[User Testing] User Login

About

• Feature: User Login
• Route: https://localhost:8444/login

Checklist

• This feature testing stage has been completed.

Description

Users should be able to login in a secure fashion using the /login route.

When AUR_CONFIG's [options] disable_http_login is set to 1, cookies use the Secure and SameSite=strict attributes. When it is set to 0, of course, the converse happens -- completely insecure cookies are used.

Intended session persistence timing:

• Remember Me checked: 2592000 seconds (30 days)
• Otherwise: 7200 seconds (2 hours)

Caveat: The PHP implementation re-emits cookies without secure or samesite attributes. So, if users are switching between PHP and FastAPI on a local Docker instance configured on different ports, browsing around authenticated PHP will mean that the next browsing of FastAPI will be unauthenticated. This is due to how clients handle cookies emission: they store cookies for localhost (regardless of the port). This may also occur on aur-dev.archlinux.org as versions are changed.

Known Bugs

• #184 (closed) - Fixed infinite redirection loop
• #197 (closed) - Fixed conflicting session ID generation
• !322 (merged)

Unimplemented

• #199

Reporters

Following is a list of reporters who have contributed to helping test this feature which is updated as feedback is provided.