Arch Linux / aurweb / Issues / #139 (Closed)

Created Oct 24, 2021 by Kevin Morris (@kevr), Developer. 0 of 1 task completed.

[User Testing] User Login

About

  • Feature: User Login
  • Route: https://localhost:8444/login

Checklist

  • This feature testing stage has been completed.

Description

Users should be able to log in in a secure fashion using the /login route.

When AUR_CONFIG's [options] disable_http_login is set to 1, cookies use the Secure and SameSite=strict attributes. When it is set to 0, of course, the converse happens -- completely insecure cookies are used.

Intended session persistence timing:

  • Remember Me checked: 2592000 seconds (30 days)
  • Otherwise: 7200 seconds (2 hours)

Caveat: The PHP implementation re-emits cookies without Secure or SameSite attributes. So, if users are switching between PHP and FastAPI on a local Docker instance configured on different ports, browsing around authenticated PHP will mean that the next browsing of FastAPI will be unauthenticated. This is due to how clients handle cookie emission: they store cookies for localhost (regardless of the port). This may also occur on aur-dev.archlinux.org as versions are changed.

Known Bugs

  • #184 (closed) - Fixed infinite redirection loop
  • #197 (closed) - Fixed conflicting session ID generation
  • !322 (merged)

Unimplemented

  • #199

Reporters

The following is a list of reporters who have helped test this feature; it is updated as feedback is provided.

Name                 GitLab User
Zero                 @phantomotap
Hunter Hwittenborn   @hwittenborn
Kevin Morris         @kevr
Edited Dec 05, 2021 by Kevin Morris
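
A check a tester could run on the Set-Cookie header returned by /login, added here as an example (it is not part of the issue or of aurweb's code). The cookie name SID, the sample headers, and the idea that the persistence time is carried in the cookie's Max-Age are assumptions.

```python
from http.cookies import SimpleCookie

REMEMBER_ME_SECONDS = 2592000  # 30 days, from the issue
DEFAULT_SECONDS = 7200         # 2 hours, from the issue


def check_login_cookie(set_cookie, name, disable_http_login, remember_me):
    """Compare one Set-Cookie header value with the behaviour the issue describes.

    Returns a list of mismatches; an empty list means the cookie is as intended.
    """
    jar = SimpleCookie()
    jar.load(set_cookie)
    if name not in jar:
        return [f"{name}: cookie not set"]
    morsel = jar[name]

    # Attributes as the server emitted them.
    actual = {
        "Secure": bool(morsel["secure"]),
        "SameSite": morsel["samesite"].lower(),
        "Max-Age": morsel["max-age"],
    }
    # disable_http_login=1 -> Secure + SameSite=strict; 0 -> neither (the "converse").
    expected = {
        "Secure": bool(disable_http_login),
        "SameSite": "strict" if disable_http_login else "",
        # Assumption: session persistence is expressed as the cookie's Max-Age.
        "Max-Age": str(REMEMBER_ME_SECONDS if remember_me else DEFAULT_SECONDS),
    }
    return [
        f"{name}: {attr} is {actual[attr]!r}, expected {expected[attr]!r}"
        for attr in expected
        if actual[attr] != expected[attr]
    ]


# Constructed sample headers (not captured from a real aurweb instance).
# SID is a hypothetical cookie name.
FASTAPI_STYLE = "SID=abc123; Path=/; Max-Age=7200; HttpOnly; Secure; SameSite=strict"
PHP_STYLE = "SID=abc123; Path=/; Max-Age=7200; HttpOnly"  # re-emitted without Secure/SameSite

if __name__ == "__main__":
    for header in (FASTAPI_STYLE, PHP_STYLE):
        print(header, "->", check_login_cookie(header, "SID", 1, False) or "OK")
```

Running it with disable_http_login set to 1 flags the second header, which is the shape of cookie the caveat describes.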