Cancel background traffic before login/register so session cookie isn't clobbered

mvdbeek · mvdbeek · commit 4c095fc94089 · 2026-04-24T09:08:13.000+02:00
When handle_user_login invalidates the previous anonymous session and a
concurrent request using the old cookie is still in flight, the server
creates a *new* anonymous session for it and responds with a fresh
`Set-Cookie: galaxysession=&lt;anon&gt;`. If that response lands between the
login POST and the full-page navigation, the browser navigates with the
anonymous cookie and the new page loads logged out. Under the TEMP SSE
flag this happens often enough to trip `wait_for_logged_in` in selenium.

Fix: synchronously close all long-lived connections (SSE, polling
watchers) and rotate a shared axios AbortController before sending the
login/register POST. With no in-flight anonymous-cookie request, the
server can't emit the clobbering Set-Cookie, and the authenticated
cookie survives until navigation.
diff --git a/client/src/api/pendingRequests.ts b/client/src/api/pendingRequests.ts
@@ -0,0 +1,47 @@
+/**
+ * Shared ``AbortController`` for axios requests so we can cancel everything
+ * still in flight right before a login/register navigation.
+ *
+ * Why this exists: when the server processes a request that carries the old
+ * anonymous ``galaxysession`` cookie *after* ``handle_user_login`` has marked
+ * that session ``is_valid=False``, it creates a fresh anonymous session and
+ * responds with ``Set-Cookie: galaxysession=<new>``. Delivered into the cookie
+ * jar after the login response but before the new page loads, it overwrites
+ * the just-issued authenticated cookie — so the new page loads anonymous and
+ * ``wait_for_logged_in`` times out in selenium. Aborting the TCP connection
+ * before the response headers are parsed prevents that ``Set-Cookie`` from
+ * ever applying.
+ */
+import axios, { type InternalAxiosRequestConfig } from "axios";
+
+let activeController = new AbortController();
+
+/** Explicit opt-out header that the login/register POST itself sets. */
+export const SKIP_PENDING_REQUESTS_HEADER = "x-galaxy-skip-pending-abort";
+
+/**
+ * Install a request interceptor that attaches the shared signal to every
+ * outgoing axios request that didn't set one itself. Call once at app boot.
+ */
+export function installPendingRequestsInterceptor() {
+    axios.interceptors.request.use((config: InternalAxiosRequestConfig) => {
+        if (config.signal !== undefined) {
+            return config;
+        }
+        if (config.headers?.[SKIP_PENDING_REQUESTS_HEADER]) {
+            delete config.headers[SKIP_PENDING_REQUESTS_HEADER];
+            return config;
+        }
+        config.signal = activeController.signal;
+        return config;
+    });
+}
+
+/**
+ * Abort every axios request that is using the shared signal and install a
+ * fresh controller so subsequent requests can still go out.
+ */
+export function cancelPendingAxiosRequests() {
+    activeController.abort();
+    activeController = new AbortController();
+}
diff --git a/client/src/components/Login/LoginForm.vue b/client/src/components/Login/LoginForm.vue
@@ -15,6 +15,8 @@ import {
 import { computed, ref } from "vue";
 import { useRouter } from "vue-router/composables";
 
+import { SKIP_PENDING_REQUESTS_HEADER } from "@/api/pendingRequests";
+import { discardActiveConnectionsBeforeAuthNavigation } from "@/composables/useAuthNavigation";
 import localize from "@/utils/localization";
 import { withPrefix } from "@/utils/redirect";
 import { errorMessageAsString } from "@/utils/simple-error";
@@ -86,13 +88,22 @@ async function submitLogin() {
         redirect = props.redirect ?? null;
     }
 
+    // Close SSE, stop polling, and abort in-flight axios before sending the
+    // login POST — otherwise a late anonymous-cookie response can overwrite
+    // the authenticated cookie we're about to receive.
+    discardActiveConnectionsBeforeAuthNavigation();
+
     try {
-        const response = await axios.post(withPrefix("/user/login"), {
-            login: login.value,
-            password: password.value,
-            redirect: redirect,
-            session_csrf_token: props.sessionCsrfToken,
-        });
+        const response = await axios.post(
+            withPrefix("/user/login"),
+            {
+                login: login.value,
+                password: password.value,
+                redirect: redirect,
+                session_csrf_token: props.sessionCsrfToken,
+            },
+            { headers: { [SKIP_PENDING_REQUESTS_HEADER]: "1" } },
+        );
 
         if (response.data.message && response.data.status) {
             alert(response.data.message);
diff --git a/client/src/components/Register/RegisterForm.vue b/client/src/components/Register/RegisterForm.vue
@@ -14,8 +14,10 @@ import {
 } from "bootstrap-vue";
 import { computed, type Ref, ref } from "vue";
 
