Going to /users/sign_in can redirect to JSON
This has been reported a few times in Slack. People click the 'sign in' link in the handbook, which seems to go to the last page you viewed based on the Devise defaults and https://gitlab.com/gitlab-org/gitlab/-/blob/e58c91f41003235eda5dfa9095dad1672a80aac8/app/controllers/application_controller.rb#L191-193
However, if you're on an issue page - like this one - then your browser will be making a bunch of AJAX requests. For me, that quite often manifests in https://gitlab.com/users/sign_in redirecting to a page like https://gitlab.com/gitlab-com/gl-infra/scalability/-/issues/462.json?serializer=sidebar_extras
This is annoying whether you're using GitLab.com or self-managed.
Updated findings
Devise actually doesn't store the location based on the last viewed page. It only stores the location when you visit a page that needs authentication, just before it redirects to the sign in page.
In Project::IssuesController, we manually trigger storing the current location so that users can view a public issue, click sign in, and then get redirected back to the public issue they were viewing.
This before_action was checking for !request.xhr?, which depends on the X-Requested-With header. That stopped working recently because we enabled startup JS, which now loads the sidebar using fetch and omits that header. This means requests to the sidebar JSON were stored.
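The following is an added example, not GitLab's code, that models the store-location decision described above with a small stand-in for the Rails request object. It shows the request.xhr? check behaving as intended for a jQuery-style XHR (which sends X-Requested-With) and failing for a fetch() request that omits the header, so the sidebar JSON URL becomes the post-sign-in redirect. The second predicate, which decides by the requested format instead, is an assumption for illustration and not GitLab's actual fix; in a real Rails controller the equivalent would be request.format.html?.

```ruby
# Added example (not GitLab's code): models the store_location before_action
# from the issue and shows why a check based on request.xhr? lets a
# fetch()-issued JSON request become the post-sign-in redirect target.

# Minimal stand-in for a Rails request: only the fields the predicate reads.
Request = Struct.new(:path, :format, :headers, keyword_init: true) do
  # Rails defines request.xhr? as "X-Requested-With header equals XMLHttpRequest".
  def xhr?
    headers["X-Requested-With"] == "XMLHttpRequest"
  end
end

# The predicate the issue describes: store the location unless the request is XHR.
def store_location_xhr_check?(req)
  !req.xhr?
end

# Hardened predicate (an assumption for this example, not GitLab's actual fix):
# only navigable HTML pages are sensible redirect targets, so decide by the
# requested format instead of a header that fetch() does not send by default.
def store_location_format_check?(req)
  req.format == :html
end

# Simulates the session: each stored location overwrites the previous one,
# and Devise redirects to the last stored value (or the root path if none).
def redirect_after_sign_in(requests, predicate)
  stored = nil
  requests.each { |req| stored = req.path if predicate.call(req) }
  stored || "/"
end

# Constructed issue path; any public issue would do.
ISSUE_PATH = "/group/project/-/issues/462"

# Constructed request sequence: the HTML page load, then the sidebar JSON
# request that the page's JavaScript fires afterwards.
def page_then_sidebar(sidebar_headers)
  [
    Request.new(path: ISSUE_PATH, format: :html, headers: {}),
    Request.new(path: "#{ISSUE_PATH}.json?serializer=sidebar_extras",
                format: :json, headers: sidebar_headers),
  ]
end

# Legacy jQuery-style XHR sets X-Requested-With; fetch() does not by default.
XHR_HEADERS   = { "X-Requested-With" => "XMLHttpRequest" }
FETCH_HEADERS = {}

if __FILE__ == $PROGRAM_NAME
  xhr_check    = method(:store_location_xhr_check?)
  format_check = method(:store_location_format_check?)
  puts "xhr? check, XHR sidebar:     #{redirect_after_sign_in(page_then_sidebar(XHR_HEADERS), xhr_check)}"
  puts "xhr? check, fetch sidebar:   #{redirect_after_sign_in(page_then_sidebar(FETCH_HEADERS), xhr_check)}"
  puts "format check, fetch sidebar: #{redirect_after_sign_in(page_then_sidebar(FETCH_HEADERS), format_check)}"
end
```

Run it with `ruby store_location.rb`: the first line prints the issue path, the second prints the `.json?serializer=sidebar_extras` URL (the bug), and the third prints the issue path again. The general point is that any "is this a page a human is looking at" decision should be keyed on what the request asks for (its format or Accept header) rather than on a client-supplied convenience header whose presence depends on which JavaScript API issued the request.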
Steps to reproduce
- Open an issue.
- Find the xxx.json?serializer=sidebar_extras request in the inspector and resend the request. (This makes sure the AJAX request finishes after the HTML request for the issue, so its session is the last one written to Redis.)
- Visit /users/sign_in.