Invalid JWT tokens don't properly log you out of the frontend

Steps to reproduce:

  1. Set up a minimal Vikunja server. Do not include a JWT secret. (docker-compose.yml included for ease of setup)
  2. Create an account and do stuff
  3. Restart the server. (This generates a new JWT token)
  4. Refresh the page.

Expected outcome:

You should be brought to the login page

Actual outcome:

You can continue to navigate an empty interface. Attempts to access information from the API are denied; however, the frontend still sees your session as valid. I have attached an image of what it looks like to be logged in with an invalid JWT token.

docker-compose.yml:

version: '2'
services:
  db:
    image: mariadb:10
    command: --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci
    environment:
      MYSQL_ROOT_PASSWORD: imgladthispasswordisloggedinplaintext
      MYSQL_USER: vikunja
      MYSQL_PASSWORD: ifihadtomakeapassword
      MYSQL_DATABASE: vikunja
    volumes:
      - ./db:/var/lib/mysql
  api:
    image: vikunja/api:latest
    environment:
      VIKUNJA_DATABASE_HOST: db
      VIKUNJA_DATABASE_PASSWORD: ifihadtomakeapassword
      VIKUNJA_DATABASE_TYPE: mysql
      VIKUNJA_DATABASE_USER: vikunja
      VIKUNJA_SERVICE_FRONTENDURL: https://localhost:3456/
    volumes:
      - ./data:/app/vikunja/files
    ports:
      - 3456:3456
    depends_on:
      - db
    restart: on-failure
  frontend:
    image: vikunja/frontend
    ports:
      - 80:80
    environment:
      VIKUNJA_API_URL: http://localhost:3456/api/v1
    restart: always

Looks like this is a bug. Thanks for reporting.

I just realized I posted the database password…

It’s a good thing that the database container is not exposed to the internet XD

Should be fixed in 91976e23f9 - please check with the next unstable build (~30 min) if the problem went away.

Much closer to expected behavior - a refresh brings you to the login screen, though you can still explore a dead interface if your JWT token expires and the window is open.
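
The failure mode in this thread (the API rejects the token while the frontend keeps treating the session as valid) comes from the client having only one logout trigger. The JavaScript below is an added example, not Vikunja's code and not the fix in 91976e23f9; `createSessionGuard`, its callbacks, the constructed sample token and the use of HTTP 401 as the rejection signal are all assumptions.

```javascript
// Added example. All names here are hypothetical, not Vikunja's code.

// Read the payload of a JWT WITHOUT verifying it. The browser has no secret,
// so this is only good for reading `exp`, never for trusting the token.
function decodeJwtPayload(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  try {
    const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
    return JSON.parse(atob(b64 + '='.repeat((4 - (b64.length % 4)) % 4)));
  } catch (e) {
    return null;
  }
}

// True only for a well-formed token whose `exp` (seconds) is in the future.
function isTokenUsable(token, nowSeconds) {
  const payload = decodeJwtPayload(token);
  return payload !== null && typeof payload.exp === 'number' && payload.exp > nowSeconds;
}

function createSessionGuard({ getToken, clearToken, onLogout, now }) {
  const logout = (reason) => { clearToken(); onLogout(reason); };
  return {
    // Call on page load and route changes: catches expired or malformed tokens.
    checkLocal() {
      const token = getToken();
      if (token === null) return false;
      if (!isTokenUsable(token, now())) { logout('expired'); return false; }
      return true;
    },
    // Call with the status of every API response. Assumption: the API answers
    // 401 for a token it rejects. This is the only way to catch a token signed
    // with a secret the server no longer uses, since `exp` still looks fine.
    handleResponse(status) {
      if (status !== 401) return true;
      if (getToken() !== null) logout('rejected');
      return false;
    },
  };
}

// Constructed sample token (placeholder signature) for trying the guard out.
function makeSampleToken(exp) {
  const enc = (obj) => btoa(JSON.stringify(obj)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc({ exp })}.constructed-signature`;
}
```

In a real frontend `onLogout` would route to the login page, and a timer set for the token's `exp` could call `checkLocal()` so that an open window does not stay on a dead interface.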