+import { SKIP_PENDING_REQUESTS_HEADER } from "@/api/pendingRequests";
 import { getOIDCIdpsWithRegistration, type OIDCConfig } from "@/components/User/ExternalIdentities/ExternalIDHelper";
 import { Toast } from "@/composables/toast";
+import { discardActiveConnectionsBeforeAuthNavigation } from "@/composables/useAuthNavigation";
 import localize from "@/utils/localization";
 import { withPrefix } from "@/utils/redirect";
 import { errorMessageAsString } from "@/utils/simple-error";
@@ -72,15 +74,24 @@ const registerColumnDisplay = computed(() => Boolean(props.termsUrl));
 async function submit() {
     disableCreate.value = true;
 
+    // Close SSE, stop polling, and abort in-flight axios before sending the
+    // register POST — otherwise a late anonymous-cookie response can overwrite
+    // the authenticated cookie we're about to receive.
+    discardActiveConnectionsBeforeAuthNavigation();
+
     try {
-        const response = await axios.post(withPrefix("/user/create"), {
-            email: email.value,
-            username: username.value,
-            password: password.value,
-            confirm: confirm.value,
-            subscribe: subscribe.value,
-            session_csrf_token: props.sessionCsrfToken,
-        });
+        const response = await axios.post(
+            withPrefix("/user/create"),
+            {
+                email: email.value,
+                username: username.value,
+                password: password.value,
+                confirm: confirm.value,
+                subscribe: subscribe.value,
+                session_csrf_token: props.sessionCsrfToken,
+            },
+            { headers: { [SKIP_PENDING_REQUESTS_HEADER]: "1" } },
+        );
 
         if (response.data.message && response.data.status) {
             Toast.info(response.data.message);
diff --git a/client/src/composables/useAuthNavigation.ts b/client/src/composables/useAuthNavigation.ts
@@ -0,0 +1,26 @@
+import { cancelPendingAxiosRequests } from "@/api/pendingRequests";
+import { useEntryPointStore } from "@/stores/entryPointStore";
+import { useHistoryStore } from "@/stores/historyStore";
+import { useNotificationsStore } from "@/stores/notificationsStore";
+
+/**
+ * Tear down every long-lived connection and cancel every in-flight axios
+ * request so that nothing issued under the old anonymous ``galaxysession``
+ * cookie can land on the server after ``handle_user_login`` has invalidated
+ * it. See ``client/src/api/pendingRequests.ts`` for the race this guards
+ * against.
+ *
+ * Call this synchronously as the first step of a login or registration
+ * submit, before the authenticating POST goes out. The shared abort
+ * controller is rotated, so the login/register POST (issued right after)
+ * will use a fresh signal and is not affected.
+ */
+export function discardActiveConnectionsBeforeAuthNavigation() {
+    // Order: close SSE streams first (synchronous TCP close), then stop the
+    // polling watchers so they can't kick off new fetches, then abort any
+    // axios requests still in flight.
+    useHistoryStore().stopWatchingHistory();
+    useEntryPointStore().stopWatchingEntryPoints();
+    useNotificationsStore().stopWatchingNotifications();
+    cancelPendingAxiosRequests();
+}
diff --git a/client/src/entry/analysis/index.ts b/client/src/entry/analysis/index.ts
@@ -2,6 +2,7 @@
 import { createPinia, PiniaVuePlugin } from "pinia";
 import Vue from "vue";
 
+import { installPendingRequestsInterceptor } from "@/api/pendingRequests";
 import { initGalaxyInstance } from "@/app";
 import { initSentry } from "@/app/addons/sentry";
 import { initWebhooks } from "@/app/addons/webhooks";
@@ -13,6 +14,12 @@ import App from "./App.vue";
 Vue.use(PiniaVuePlugin);
 const pinia = createPinia();
 
