jvogtuw / shibboleth

Shibboleth authentication module for Drupal 9+

Uncaught PHP Logic Exception on login: leaked metadata was detected #9

Closed druliner closed 11 months ago

druliner commented 11 months ago

"The controller result claims to be providing relevant cache metadata, but leaked metadata was detected. Please ensure you are not rendering content too early. Returned object class: Drupal\Core\Routing\TrustedRedirectResponse." at /data/www/d10core/core/lib/Drupal/Core/EventSubscriber/EarlyRenderingControllerWrapperSubscriber.php line 154', referer: https://idp.u.washington.edu/

The error occurs when the user does not yet have a shib session, so it can be mitigated by including a session request in .htaccess:

    AuthType Shibboleth
    ShibRequestSetting requireSession 0
    ShibRequestSetting redirectToSSL 443
    Require shibboleth

Just a guess, but I suspect the "return new TrustedRedirectResponse" in src/Controller/LoginController.php needs to be handled in a render context:

https://www.drupal.org/forum/support/module-development-and-code-questions/2022-07-20/the-controller-result-claims-to-be-providing-relevant-cache-metadata-but-leaked-metadata-was#comment-14657883

https://www.drupal.org/node/2513810

jvogtuw commented 11 months ago

Thanks for all the research. The following worked for me but, like the person who suggested using ->getGeneratedUrl(), I don't know why it works. Replace LoginController.php line 122 with this:

    return new TrustedRedirectResponse($this->shibbolethAuthManager->getLoginUrl()->toString()->getGeneratedUrl());

I ran into another error in the login() function with RedirectResponse() after fixing this one, so be on the lookout for that commit as well.

jvogtuw commented 11 months ago

Ugh, now I'm getting a new error: Error: Call to a member function getGeneratedUrl() on string in Drupal\shibboleth\Controller\LoginController->login().

Somehow that wasn't happening in testing with incognito sessions yesterday.

jvogtuw commented 11 months ago

Oh, it may have to do with the Drupal session being active but the Shibboleth session having expired.