Users Never Signed-In, yet have repos published

[sefsh]

• Gitea version (or commit ref):
• Git version: 1.11.1
• Operating system: ubuntu:bionic-20180821
• Database (use [x]):
  • PostgreSQL
  • MySQL
  • MSSQL
  • SQLite
• Can you reproduce the bug at https://try.gitea.io:
  • Yes (provide example URL)
  • No
  • Not relevant
• Log gist:
  N/A

Description

When I check for users with the Last Sign-In status Never Signed-In, I find users that have published repos on the platform. This shouldn't be possible.

Screenshots

[jolheiser]

Is there a chance someone transferred a repo to this account?
Or that the user created the repo via push-create if enabled before logging in?

[lunny]

There is a known issue that if user only push/pull via git, the Last Sign-In didn't update.

[rnowak]

Chiming in to add that this is also the case if the user authenticates via a header set in REVERSE_PROXY_AUTHENTICATION_USER both for the web interface as well as git interactions over https.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. I am here to help clear issues left open even if solved or waiting for more insight. This issue will be closed if no further activity occurs during the next 2 weeks. If the issue is still valid just add a comment to keep it alive. Thank you for your contributions.

[fnetX]

AFAICT this is also the case if a user registers and does actions within pers first session (this also explains how a user could create a repo which is not possible with push / pull alone).

[zeripath]

Ok that's a much simpler bug to fix!

[furai]

I get the same issue - I have gitea behind reverse proxy and last sign-in doesn't update.
(Also for some reason when I log-in, I get presented with a blank screen until I refresh, and I don't know why.)

[zeripath]

AFAICT this is also the case if a user registers and does actions within pers first session (this also explains how a user could create a repo which is not possible with push / pull alone).

I think that that this has been patrially fixed already in 1.14+ probably earlier (excepting potentially ReverseProxy)

SetLastLogin() does not appear to be called on API logins. Is it possible therefore that these are creations from the API?

[zeripath]

I get the same issue - I have gitea behind reverse proxy and last sign-in doesn't update.
(Also for some reason when I log-in, I get presented with a blank screen until I refresh, and I don't know why.)

This should be fixed by #15304

[wolfogre]

AFAICT this is also the case if a user registers and does actions within pers first session (this also explains how a user could create a repo which is not possible with push / pull alone).

The case should be fixed by #21731.