Steps to reproduce:
- Set up a minimal Vikunja server. Do not include a JWT secret. (docker-compose.yml included for ease of setup)
- Create an account and do stuff
- Restart the server. (This generates a new JWT token)
- Refresh the page.
Expected outcome:
You should be brought to the login page.
Actual outcome:
You can continue to navigate an empty interface. Attempts to access information from the API are denied; however, the frontend still sees your session as valid. I have attached an image of what it looks like to be logged in with an invalid JWT token.
docker-compose.yml:
```yaml
version: '2'
services:
  db:
    image: mariadb:10
    command: --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci
    environment:
      MYSQL_ROOT_PASSWORD: imgladthispasswordisloggedinplaintext
      MYSQL_USER: vikunja
      MYSQL_PASSWORD: ifihadtomakeapassword
      MYSQL_DATABASE: vikunja
    volumes:
      - ./db:/var/lib/mysql
  api:
    image: vikunja/api:latest
    environment:
      VIKUNJA_DATABASE_HOST: db
      VIKUNJA_DATABASE_PASSWORD: ifihadtomakeapassword
      VIKUNJA_DATABASE_TYPE: mysql
      VIKUNJA_DATABASE_USER: vikunja
      VIKUNJA_SERVICE_FRONTENDURL: https://localhost:3456/
    volumes:
      - ./data:/app/vikunja/files
    ports:
      - 3456:3456
    depends_on:
      - db
    restart: on-failure
  frontend:
    image: vikunja/frontend
    ports:
      - 80:80
    environment:
      VIKUNJA_API_URL: http://localhost:3456/api/v1
    restart: always
```
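
The mismatch reported above, reproduced as an added example (not code from the report or from the Vikunja project): a token signed before a restart fails server-side signature verification afterwards, while a client that only decodes the payload still treats it as valid. It assumes HS256 tokens and a client that checks only `exp`; all function names are hypothetical.

```javascript
const nodeCrypto = require('node:crypto');

const b64url = (s) => Buffer.from(s).toString('base64url');

// Sign an HS256 JWT with the given secret.
function signJwt(payload, secret) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  const sig = nodeCrypto.createHmac('sha256', secret).update(`${head}.${body}`).digest('base64url');
  return `${head}.${body}.${sig}`;
}

// Server side: recompute the HMAC, compare in constant time, then check exp.
function serverAccepts(token, secret) {
  const [head, body, sig] = token.split('.');
  const expected = nodeCrypto.createHmac('sha256', secret).update(`${head}.${body}`).digest();
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !nodeCrypto.timingSafeEqual(given, expected)) return false;
  return JSON.parse(Buffer.from(body, 'base64url')).exp > Date.now() / 1000;
}

// Client side (assumed behaviour): decode the payload and look only at exp.
function clientThinksLoggedIn(token) {
  const payload = JSON.parse(Buffer.from(token.split('.')[1], 'base64url'));
  return payload.exp > Date.now() / 1000;
}

// Hardened client: a 401 from the API overrides the local check.
function sessionStateAfterApiCall(token, httpStatus) {
  if (httpStatus === 401 || !clientThinksLoggedIn(token)) return 'login';
  return 'authenticated';
}

function demo() {
  // No configured secret: a fresh random one per server start (as in the report).
  const secretBeforeRestart = nodeCrypto.randomBytes(32);
  const exp = Math.floor(Date.now() / 1000) + 3600; // constructed sample claims
  const token = signJwt({ sub: 'user-1', exp }, secretBeforeRestart);
  const secretAfterRestart = nodeCrypto.randomBytes(32);
  const apiOk = serverAccepts(token, secretAfterRestart);
  return {
    acceptedBeforeRestart: serverAccepts(token, secretBeforeRestart),
    acceptedAfterRestart: apiOk,
    clientLocalCheck: clientThinksLoggedIn(token),
    hardenedClient: sessionStateAfterApiCall(token, apiOk ? 200 : 401),
  };
}
```

The client cannot verify the signature itself because it never holds the secret, so the API's rejection is the only reliable signal that the session is gone.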