logto-io / logto

šŸ§‘ā€šŸš€ The better identity infrastructure for developers and the open-source alternative to Auth0.
https://logto.io
Mozilla Public License 2.0
8.69k stars 440 forks

bug: Infinite loop login #6359

Closed msmarks closed 3 months ago

msmarks commented 3 months ago

Describe the bug

If a user has logged in before but has not accessed for a long time, then the next time they visit, they will enter some loops that cannot be exited.

Maybe related to https://github.com/logto-io/js/issues/732

How to reproduce?

Environment: client @logto/browser ^2.2.16; server Docker image svhd/logto:1.17.0

I personally find it difficult to reproduce this issue, but based on the reports from my users, they had all logged in before but had not visited my website for a long time. From the logs, they all show the following loop.

The loop is:

  1. Call await logtoClient.isAuthenticated(); it returns true.
  2. Then call await logtoClient.getAccessToken(some resource); it throws an error whose error.message is "Load failed".
  3. Then we call await logtoClient.signIn(some callbackURL); it redirects without showing any input box and immediately redirects back with a code param.
  4. Then we call await logtoClient.handleSignInCallback(window.location.href) and it succeeds.
  5. Go to step 1.

I have tried adjusting the system date and other methods myself, but I am unable to reproduce this issue. I will continue to follow up.

Or is there any way to break out of this loop?

charIeszhao commented 3 months ago

Can you post the entire audit log record from when await logtoClient.getAccessToken(some resource) failed?

msmarks commented 3 months ago

At present, I am unable to obtain the call stack, mainly because the users who reported the error are remote mobile users. I will continue to try to reproduce it.

The error 'Load failed' should come from the fetch API in JavaScript. Considering the call to getAccessToken, if I understand correctly, it will try to apply for a new token through the getAccessTokenByRefreshToken function when the local access token expires, which includes the fetch call. If I guess correctly, this error should come from the call to the fetch function.

I will continue to try to contact technically capable users to provide more detailed information.

msmarks commented 3 months ago

I'm sorry, after investigating I found it is my fault. In order to remove the code from the URL, I called location.replace between steps 4 and 5, which resulted in the cancellation of the fetch in step 2. Thanks for the support.
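The loop from the first comment and the cause given in the last one, as an added example that is not code from Logto or from the issue author. It models the sequence offline in Node: a fake page, a fake client that only borrows the four @logto/browser method names from the reproduction steps, and a fake refresh request standing in for the fetch. The URLs (app.example, api.example), the token strings and the abort-on-navigation model are assumptions made for the example; the only real-world fact it relies on is that WebKit surfaces a fetch that did not complete, including one cancelled by a navigation, as TypeError: Load failed.

```javascript
// Added example, not code from Logto or from the issue author. Everything
// below is a fake: the page, the client and the network. Only the four
// method names (isAuthenticated, getAccessToken, signIn, handleSignInCallback)
// come from the reproduction steps. URLs and token strings are made up.

// Fake network: a refresh-token request that completes later unless aborted.
// WebKit reports a fetch cancelled by a navigation as `TypeError: Load failed`.
function fakeRefreshRequest(signal) {
  return new Promise((resolve, reject) => {
    const fail = () => reject(new TypeError('Load failed'));
    if (signal.aborted) return fail();
    const timer = setTimeout(() => resolve('access-token-new'), 5);
    signal.addEventListener('abort', () => { clearTimeout(timer); fail(); });
  });
}

// Fake page. location.replace() starts a real navigation, so a request still
// in flight when it commits is cancelled; history.replaceState() only rewrites
// the address bar and cancels nothing. (Assumed model of browser behaviour.)
function makePage() {
  return {
    href: 'https://app.example/callback?code=abc', // just returned from Logto
    navigating: false,
    track(controller) {
      // A request started while a navigation is pending dies when it commits.
      if (this.navigating) setTimeout(() => controller.abort(), 0);
    },
    locationReplace(url) { this.href = url; this.navigating = true; },
    historyReplaceState(url) { this.href = url; },
    // signIn() redirecting away and straight back ends in a fresh page load.
    redirect(url) { this.href = url; this.navigating = false; },
  };
}

// Fake client with the four calls from the reproduction steps.
function makeClient(page) {
  let hasSession = true;         // logged in before: refresh token still valid
  let accessTokenExpired = true; // away for a long time: access token stale
  return {
    async isAuthenticated() { return hasSession; },
    async getAccessToken(resource) {
      if (!accessTokenExpired) return 'access-token-cached';
      const controller = new AbortController();
      page.track(controller);
      const token = await fakeRefreshRequest(controller.signal); // 'Load failed' if aborted
      accessTokenExpired = false;
      return token;
    },
    // Session still valid on the server: no prompt, straight back with a code.
    async signIn(callbackUrl) { page.redirect(callbackUrl + '?code=abc'); },
    async handleSignInCallback(url) { hasSession = true; accessTokenExpired = true; },
  };
}

// Steps 4, 1, 2, 3 from the issue, starting on the callback page. `stripCode`
// is the app's own cleanup of ?code=... from the URL between steps 4 and 1.
async function runFlow(page, client, stripCode, maxIterations = 5) {
  const errors = [];
  for (let i = 1; i <= maxIterations; i++) {
    await client.handleSignInCallback(page.href);                   // step 4
    stripCode(page, page.href.split('?')[0]);                       // app cleanup
    if (!(await client.isAuthenticated())) return { iterations: i, errors, token: null }; // step 1
    try {
      const token = await client.getAccessToken('https://api.example'); // step 2
      return { iterations: i, errors, token };
    } catch (error) {
      errors.push(error.message);
    }
    await client.signIn('https://app.example/callback');            // step 3
  }
  return { iterations: maxIterations, errors, token: null };
}

// Runs the flow once with location.replace (the bug) and once with
// history.replaceState (a fix that does not navigate).
async function runDemo() {
  const buggyPage = makePage();
  const buggy = await runFlow(buggyPage, makeClient(buggyPage), (p, url) => p.locationReplace(url));
  const fixedPage = makePage();
  const fixed = await runFlow(fixedPage, makeClient(fixedPage), (p, url) => p.historyReplaceState(url));
  return { buggy, fixed };
}

runDemo().then((result) => console.log(JSON.stringify(result, null, 2)));
```

With location.replace the refresh request is cancelled on every pass and the loop only stops at the iteration cap; with history.replaceState the address bar is cleaned without a navigation and the first getAccessToken call succeeds. The other safe ordering is to keep location.replace but only call it after the token request has settled, so nothing is in flight when the navigation commits.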

charIeszhao commented 3 months ago

Thanks for the detailed update.