Rocket.Chat Android apps are forcefully logged out after making CSS changes

[chotaire]

Description:

In Rocket.Chat 6.0.0, when making any change under Workspace -> Settings -> Layout -> Custom CSS, it seems that all users are logged out of their Rocket.Chat Android app sessions when they open the app thereafter.

Steps to reproduce:

1. Make any change under Workspace -> Settings -> Layout -> Custom CSS
2. Open Rocket.Chat app on Android
3. Verify you are being logged out

Expected behavior:

Phone app users shouldn't be logged out, as CSS changes do not have any effect on the phone app at all. Instead, web browser sessions should be forcefully hard-reloaded, the same way it happens when updating Rocket.Chat (dockerized) to a newer version.

Actual behavior:

Phone app users are logged out after every change made to CSS. If a user is using multiple phones, they'll all be logged out. I did not receive any similar reports from iOS users.

Server Setup Information:

• Version of Rocket.Chat Server: 6.0.0
• Operating System: Linux
• Deployment Method: Docker
• Number of Running Instances: 1
• DB Replicaset Oplog: Enabled
• NodeJS Version: v14.21.2
• MongoDB Version: 5.0.15 / wiredTiger

Client Setup Information

• Desktop App or Browser Version: Rocket.Chat Android App v4.36.0.38053
• Operating System: Android 13

[bulkinav]

I confirm this issue in Rocket Chat 5.x and it happens in the iOS app too.

[dudanogueira]

Ooopsi. This is doesn't seem like a React App issue, sorry!

Moving it back to main repo :)

[bulkinav]

In fact, this problem occurs when you need to enter TOTP code when your making changes in Settings. After that, there is a logout from all other devices.

[david-uhlig]

In fact, this problem occurs when you need to enter TOTP code when your making changes in Settings. After that, there is a logout from all other devices.

Can confirm this. Still happens on 6.5.0

[bulkinav]

@sampaiodiego please review this issue, because it is very intrusive and brings a lot of inconvenience. I mentioned you because I don't know who can tackle this problem from Rocket team.

[chotaire]

I've no longer received reports of other (non-admin) users being logged out. Can someone confirm that any users other than yourself are being logged after making changes to CSS (or as @bulkinav mentioned, when doing any change in Settings that requires a TOTP verification)? Actually, I might have to rename this issue and alter its entire description if it's the same code throughout Settings which is causing the logout.

[sampaiodiego]

alright, this is very weird but I've confirmed it definitely happens.. just to confirm, are you guys using 2FA via email or TOTP?

[david-uhlig]

@sampaiodiego happens to me without 2FA. I change some admin setting, have to enter my password to confirm and get logged out afterward on the Android app and other web browser sessions. I'm not immediately logged out of the current web session though.

[chotaire]

Same here, it's just asking for the user password.

[sampaiodiego]

alright, I've found the issue.. it goes back to version 5.4.3 .. I'm still trying to understand the reasoning behind the change that introduced the issue.. I'll get back when have something else to share

[sampaiodiego]

JFYI the fix has been published in 6.5.3 release

[chotaire]

Just to confirm that this is normal, after updating the docker version of Rocket.Chat, the web ui will no longer force-reload. Is this intended behavior?

[sampaiodiego]

@chotaire there is a random delay now.. this was done to help hammering the backend with all clients reloading at the same time..

[chotaire]

Thanks to the team for addressing all this.

[paulchen]

Just to confirm that this is normal, after updating the docker version of Rocket.Chat, the web ui will no longer force-reload. Is this intended behavior?

To my knowledge, this was already introduced some time ago in #30858.