauth2:275} state not found, redirecting user to login
[2024-09-18 18:14:45,933] INFO {flask_dance.consumer.oauth2:275} state not found, redirecting user to login
[2024-09-18 18:14:46,835] INFO {flask_dance.consumer.oauth2:275} state not found, redirecting user to login
[2024-09-18 18:14:47,798] INFO {flask_dance.consumer.oauth2:275} state not found, redirecting user to login
[2024-09-18 18:14:51,253] INFO {flask_dance.consumer.oauth2:275} state not found, redirecting user to login
[2024-09-18 18:14:52,191] INFO {flask_dance.consumer.oauth2:275} state not found, redirecting user to login
[2024-09-18 18:14:53,001] INFO {flask_dance.consumer.oauth2:275} state not found, redirecting user to login
[2024-09-18 18:14:53,841] INFO {flask_dance.consumer.oauth2:275} state not found, redirecting user to login

If I let it keep going eventually Github blocks my IP and shows this message about exceeding their rate limit.

[screenshot: Github rate-limit message]

Network traffic:

[screenshot: browser network traffic during the redirect loop]

Environment:

mendhak commented 1 day ago

As a test I changed in cps/__init__.py:

SESSION_COOKIE_SAMESITE='Strict'

to

SESSION_COOKIE_SAMESITE='Lax'

and restarted, and it started working, so I guess it must be related to this commit somehow?
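The redirect loop above and the effect of the `SESSION_COOKIE_SAMESITE` change can be reproduced without a browser. The following is an added example, not code from calibre-web or flask-dance: it models the SameSite cookie rules of RFC 6265bis (Strict cookies never accompany a cross-site request; Lax cookies accompany only top-level GET/HEAD navigations; None always) and runs a toy OAuth state check against them. The hostnames, the `OAuthApp` class, `cookie_is_sent`, `simulate_login` and the two-label `registrable_domain` helper are assumptions made for the example; the "state not found" outcome string mirrors the flask-dance log line quoted in the issue.

```python
from dataclasses import dataclass
from typing import Optional
import secrets


@dataclass
class Cookie:
    name: str
    value: str
    samesite: str  # "Strict", "Lax" or "None"


@dataclass
class Request:
    url_host: str                   # host the request is sent to
    initiator_host: Optional[str]   # site that triggered it; None = typed by the user
    method: str = "GET"
    top_level: bool = True          # top-level navigation vs. subresource/XHR


def registrable_domain(host: str) -> str:
    """Simplified eTLD+1: last two labels (no public-suffix list, example only)."""
    return ".".join(host.split(".")[-2:])


def cookie_is_sent(cookie: Cookie, req: Request) -> bool:
    """Browser-side decision modelled on the SameSite rules of RFC 6265bis."""
    same_site = (req.initiator_host is None or
                 registrable_domain(req.initiator_host) == registrable_domain(req.url_host))
    if same_site:
        return True                       # SameSite only restricts cross-site requests
    if cookie.samesite == "None":
        return True                       # (would also require the Secure attribute)
    if cookie.samesite == "Lax":
        # cross-site, but a top-level navigation with a safe method is allowed
        return req.top_level and req.method in ("GET", "HEAD")
    return False                          # Strict: never sent cross-site


class OAuthApp:
    """Toy stand-in for the server side of the OAuth authorization-code flow."""

    def __init__(self, host: str, samesite: str) -> None:
        self.host = host
        self.samesite = samesite
        self.session_cookie: Optional[Cookie] = None  # what Set-Cookie stored in the browser

    def login(self) -> str:
        # Step 1: mint a random state, keep it in the session cookie, redirect to the provider
        state = secrets.token_urlsafe(16)
        self.session_cookie = Cookie("session", state, self.samesite)
        return state  # travels to github.com as ?state=...

    def callback(self, state_from_provider: str, req: Request) -> str:
        # Step 2: the provider sends the browser back; the stored state is only
        # visible if the browser attached the session cookie to this request
        if self.session_cookie is None or not cookie_is_sent(self.session_cookie, req):
            return "state not found, redirecting user to login"
        if not secrets.compare_digest(self.session_cookie.value, state_from_provider):
            return "state mismatch"
        return "logged in"


def simulate_login(samesite: str, max_rounds: int = 5) -> list:
    """Run the login round-trip until it succeeds or max_rounds redirects have happened."""
    app = OAuthApp("calibre.example.com", samesite)
    outcomes = []
    for _ in range(max_rounds):
        state = app.login()
        # github.com redirects the browser to the callback: cross-site, top-level GET
        back = Request(url_host=app.host, initiator_host="github.com",
                       method="GET", top_level=True)
        outcome = app.callback(state, back)
        outcomes.append(outcome)
        if outcome == "logged in":
            break
    return outcomes


if __name__ == "__main__":
    for mode in ("Strict", "Lax"):
        print(mode, "->", simulate_login(mode))
```

With `Strict` every callback arrives without the session cookie, so the server cannot find the state it stored, redirects to the provider again and the loop continues until something external (here `max_rounds`, in the issue Github's rate limit) stops it. With `Lax` the top-level GET back from the provider carries the cookie and the state check passes, while the cookie is still withheld from cross-site POSTs and subresource requests, so the CSRF protection the attribute is there for is retained.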