The access JWT lives only 10 minutes, so the SPA constantly refreshes it via the single-use, rotation-on-use refresh cookie. The only concurrency guard was the Web Locks API, which exists exclusively in secure contexts. On insecure HTTP deployments there is no coordination, so triggers that fire close together (initial load, proactive timer, focus handler, 401 interceptor) each POST with the SAME cookie before the rotated Set-Cookie lands. One rotates successfully, the other matches 0 rows and gets a 401, and the loser bounces the user to /login even though the rotation actually succeeded. A: add a module-level in-flight promise in refreshToken() so concurrent calls in the same tab share one underlying refresh, in every context (HTTP included), independent of navigator.locks. The existing Web Locks usage stays as the secondary cross-tab layer for secure contexts. D: retry the refresh exactly once before treating a failure as a real logout. After a lost race the browser cookie is already the rotated valid one, so a fresh second attempt succeeds; only if both fail do we log out. Implemented DRY via refreshTokenWithRetry() used by renewToken() and the expired-JWT path in checkAuth(). The happy path (single tab, secure context, no race) is unchanged. Fixes #2863 |
||
|---|---|---|
| .claude | ||
| .github | ||
| .vscode | ||
| .zed | ||
| build | ||
| contrib | ||
| desktop | ||
| examples/plugins/example | ||
| frontend | ||
| pkg | ||
| rest | ||
| veans | ||
| .devcontainer.json | ||
| .dockerignore | ||
| .editorconfig | ||
| .envrc | ||
| .gitignore | ||
| .golangci.yml | ||
| .opensourcefinder-verify | ||
| AGENTS.md | ||
| CHANGELOG.md | ||
| CLAUDE.md | ||
| CONTRIBUTING.md | ||
| Dockerfile | ||
| LICENSE | ||
| README.md | ||
| cliff.toml | ||
| code-header-template.txt | ||
| conductor.json | ||
| config-raw.json | ||
| crowdin.yml | ||
| devenv.lock | ||
| devenv.nix | ||
| devenv.yaml | ||
| go.mod | ||
| go.sum | ||
| magefile.go | ||
| main.go | ||
| mise.toml | ||
| nfpm.yaml | ||
| publiccode.yml | ||
| renovate.json | ||
| tsconfig.json | ||
| vikunja.initd | ||
| vikunja.service | ||
README.md
Vikunja
The Todo-app to organize your life.
If Vikunja is useful to you, please consider buying me a coffee, sponsoring me on GitHub or buying a sticker pack. I'm also offering a hosted version of Vikunja if you want a hassle-free solution for yourself or your team.
Table of contents
Security Reports
If you find any security-related issues you don't want to disclose publicly, please use the contact information on our website.
Features
See the features page on our website for a more exhaustive list or try it on try.vikunja.io!
Docs
All docs can be found on the Vikunja home page.
Roadmap
See the roadmap (hosted on Vikunja!) for more!
Contributing
Please check out the contribution guidelines on the website.
License
Most of this repository is licensed under AGPL‑3.0‑or‑later.
The contents of desktop/ are licensed under
GPL‑3.0‑or‑later.
Unsplash Images
Background images from Unsplash are distributed under the Unsplash License. The license requires giving credit to the photographer and Unsplash. See Unsplash’s terms for more information.