[BUG] Leantime logs out with every page change and injects %2F into the URLs repeatedly. #2504

JustEnoughDucks opened this issue May 8, 2024 · 4 comments


@JustEnoughDucks

JustEnoughDucks commented May 8, 2024

If you have problems with the installation please use our community forum

What set up are you using

  • Cloud Hosted Version
  • Self Hosted

Describe the bug
2FA is not enabled!

After the initial login, which takes 5-10 logins and a refresh because it keeps appending a %2F redirect after every login attempt (https://my.domain.here/auth/login?redirect=%2F%2F%2F%2F%2F), clicking on any button that would trigger a refresh results in a redirect to the base URL, such as https://my.domain.here/auth/login?redirect=%2Fprojects%2FchangeCurrentProject%2F10

This means that per session I have to log in anywhere from 40-100 times. There are no errors in the logs.

To Reproduce
Steps to reproduce the behavior:

  1. Go to base domain
  2. Login
  3. Redirect to base URL
  4. Repeat steps 2-3 indefinitely
  5. Refresh page
  6. Login and get directed to the homepage
  7. Click any button that requires a new webpage to appear
  8. Get redirected back to the base URL
  9. Login and get directed to requested page

Expected behavior
I expect to log in 1 time per session and be able to use the software

Leantime Version
Which Leantime version are you using

Server
Docker, reverse proxied through Traefik.

PHP / MySQL Version
10.11.6-MariaDB
PHP 8.1.28

@marcelfolaron
Contributor

Are you using an OIDC provider? I went to the URL and the login screen seems to be through Authelia.
We haven't tested logins via Authelia, but it sounds like an OIDC config. I can't reproduce this issue with the standard login methods. The %2F is a URL-encoded "/". Is that in your config anywhere?
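The "%2F is a URL-encoded /" remark and the growing `redirect=%2F%2F%2F...` parameter in the report are the two halves of one pattern: a login handler that treats the incoming `redirect` parameter as opaque and re-wraps it on every bounce. The following is an added illustration, not Leantime's code or the maintainers' diagnosis; `naive_login_redirect` is a constructed buggy handler that reproduces the observed growth, and `hardened_login_redirect` / `safe_redirect_target` show the checks a login handler wants so that the target is validated as a single local path and the redirect is idempotent. Paths and hostnames are taken from the report; everything else is assumed.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, quote, urlsplit

LOGIN_PATH = "/auth/login"  # login route from the report


def naive_login_redirect(current_url: str) -> str:
    """Constructed buggy pattern: when an unauthenticated request already sits on
    the login page, take its existing 'redirect' value, prefix '/' to make it
    'absolute' and encode it again.  Each bounce adds one '/', which is the
    %2F%2F%2F... growth seen in the report."""
    parts = urlsplit(current_url)
    if parts.path == LOGIN_PATH:
        target = "/" + parse_qs(parts.query).get("redirect", [""])[0]  # bug: unconditional prefix
    else:
        target = parts.path
    return f"{parts.scheme}://{parts.netloc}{LOGIN_PATH}?redirect={quote(target, safe='')}"


def safe_redirect_target(raw: Optional[str], default: str = "/") -> str:
    """Validate a post-login redirect target (already URL-decoded by the query parser).

    Accepts only a single local path: rejects absolute URLs, backslash and control
    characters, collapses repeated leading slashes (so '//host' cannot become a
    protocol-relative redirect) and falls back to `default` otherwise."""
    if not raw:
        return default
    if "://" in raw or "\\" in raw or any(ord(c) < 0x20 for c in raw):
        return default
    target = re.sub(r"^/+", "/", raw)
    if not target.startswith("/"):
        return default
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return default
    return target


def hardened_login_redirect(current_url: str) -> str:
    """Same handler with the target validated; applying it repeatedly yields the
    same URL, so a redirect loop cannot make the parameter grow."""
    parts = urlsplit(current_url)
    if parts.path == LOGIN_PATH:
        raw = parse_qs(parts.query).get("redirect", [None])[0]
    else:
        raw = parts.path + (f"?{parts.query}" if parts.query else "")
    target = safe_redirect_target(raw)
    return f"{parts.scheme}://{parts.netloc}{LOGIN_PATH}?redirect={quote(target, safe='')}"


def simulate(handler, start_url: str, rounds: int):
    """Feed the handler its own output `rounds` times, returning every intermediate URL."""
    urls, url = [], start_url
    for _ in range(rounds):
        url = handler(url)
        urls.append(url)
    return urls


if __name__ == "__main__":
    start = "https://my.domain.here/"  # hostname placeholder from the report
    for name, handler in (("naive", naive_login_redirect), ("hardened", hardened_login_redirect)):
        print(name)
        for u in simulate(handler, start, 5):
            print("  ", u)
```

Running the block shows the naive handler producing `redirect=%2F`, `%2F%2F`, ... `%2F%2F%2F%2F%2F` after five bounces, while the hardened handler settles on `redirect=%2F` immediately. The same validator also keeps a `redirect` parameter from being abused as an open redirect, which is why it is worth having even when no loop exists.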

@JustEnoughDucks
Author

JustEnoughDucks commented May 8, 2024

No, there is an Authelia front-end 2FA for the entire site. Once the user is authenticated, each service can be logged into through its own provider.

My compose looks like this:

services:
  leantime:
    image: leantime/leantime:latest
    container_name: leantime
    restart: unless-stopped
    secrets:
      - lean-db-password
      - lean-session-password
    security_opt:
      - no-new-privileges:true
    environment:
      LEAN_APP_URL: 'https://my.domain.here'                    # Only needed for subdirectory setup; protocol (http or https) and base URL, trailing slash not needed
      LEAN_SITENAME: 'Leantime'                                         # Name of your site, can be changed later
      LEAN_DB_HOST: 'mariadb:3306'                                    # Database host, derived from container_name in leantime_db container
      LEAN_DB_USER: 'leantime'
      LEAN_DB_PASSWORD_FILE: /run/secrets/lean-db-password
      LEAN_DB_DATABASE: 'leantime'
      LEAN_DEFAULT_TIMEZONE: $TZ                         # Set default server timezone
      LEAN_SESSION_PASSWORD_FILE: /run/secrets/lean-session-password         # Salting sessions. Replace with a strong password
      LEAN_SESSION_EXPIRATION: 28800                                    # How many seconds of inactivity before logout? 28800 seconds = 8 hours
      PUID: $PUID
      PGID: $PGID
      TZ: $TZ

    volumes:
      - $USERDIR/dockerconfig/leantime/public_userfiles:/var/www/html/public/userfiles
      - $USERDIR/dockerconfig/leantime/userfiles:/var/www/html/userfiles
    ports:
      - "8089:80"                                                       # The port to expose and access Leantime
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=web"
      ## HTTP Routers
      - "traefik.http.routers.leantime-rtr.entrypoints=https"
      - "traefik.http.routers.leantime-rtr.rule=Host(`manage.$DOMAINNAME`)"
      - "traefik.http.routers.leantime-rtr.tls=true"
      ## Middlewares
      - "traefik.http.routers.leantime-rtr.middlewares=chain-authelia@file"
#     - "traefik.http.routers.leantime-rtr.middlewares=chain-no-auth@file"
      ## HTTP Services
      - "traefik.http.routers.leantime-rtr.service=leantime-svc"
      - "traefik.http.services.leantime-svc.loadbalancer.server.port=80"
    networks:
      web:
        ipv4_address: 192.168.90.28



volumes:
  userfiles:
  public_userfiles:

secrets:
  lean-db-password:
    file: $SECRETSDIR/LEAN_DB_PASSWORD
  lean-session-password:
    file: $SECRETSDIR/LEAN_SESSION_PASSWORD

networks:
  web:
    external: true

Everything has worked for close to 2 years until the most recent update, to 3.1.4 from 3.0.7 I believe it was.

@JustEnoughDucks
Author

I have narrowed it down, because this is quite a bad issue.

The problem begins in 3.1.2; 3.1.1 works perfectly.

I don't know what commit broke things, but maybe it has to do with the middleware improvements that caused a bug somewhere?

JustEnoughDucks changed the title from "[BUG] Without 2FA enabled, Leantime redirects to 2FA which redirects to the login page on every single button click" to "[BUG] Leantime logs out with every page change and injects %2F into the URLs repeatedly." on May 17, 2024
@pablopoo

Same issue here. Running 3.1.1 is OK.
Tested 3.1.4 and got a redirect loop with OIDC login.
Noticed that with 3.1.4 my session ID keeps changing. With 3.1.1 it stays the same; it must be due to the changes in app/Core/Session.php

Could it be that the session ID is regenerated before processing the SSO postback redirect, so the app loses the context and doesn't know what to do with the IdP response?
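The hypothesis in the comment above, that rotating the session ID between the outbound OIDC redirect and the IdP callback loses the stored context, can be shown with a small model. This is an added example and not Leantime's code or `app/Core/Session.php`; the session store, the `oidc_state` key and the two rotation strategies are all constructed. The point it demonstrates is that rotating a session ID is fine (and is the standard defence against session fixation after login) as long as the session data moves with the new ID; a rotation that creates an empty session drops the `state` nonce the callback needs, and the only safe response is to refuse the callback and send the user back to login, which is exactly the loop reported.

```python
import secrets


class SessionStore:
    """Minimal in-memory session store (constructed for this example)."""

    def __init__(self):
        self._data = {}

    def create(self) -> str:
        sid = secrets.token_hex(16)
        self._data[sid] = {}
        return sid

    def get(self, sid: str):
        return self._data.get(sid)

    def regenerate_dropping_data(self, sid: str) -> str:
        """Lossy rotation: new ID, fresh empty data.  Models the hypothesised bug."""
        self._data.pop(sid, None)
        return self.create()

    def regenerate_keeping_data(self, sid: str) -> str:
        """Safe rotation: new ID, same data, old ID invalidated (what a
        session_regenerate_id-style call is expected to do)."""
        data = self._data.pop(sid, {})
        new_sid = secrets.token_hex(16)
        self._data[new_sid] = data
        return new_sid


def start_login(store: SessionStore, sid: str) -> str:
    """Step 1: issue a per-login `state` nonce and remember it in the session
    before redirecting the browser to the IdP.  Returns the nonce the IdP will echo."""
    state = secrets.token_urlsafe(16)
    store.get(sid)["oidc_state"] = state
    return state


def handle_callback(store: SessionStore, sid: str, returned_state: str) -> str:
    """Step 2: on the IdP postback, accept only if the echoed `state` matches the
    one this session issued.  A session with no stored nonce cannot be validated,
    so the app has no choice but to restart the login."""
    session = store.get(sid)
    if session is None or "oidc_state" not in session:
        return "no_context"
    expected = session.pop("oidc_state")  # single use
    if not secrets.compare_digest(expected, returned_state):
        return "state_mismatch"
    session["user"] = "authenticated"
    return "ok"


def oidc_round_trip(rotate_between_steps) -> str:
    """Run redirect -> (hypothetical middleware rotates the session) -> callback
    and report what the callback decided."""
    store = SessionStore()
    sid = store.create()
    state = start_login(store, sid)
    sid = rotate_between_steps(store, sid)  # what happens in between is the variable
    return handle_callback(store, sid, state)


if __name__ == "__main__":
    print("no rotation:     ", oidc_round_trip(lambda store, sid: sid))
    print("rotate, keep data:", oidc_round_trip(SessionStore.regenerate_keeping_data))
    print("rotate, drop data:", oidc_round_trip(SessionStore.regenerate_dropping_data))
```

The `no_context` branch is the thing to look for when diagnosing a loop like this one: the IdP response is valid, but the receiving session is not the one that started the login, so the `state` check cannot pass. Rotating the ID after a successful callback, with the data carried over, gives the fixation protection without that failure.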
