View Issue Details
ID: 0047888
Type: defect
Category: [Retail Modules] Web POS
Severity: major
Reproducibility: unable to reproduce
Date Submitted: 2021-10-20 06:57
Last Update: 2021-12-31 14:08
Reporter: alostale
View Status: public
Assigned To: cberner
Priority: urgent
Resolution: fixed
Fixed in Version: RR22Q1
Status: closed
Projection: none
ETA: none
Target Version: RR22Q1
OS: Any
Database: Any
Triggers an Emergency Pack: No
Summary

0047888: checkServerAvailability does not fail even if the session is corrupted

Description

If a session is corrupted and its csrf token is lost, POS goes offline on the next online POST request as it correctly returns 401 due to the missing token, which is correct.

While offline, checkServerAvailability requests are sent; they respond with 200, so POS considers itself online, although the next POST request will also fail.

Steps To Reproduce

Although it is unclear why the session got corrupted, this is part of a sequence of requests seen at an actual customer (attached the full sequence of requests received for that session):

1. 19:04 - 19:12 regular activity
2. 19:12:14 AppCacheManifest 200 -> reload page? Might the session be corrupted after this one?
3. 19:21:09 ProcessCashClose 401 -> the request is sent without csrf token, which makes the validation fail, which makes the POS go offline
4. checkServerAvailability every 10s 200 -> 3 successful requests make the POS go online
5. ProcessCashClose 401 -> actual request fails again, so the POS is offline again
6. repeats steps 4 and 5

Proposed Solution

checkServerAvailability should include a csrf token check and, in case it is not valid, the user should be notified and sent back to the login window as their session is not valid anymore.

Tags: No tags attached.
Attached Files: 25390BD087868B3F5BEB2CDCEAD44D9E.log (950,589 bytes) 2021-10-20 06:58

- Relationships
related to: feature request 0039123 (closed, jarmendariz), Openbravo ERP: Add CSRF Token support
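
The flapping in steps 3 to 6 and the effect of the proposed csrf check on checkServerAvailability, as a constructed model added here (not Openbravo's code; `handleRequest`, `ConnectivityMonitor`, `simulate` and the state names are hypothetical):

```javascript
// Constructed model of the behaviour reported in this issue; all names are hypothetical.
const ONLINE_THRESHOLD = 3; // step 4: three successful checks bring the POS back online

// Server: POSTs always validate the CSRF token; the availability check validates
// it only when checkCsrfOnPing is true (the issue's proposed solution).
function handleRequest(session, req, checkCsrfOnPing) {
  const tokenOk = Boolean(session.csrfToken) && req.csrfToken === session.csrfToken;
  if (req.name === 'checkServerAvailability') {
    return (checkCsrfOnPing && !tokenOk) ? 401 : 200;
  }
  return tokenOk ? 200 : 401;
}

// Client: goes offline on a rejected POST, returns online after ONLINE_THRESHOLD
// successful checks, and stops retrying once a check itself is rejected.
class ConnectivityMonitor {
  constructor() {
    this.state = 'online';
    this.okPings = 0;
    this.transitions = [];
  }
  set(state) {
    if (state !== this.state) { this.state = state; this.transitions.push(state); }
  }
  onPost(status) {
    if (status === 401 && this.state === 'online') { this.okPings = 0; this.set('offline'); }
  }
  onPing(status) {
    if (this.state !== 'offline') return;
    if (status === 401) { this.set('unrecoverable-offline'); return; }
    this.okPings += 1;
    if (this.okPings >= ONLINE_THRESHOLD) this.set('online');
  }
}

// Replays steps 3 to 6. token = null models the session whose csrf token was lost.
function simulate(checkCsrfOnPing, rounds, token = null) {
  const session = { csrfToken: token };
  const send = (name) => handleRequest(session, { name, csrfToken: token }, checkCsrfOnPing);
  const monitor = new ConnectivityMonitor();
  for (let i = 0; i < rounds && monitor.state !== 'unrecoverable-offline'; i++) {
    monitor.onPost(send('ProcessCashClose'));
    for (let p = 0; p < ONLINE_THRESHOLD; p++) monitor.onPing(send('checkServerAvailability'));
  }
  return monitor.transitions;
}
```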

-  Notes
(0133308)
hgbot (developer)
2021-11-23 17:25

Merge Request created: https://gitlab.com/openbravo/product/pmods/org.openbravo.mobile.core/-/merge_requests/303
(0133334)
hgbot (developer)
2021-11-24 18:25

Merge Request created: https://gitlab.com/openbravo/product/pmods/org.openbravo.core2/-/merge_requests/672
(0133391)
hgbot (developer)
2021-11-26 14:36

Merge Request created: https://gitlab.com/openbravo/ci/modules/org.openbravo.retail.samplebpintegration/-/merge_requests/5
(0133785)
hgbot (developer)
2021-12-16 18:12

Repository: https://gitlab.com/openbravo/ci/modules/org.openbravo.retail.samplebpintegration
Changeset: ddf1e62d995685d8ff42361d4f549dfa5ca721cd
Author: Cristian Berner <cristian.berner@openbravo.com>
Date: 26-11-2021 11:56:59
URL: https://gitlab.com/openbravo/ci/modules/org.openbravo.retail.samplebpintegration/-/commit/ddf1e62d995685d8ff42361d4f549dfa5ca721cd

Related to ISSUE-47888: Proxy request with error should not proceed

Previously proxy bp requests allowed errors to slip through, this means
that if for example we get a 401 error when doing the request, it will
fail because there's no data present in the response. This is fixed by
rejecting the request if it contains an error.

---
M web/org.openbravo.retail.samplebpintegration/js/SampleBPIntegrationProxy.js
---
(0133786)
hgbot (developer)
2021-12-16 18:12

Merge request merged: https://gitlab.com/openbravo/ci/modules/org.openbravo.retail.samplebpintegration/-/merge_requests/5
(0134085)
hgbot (developer)
2021-12-31 14:08

Repository: https://gitlab.com/openbravo/product/pmods/org.openbravo.core2
Changeset: 038f77b993724e9e8dc621f0cab8295fa313fecf
Author: Cristian Berner <cristian.berner@openbravo.com>
Date: 31-12-2021 14:06:47
URL: https://gitlab.com/openbravo/product/pmods/org.openbravo.core2/-/commit/038f77b993724e9e8dc621f0cab8295fa313fecf

Related to ISSUE-47888: Show dialog when user session is broken and requires logging out

If session is in an unrecoverable offline mode, the user is required to
log out and back in to have a new csrf token for him. This project
shows this dialog to the user every 2 minutes and informs him on the
actions required to have a valid online session.

---
M src-db/database/sourcedata/AD_MESSAGE.xml
M web-jspack/org.openbravo.core2/src/components/BaseDialog/BaseDialog.scss
M web-jspack/org.openbravo.core2/src/components/StatusBar/ServerStatusButton.jsx
M web-jspack/org.openbravo.core2/src/components/StatusBar/stories/ServerStatusButton.stories.jsx
M web-jspack/org.openbravo.core2/src/components/StatusBar/stories/StatusBarStoriesUtils.jsx
M web-jspack/org.openbravo.core2/src/core/authentication/LoginProcess.js
M web-jspack/org.openbravo.core2/src/core/remote-server/BackendServer.js
M web-jspack/org.openbravo.core2/src/core/remote-server/__test__/BackendServer.test.js
M web-jspack/org.openbravo.core2/src/model/session/__test__/Logout.test.js
M web-jspack/org.openbravo.core2/src/model/session/user-actions/Logout.js
---
(0134086)
hgbot (developer)
2021-12-31 14:08

Merge request merged: https://gitlab.com/openbravo/product/pmods/org.openbravo.core2/-/merge_requests/672
(0134087)
hgbot (developer)
2021-12-31 14:08

Directly closing issue as related merge request is already approved.

Repository: https://gitlab.com/openbravo/product/pmods/org.openbravo.mobile.core
Changeset: 595f45b20ba8d2572b92d0fc5f9e095cd6602501
Author: Cristian Berner <cristian.berner@openbravo.com>
Date: 31-12-2021 14:04:17
URL: https://gitlab.com/openbravo/product/pmods/org.openbravo.mobile.core/-/commit/595f45b20ba8d2572b92d0fc5f9e095cd6602501

Fixes ISSUE-47888: CSRF token offline improvements

Shows the user a confirmation message when its session has been
broken when csrf token mismatches and informs that it's in
an unrecoverable offline state until he logs back in again.

This message is shown every 2 minutes until the user logs out so the
session can be regenerated.

---
A web/org.openbravo.mobile.core/app/model/business-object/remote-server/actions/SetUnrecoverableOffline.js
M src-db/database/sourcedata/AD_MESSAGE.xml
M src/org/openbravo/mobile/core/MobileCoreComponentProvider.java
M web-test/integration/remote-server/BackendServer.test.js
M web-test/integration/remote-server/RemoteServer.test.js
M web/org.openbravo.mobile.core/app/integration/remote-server/BackendServer.js
M web/org.openbravo.mobile.core/app/integration/remote-server/RemoteServer.js
M web/org.openbravo.mobile.core/app/util/network/Request.js
M web/org.openbravo.mobile.core/app/view/DialogUIHandler.js
M web/org.openbravo.mobile.core/source/component/ob-menu.js
---
(0134088)
hgbot (developer)
2021-12-31 14:08

Merge request merged: https://gitlab.com/openbravo/product/pmods/org.openbravo.mobile.core/-/merge_requests/303

- Issue History
Date Modified Username Field Change
2021-10-20 06:57 alostale New Issue
2021-10-20 06:57 alostale Assigned To => platform
2021-10-20 06:57 alostale Triggers an Emergency Pack => No
2021-10-20 06:57 alostale Steps to Reproduce Updated
2021-10-20 06:58 alostale File Added: 25390BD087868B3F5BEB2CDCEAD44D9E.log
2021-10-20 07:14 alostale Relationship added related to 0039123
2021-11-16 16:54 egoitz Issue Monitored: egoitz
2021-11-23 17:25 hgbot Note Added: 0133308
2021-11-24 18:25 hgbot Note Added: 0133334
2021-11-26 14:36 hgbot Note Added: 0133391
2021-12-16 18:12 hgbot Note Added: 0133785
2021-12-16 18:12 hgbot Note Added: 0133786
2021-12-27 16:08 AugustoMauch Assigned To platform => cberner
2021-12-27 16:08 AugustoMauch Status new => scheduled
2021-12-31 14:08 hgbot Note Added: 0134085
2021-12-31 14:08 hgbot Note Added: 0134086
2021-12-31 14:08 hgbot Resolution open => fixed
2021-12-31 14:08 hgbot Status scheduled => closed
2021-12-31 14:08 hgbot Fixed in Version => RR22Q1
2021-12-31 14:08 hgbot Note Added: 0134087
2021-12-31 14:08 hgbot Note Added: 0134088

