512f23f Drop the ssh key from the information stored in the cookie

Authored and Committed by pingou 2 months ago
    Drop the ssh key from the information stored in the cookie

    Some ssh keys can be very long or some users can have multiple ssh keys,
    either can result in a significant amount of data stored in the cookie
    and in some cases too much information. If it goes above the limit for
    cookie size, the browser will not store the cookie leading to pagure
    considering the user is not authenticated.

    This then becomes really confusing. The user goes to a page that
    requires authentication, they are redirected to the authentication
    server, there they log in, they're sent back to pagure that sets up the
    user, they are then redirected to the page they were trying to access in
    the first place, but since the cookie didn't stick, pagure considers
    them not authenticated and sends them back to the authentication server
    and we're entering a loop of redirects between pagure and the
    authentication server, neither of which is producing an
    error/stacktrace that would give some clues to the admins.

    However, it turns out that pagure only uses the ssh key information to
    set up the user on the pagure side right after authentication. So there
    is absolutely no need to keep that information in memory or in the
    cookie. We can thus, safely, drop that information from the cookie
    which in turn breaks the issue described above.

    Signed-off-by: Pierre-Yves Chibon <pingou@pingoured.fr>
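The failure mode described in the commit message can be reproduced with a size check on a client-side session cookie; this is an added example, not code from this commit or from pagure. It assumes a generic signed-cookie format (base64 JSON plus an HMAC), a hypothetical `ssh_key` field name, constructed user data, and a 4096-byte cap, the per-cookie size RFC 6265 asks browsers to support.

```python
import base64
import hashlib
import hmac
import json

COOKIE_LIMIT = 4096                  # assumed per-cookie cap (name + value), in bytes
SECRET = b"constructed-demo-secret"  # constructed signing key for the example


def encode_session(data: dict, name: str = "session") -> str:
    """Serialize like a signed client-side session: base64(JSON) + '.' + HMAC."""
    raw = json.dumps(data, separators=(",", ":")).encode()
    payload = base64.urlsafe_b64encode(raw).rstrip(b"=")
    digest = hmac.new(SECRET, payload, hashlib.sha256).digest()
    sig = base64.urlsafe_b64encode(digest).rstrip(b"=")
    return f"{name}={payload.decode()}.{sig.decode()}"


def fits_in_cookie(data: dict) -> bool:
    """True if a browser applying COOKIE_LIMIT would store this cookie."""
    return len(encode_session(data)) <= COOKIE_LIMIT


def strip_after_setup(user: dict, drop=("ssh_key",)) -> dict:
    """Drop fields that are only needed once, right after authentication."""
    return {k: v for k, v in user.items() if k not in drop}


def make_user(n_keys: int) -> dict:
    """Constructed user record; each fake key is about as long as an RSA-4096 public key line."""
    key = "ssh-rsa " + "A" * 716 + " user@host"
    return {
        "username": "alice",
        "email": "alice@example.org",
        "groups": ["packager"],
        "ssh_key": "\n".join([key] * n_keys),  # hypothetical field name
    }


if __name__ == "__main__":
    for n in (1, 6):
        user = make_user(n)
        print(n, "keys:", len(encode_session(user)), "bytes,",
              "stored" if fits_in_cookie(user) else "silently dropped by the browser")
    slim = strip_after_setup(make_user(6))
    print("after stripping:", len(encode_session(slim)), "bytes")
```

Logging a warning on the server whenever the encoded session exceeds the cap gives admins the error signal that the redirect loop itself never produces.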
  • jenkins
    Build #4185 in progress (commit: 512f23f5)
    2 months ago
  • jenkins
    Build #4185 failed (commit: 512f23f5)
    2 months ago
file modified
+5 -0