Open sgal opened 1 year ago
It's probably as simple as handling sqlcon.ErrNotFound
in https://github.com/ory/hydra/blob/872720b3c0d92341a78791004ded44ac8d4ff7c8/consent/strategy_default.go#L292 and return a nil error for that case:
```go
err := s.r.ConsentManager().DeleteLoginSession(r.Context(), sid)
// a session that is already gone is not a failure for a revoke
if errors.Is(err, sqlcon.ErrNoRows) {
	return nil
}
return err
```
Maybe add one e2e test for it to prevent future regressions?
@aeneasr I'm not sure that will be enough. If we handle the Not found error in that line, it would still fail here https://github.com/ory/hydra/blob/872720b3c0d92341a78791004ded44ac8d4ff7c8/consent/strategy_default.go#L353.
And that entire block is quite wrong, because the cookie session was invalidated and therefore should not be used.
I found the issue it seems.
It starts in the correct place here https://github.com/ory/hydra/blob/master/consent/strategy_default.go#L420-L426 since `skip: false` and `remember: false`.
Then it goes into https://github.com/ory/hydra/blob/master/consent/strategy_default.go#L283 where it invalidates the cookie by setting its max-age to `-1`. The problem here is that the cookie belongs to the old session that was already deleted by a headless logout.
The `sid` of the already invalidated session is returned back to `revokeAuthenticationSession`, where we try to delete it via this https://github.com/ory/hydra/blob/master/consent/strategy_default.go#L292. And it fails with Not Found since the session is already deleted.
Not sure how to best handle this, what are your thoughts @aeneasr @hperl?
Head-on approach would be to ignore Not Found errors in https://github.com/ory/hydra/blob/master/consent/strategy_default.go#L292, but that feels like a hack to me.
IMHO this should be OK - the session is deleted, so the Not Found is acceptable. Would you be able to send a PR? Thanks a lot!
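The handling discussed above, a revoke that treats a not-found result from `DeleteLoginSession` as success, as an added Go example that is not part of this issue or of Hydra's code base. `errNoRows`, `sessionStore`, `revokeLoginSession` and the session ids are constructed stand-ins for `sqlcon.ErrNoRows` and the consent manager; the store wraps the sentinel with context so that only `errors.Is`, not a plain `==` comparison, recognises it, and an unrelated database error still propagates to the caller.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// errNoRows is a constructed stand-in for the sqlcon.ErrNoRows sentinel the
// real store returns when the session row is already gone.
var errNoRows = errors.New("sql: no rows in result set")

// sessionStore is a constructed in-memory stand-in for the consent manager.
type sessionStore struct {
	mu       sync.Mutex
	sessions map[string]struct{}
	failNext error // when set, the next delete returns this error (test hook)
}

func newSessionStore(sids ...string) *sessionStore {
	s := &sessionStore{sessions: make(map[string]struct{})}
	for _, sid := range sids {
		s.sessions[sid] = struct{}{}
	}
	return s
}

// Has reports whether a login session is still stored.
func (s *sessionStore) Has(sid string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	_, ok := s.sessions[sid]
	return ok
}

// DeleteLoginSession wraps the sentinel with context, as database layers
// commonly do, so only errors.Is (not ==) recognises the not-found case.
func (s *sessionStore) DeleteLoginSession(sid string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.failNext != nil {
		err := s.failNext
		s.failNext = nil
		return err
	}
	if _, ok := s.sessions[sid]; !ok {
		return fmt.Errorf("delete login session %q: %w", sid, errNoRows)
	}
	delete(s.sessions, sid)
	return nil
}

// revokeLoginSession is the idempotent revoke proposed in the thread: a
// session that no longer exists counts as revoked, while every other failure
// (connection loss, constraint violations) still surfaces to the caller.
func revokeLoginSession(store *sessionStore, sid string) error {
	err := store.DeleteLoginSession(sid)
	if errors.Is(err, errNoRows) {
		return nil
	}
	return err
}

func main() {
	store := newSessionStore("sid-1")
	fmt.Println("first revoke:", revokeLoginSession(store, "sid-1"))  // <nil>, row deleted
	fmt.Println("second revoke:", revokeLoginSession(store, "sid-1")) // <nil>, already gone
	store.failNext = errors.New("connection reset by peer")
	fmt.Println("db failure:", revokeLoginSession(store, "sid-1")) // error propagates
}
```

The second revoke of `sid-1` is the situation in the bug report: the session was already removed by the headless `revokeOAuth2LoginSessions` call, so the stale cookie's `sid` resolves to nothing. As noted earlier in the thread, this only covers the delete; the later read of the invalidated cookie still needs to stop treating its value as a live session.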
Preflight checklist
Describe the bug
The login session cookie that belongs to the login session that was invalidated through `revokeOAuth2LoginSessions` breaks the next login attempt for the user with `remember: false`. It looks like for `remember: false` login sessions, the login session cookie is still read and, in case of the invalid value, a 404 error is thrown, discarding the current login attempt.
Reproducing the bug
1. `remember: true` for both login and consent requests
2. `revokeOAuth2LoginSessions` by either `subject` or `sid`
3. `ory_hydra_session` cookie is still present (it is not invalidated in the `revokeOAuth2LoginSessions` call)
4. `remember: false` in the login request
5. `Not found` error
If you manually delete the `ory_hydra_session` cookie before step 4, the problem disappears.
Relevant log output
This is the error log from Hydra. It looks like it tries to delete the login session (because it is not valid), but fails because it is already deleted. This happens during the `/oauth2/auth?consent_verifier=...` request.
More readable stack trace
Relevant configuration
No response
Version
2.1.1
On which operating system are you observing this issue?
Linux
In which environment are you deploying?
Docker
Additional Context
No response