
Redirect into app from auth flows when already logged in #10075

Closed
jryans opened this issue Jun 17, 2019 · 4 comments

Comments

@jryans
Collaborator

jryans commented Jun 17, 2019

If you're already logged in, then loading the auth flows should redirect back inside the app instead of making it appear that you are logged out.

We should verify that no one is depending on the current behaviour before making a change here.

@turt2live
Member

This is somewhat relied on for 3pid validation. When adding a 3pid or you happen to click on a validation link in your email, we direct people to the auth pages. We should already be very careful about trampling on sessions in those cases as of a recent release.

@lampholder
Member

@bob:matrix.org is logged into riot, but wants to test something with a fresh account. So he opens an incognito browser to register @test.234234:matrix.org (associated with [email protected]). Then he accidentally opens the email validation link in his main non-incognito browser window. What can we do and what do we want to do?

(I know there's a separate use case involving associating threepids with existing accounts outside of registration, but I'm going to exclude that for the time being).

The registration threepid validation needs to redirect to riot's /register, which then needs to poll the homeserver's /register in order to:

  • see if there are any more registration steps required for @test.234234:matrix.org
  • get the user to complete those steps if they're necessary, or issue the final 'complete registration' instruction to the homeserver otherwise

But @bob:matrix.org already has an active riot session in this browser. What to do? As far as I can tell we only have two stable options:

  1. log out @bob:matrix.org's active session and replace it with @test.234234:matrix.org
  2. refuse to complete @test.234234:matrix.org's registration (despite the fact that we will have successfully completed the association between @test.234234:matrix.org and [email protected]) and tell the user to log out first or open the verification link in a different browser

Of those, only option 2. is any good. I think that could work fine, as long as:

  • Riot's /register has enough information available to it to discern that the threepid verification wasn't destined for the active session, and
  • threepid verification is idempotent (so opening the verif link in another browser does the right thing)

Thoughts?
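One way to express option 2 as client-side decision logic, as an added illustration that is not riot-web's own code: the client refuses to complete a registration whose validation link was not destined for the active session, and treats a re-opened link as a no-op so validation stays idempotent. It assumes a hypothetical link format carrying `sid` and `user_id` query parameters and a hypothetical record of completed session ids; all names are assumptions.

```javascript
// Added example (not riot-web code): what a web client could do when an
// email-validation link is opened in a browser that already holds a session.
// Assumptions (hypothetical): the link carries "sid" and "user_id" query
// parameters, and the client remembers which sids it has already completed.

const Outcome = Object.freeze({
  CONTINUE_REGISTRATION: "continue_registration", // go on to poll /register
  REFUSE_LOGGED_IN: "refuse_logged_in",           // option 2: keep the active session
  ALREADY_DONE: "already_done",                   // link re-opened: idempotent no-op
});

// Pull the registering user and session id out of a validation URL.
function parseValidationLink(url) {
  const u = new URL(url);
  const sid = u.searchParams.get("sid");
  const userId = u.searchParams.get("user_id");
  if (!sid || !userId) throw new Error("malformed validation link");
  return { sid, userId };
}

// Decide without side effects; never log the active user out (option 1).
function decideValidationLink(link, activeSession, completedSids) {
  if (completedSids.has(link.sid)) return Outcome.ALREADY_DONE;
  if (!activeSession) return Outcome.CONTINUE_REGISTRATION;
  if (activeSession.userId === link.userId) return Outcome.CONTINUE_REGISTRATION;
  return Outcome.REFUSE_LOGGED_IN;
}

// Apply the decision and record completion so a second open is harmless.
function handleValidationLink(url, activeSession, state) {
  const link = parseValidationLink(url);
  const outcome = decideValidationLink(link, activeSession, state.completedSids);
  if (outcome === Outcome.CONTINUE_REGISTRATION) state.completedSids.add(link.sid);
  return outcome;
}

// Constructed sample: @bob is logged in, the link belongs to @test.234234.
const sampleLink =
  "https://riot.example/register?sid=abc123&user_id=%40test.234234%3Amatrix.org";
const sampleState = { completedSids: new Set() };
console.log(handleValidationLink(sampleLink, { userId: "@bob:matrix.org" }, sampleState));
```

The same link opened in a browser with no session continues registration, and opening it again afterwards returns the no-op outcome rather than re-running any step.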

@dbkr
Member

dbkr commented Jun 17, 2019

Have we ruled out special-casing it, ie. saying, "well done for registering @test.234234:matrix.org but you're already logged in as @bob:matrix.org, what'll it be?"

@turt2live
Member

(the special casing was what happened pre-registration sprint ftr, to fix #6875)

4 participants