The bug we have found involves 3 different “sub issues” along the way. The most critical issue is the last one (3). The others are partially expected, but I don’t believe they are being ideally handled either. Issue 3 however will crash the server for all users for a short period of time.
1. When some users are logged out by an Administrator, they are not notified of being logged out. Their browser will not display the “you have been logged out” modal.
2. If a user is logged out and does not receive this notification modal (1), they can click on their user menu (top right avatar). This sends off a request to get the latest 5 notifications (`/notifications?recent=true&limit=5`). Because the user has been logged out, this will fail (403). It seems Discourse (or Ember) will immediately retry this request indefinitely, flooding the server with these requests very rapidly.
3. If the user has been logged out and did not receive the notification modal (1) and opened the user menu (2), attempting to refresh the page will result in a 500 Internal Server Error message. This may occasionally be a 429, if you have sent too many requests due to having the user menu open (2) before refreshing.
Note: I personally cannot reproduce the first error; however, I have seen this issue occur consistently with a QA member. I have yet to figure out the difference between his setup and mine that may be causing this; it does not seem to be account related, and we used the same browsers (though the Chrome version number may not have been the same). Regardless, I will outline the steps for faking a reproduction of the first error, as it is necessary to reproduce the other errors if you do not get the first issue.
How to reproduce:

Part 1:
- Log in to Discourse as a user.
- Log in to Discourse as an admin in a separate browser (or incognito, if using Chrome).
- As Admin, navigate to the User’s Admin page and force them to log out.
- If you receive the popup modal, use the Developer console to delete the modal.

Part 2:
- Click the user menu in the top right (avatar). It may or may not display a loading circle.
- Check the Network tab of the Developer console; it will be filling up rapidly with attempts to grab notifications.

Part 3.1:
- While the user menu is open from Part 2 (or shortly after), refresh the page. You will receive an Internal Server Error.
- The page will continue to receive this error for a short time (a few minutes), but will eventually correct itself and leave you logged out on the main forum page.
Part 3.2 (alternative, with SSO sign in):
- While the user menu is open from Part 2 (or shortly after), click on a link (in this case, I clicked the “Latest” tab).
- Click “Go Back”. You should see the same error message, but note that the address is for the main Forum page again.
- Click “Go Back” again. This ends up at SSO login, which will fail and leave the user on a blank page.
- Like 3.1, this will persist for a few minutes before a refresh will leave the user on Discourse with a message “Login Error: Account login timed out, please try logging in again.”
It should be noted that the areas I have tried accessing with Part 3.2 are available to a user who is not logged in, but I assume they are denied to the logged-out user because their browser is still including their credentials (which are no longer valid).
Also, here is what I believe is the error that was logged:
```
Discourse::InvalidAccess (Discourse::InvalidAccess)
/var/www/discourse/lib/auth/default_current_user_provider.rb:63:in `rescue in current_user'
```
Also, the full backtrace is here (this didn’t display nicely in MD code blocks, so I copied it out to pastebin instead).
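The second issue above (a 403 on the notifications request being retried without limit) is a general client-side hazard: a retry loop that treats every failed response the same way turns a single expired session into a self-inflicted request flood and then trips rate limiting (the 429s mentioned in issue 3). The following is an added example, not Discourse or Ember code, showing a request helper whose retry policy refuses to retry authentication and authorization failures (401/403), retries only transient statuses (429, 5xx) with a cap and exponential backoff, and honours a `Retry-After` header. `fetchWithPolicy`, `retryDecision` and `makeFakeFetch` are names chosen for this example; `makeFakeFetch` is a constructed stand-in for `fetch` so the example runs offline.

```javascript
// Added example (not Discourse or Ember code): a request helper whose retry
// policy stops on authentication/authorization failures instead of looping.
// Assumptions: `fetchImpl` is any fetch-compatible function (injected so the
// example runs offline); responses expose `ok`, `status` and `headers.get`.

const NON_RETRYABLE = new Set([400, 401, 403, 404]);      // retrying cannot help
const RETRYABLE     = new Set([429, 500, 502, 503, 504]); // transient or rate-limited

// Pure policy: `attempt` is the number of retries already made (0-based).
// Returns { retry: false, reason } or { retry: true, delayMs }.
function retryDecision(status, attempt, maxRetries = 3, retryAfterHeader = null, baseMs = 200) {
  if (NON_RETRYABLE.has(status)) return { retry: false, reason: "not-retryable" };
  if (!RETRYABLE.has(status)) return { retry: false, reason: "unexpected-status" };
  if (attempt >= maxRetries) return { retry: false, reason: "retries-exhausted" };
  // Honour Retry-After (seconds) when present, otherwise exponential backoff.
  const delayMs = (retryAfterHeader && /^\d+$/.test(retryAfterHeader))
    ? Number(retryAfterHeader) * 1000
    : baseMs * 2 ** attempt;
  return { retry: true, delayMs };
}

const defaultSleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// Fetch wrapper driven by retryDecision. A 401/403 is surfaced once so the UI
// can show "you have been logged out" instead of hammering the server.
async function fetchWithPolicy(url, { fetchImpl, maxRetries = 3, sleep = defaultSleep } = {}) {
  const delays = [];
  for (let attempt = 0; ; attempt += 1) {
    const res = await fetchImpl(url);
    if (res.ok) return { ok: true, status: res.status, attempts: attempt + 1, delays };
    const decision = retryDecision(res.status, attempt, maxRetries, res.headers.get("Retry-After"));
    if (!decision.retry) {
      return { ok: false, status: res.status, attempts: attempt + 1, reason: decision.reason, delays };
    }
    delays.push(decision.delayMs);
    await sleep(decision.delayMs);
  }
}

// Constructed stand-in for fetch: returns the given statuses in order (the last
// one repeats) and counts calls, so the policy can be checked offline.
function makeFakeFetch(statuses, retryAfter) {
  let calls = 0;
  const fake = async () => {
    const status = statuses[Math.min(calls, statuses.length - 1)];
    calls += 1;
    return {
      ok: status >= 200 && status < 300,
      status,
      headers: { get: (name) => (name === "Retry-After" && retryAfter !== undefined ? retryAfter : null) },
    };
  };
  fake.calls = () => calls;
  return fake;
}

// Demo: the notifications request after a forced logout. With this policy the
// 403 produces exactly one request rather than an unbounded stream.
const loggedOutFetch = makeFakeFetch([403]);
fetchWithPolicy("/notifications?recent=true&limit=5", { fetchImpl: loggedOutFetch, sleep: async () => {} })
  .then((result) => console.log("403 case:", result, "requests sent:", loggedOutFetch.calls()));
```

The key design point is the split between `retryDecision` (pure, easy to test) and the transport loop: a 403 after a server-side logout is a final answer about the session, so the correct client reaction is to stop and tell the user, while a 429 or 503 is worth a bounded number of delayed retries.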