GitLab Pages with only project member visibility return 401 Unauthorized

Summary

We create a GitLab Page with "Only Project Member" visibility. Some users who browse this page may occasionally get a 401 Unauthorized error. However, these users have already logged in to their GitLab account on gitlab.com.

Steps to reproduce

  1. Log in to gitlab.com.
  2. Create a project and enable a GitLab page with only project member visibility.
  3. Open this GitLab page website in a browser, then open another two tabs/windows with the same website.
  4. Wait for 10 minutes and let the gitlab-pages cookie disappear automatically.
  5. Reload one window to trigger automatic reauthorization through GitLab OAuth, then immediately reload another window. One or two of the websites may return a 401 Unauthorized error.

Example Project

You may create any one

What is the current bug behavior?

We guess that only one OAuth authorization code exists for a user on an OAuth client at the same time. Because it takes several seconds to finish the OAuth authorization flow between endpoints, if a user starts a new flow before an old flow has finished, it would cause a 401 error.

What is the expected correct behavior?

Get a 200 OK result with the same actions.

Relevant logs and/or screenshots

[Screenshot, 2021-10-07, 1:10:41 PM]

[Screenshot, 2021-10-07, 1:28:34 PM]

Output of checks

This bug happens on GitLab.com

Results of GitLab environment info


(For installations with omnibus-gitlab package run and paste the output of:
`sudo gitlab-rake gitlab:env:info`)

(For installations from source run and paste the output of:
`sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production`)

Results of GitLab application Check


(For installations with omnibus-gitlab package run and paste the output of:
`sudo gitlab-rake gitlab:check SANITIZE=true`)

(For installations from source run and paste the output of:
`sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true`)

(we will only investigate if the tests are passing)

Possible fixes
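
Added example (not part of the original report, and not GitLab or gitlab-pages code): a toy model of the race guessed at under "What is the current bug behavior?", where issuing a new authorization code invalidates the outstanding one for the same user and client. `AuthServer`, `reload_tabs`, the `single_slot` switch and the sample user/client names are hypothetical; the model only shows what the guess would imply, it does not confirm how GitLab behaves.

```python
import secrets


class AuthServer:
    """Toy OAuth authorization server (hypothetical model, not GitLab code)."""

    def __init__(self, single_slot):
        self.single_slot = single_slot  # True: one outstanding code per (user, client)
        self.pending = {}               # code -> (user, client)

    def authorize(self, user, client):
        if self.single_slot:
            # Assumed behaviour from the report: a new code replaces any
            # outstanding code for the same (user, client) pair.
            self.pending = {c: v for c, v in self.pending.items()
                            if v != (user, client)}
        code = secrets.token_urlsafe(16)
        self.pending[code] = (user, client)
        return code

    def exchange(self, code, client):
        # Codes are single-use; unknown, replaced or mismatched codes get 401.
        owner = self.pending.pop(code, None)
        if owner is None or owner[1] != client:
            return 401
        return 200


def reload_tabs(server, interleaved):
    """Two tabs of one user re-authorize after the Pages cookie has expired."""
    user, client = "alice", "pages-client"       # constructed sample values
    if interleaved:
        code_a = server.authorize(user, client)  # tab A is redirected to authorize
        code_b = server.authorize(user, client)  # tab B starts before A finishes
        return [server.exchange(code_a, client),
                server.exchange(code_b, client)]
    # Sequential case: each flow completes before the next one starts.
    return [server.exchange(server.authorize(user, client), client)
            for _ in range(2)]


if __name__ == "__main__":
    print("single slot, interleaved:", reload_tabs(AuthServer(True), True))
    print("single slot, sequential: ", reload_tabs(AuthServer(True), False))
    print("per-flow codes, interleaved:", reload_tabs(AuthServer(False), True))
```

In this model only the interleaved reload against the single-slot server fails, which matches the timing dependence in the steps to reproduce; keeping one pending code per flow removes the failure.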