+// Attach the shared AbortController signal to every outgoing axios request
+// so we can cancel in-flight anonymous-cookie requests before login/register
+// navigates — otherwise their late ``Set-Cookie: galaxysession=<anon>`` can
+// clobber the authenticated cookie.
+installPendingRequestsInterceptor();
+
 window.addEventListener("load", async () => {
     // Create Galaxy object
     const Galaxy = await initGalaxyInstance();
diff --git a/client/src/stores/entryPointStore.ts b/client/src/stores/entryPointStore.ts
@@ -43,7 +43,13 @@ export const useEntryPointStore = defineStore("entryPointStore", () => {
     function handleEntryPointSSEEvent(_event: MessageEvent) {
         fetchEntryPoints().catch((err) => console.error("Error refreshing entry points from SSE push:", err));
     }
-    const { connect: sseConnect, connected: sseConnected } = useSSE(handleEntryPointSSEEvent, ["entry_point_update"]);
+    const {
+        connect: sseConnect,
+        disconnect: sseDisconnect,
+        connected: sseConnected,
+    } = useSSE(handleEntryPointSSEEvent, ["entry_point_update"]);
+    let stopPolling: (() => void) | null = null;
+    let stopConnectedWatcher: (() => void) | null = null;
 
     let watchingInitialized = false;
 
@@ -65,18 +71,19 @@ export const useEntryPointStore = defineStore("entryPointStore", () => {
                 // navigated away and missed events" window.
                 fetchEntryPoints().catch((err) => console.warn("Initial entry-point load failed", err));
                 sseConnect();
-                watch(sseConnected, (isConnected, wasConnected) => {
+                stopConnectedWatcher = watch(sseConnected, (isConnected, wasConnected) => {
                     if (isConnected && !wasConnected) {
                         fetchEntryPoints().catch((err) =>
                             console.error("Error refreshing entry points on SSE reconnect:", err),
                         );
                     }
                 });
             } else {
-                const { startWatchingResource } = useResourceWatcher(fetchEntryPoints, {
+                const { startWatchingResource, stopWatchingResource } = useResourceWatcher(fetchEntryPoints, {
                     shortPollingInterval: ACTIVE_POLLING_INTERVAL,
                     enableBackgroundPolling: false,
                 });
+                stopPolling = stopWatchingResource;
                 startWatchingResource();
             }
         };
@@ -139,6 +146,22 @@ export const useEntryPointStore = defineStore("entryPointStore", () => {
         }
     }
 
+    // Closes the SSE stream and stops the polling watcher; paired with login
+    // /register flows so background traffic doesn't outlive the navigation
+    // and clobber the freshly authenticated session cookie.
+    function stopWatchingEntryPoints() {
+        sseDisconnect();
+        if (stopPolling) {
+            stopPolling();
+            stopPolling = null;
+        }
+        if (stopConnectedWatcher) {
+            stopConnectedWatcher();
+            stopConnectedWatcher = null;
+        }
+        watchingInitialized = false;
+    }
+
     return {
         entryPoints,
         entryPointsForJob,
@@ -147,5 +170,6 @@ export const useEntryPointStore = defineStore("entryPointStore", () => {
         updateEntryPoints,
         removeEntryPoint,
         startWatchingEntryPoints,
+        stopWatchingEntryPoints,
     };
 });
diff --git a/client/src/stores/historyStore.ts b/client/src/stores/historyStore.ts
@@ -397,7 +397,12 @@ export const useHistoryStore = defineStore("historyStore", () => {
     // SSE-driven history updates: when we receive a history_update event,
     // immediately trigger a refresh of the current history
     const SSE_HISTORY_EVENT_TYPES = ["history_update"] as const;
-    const { connect: sseHistoryConnect } = useSSE(handleHistorySSEEvent, SSE_HISTORY_EVENT_TYPES);
+    const { connect: sseHistoryConnect, disconnect: sseHistoryDisconnect } = useSSE(
+        handleHistorySSEEvent,
+        SSE_HISTORY_EVENT_TYPES,
+    );
+    let stopHistoryPolling: (() => void) | null = null;
+    let stopIsWatchingWatcher: (() => void) | null = null;
 
     function handleHistorySSEEvent(event: MessageEvent) {
         try {
@@ -448,11 +453,17 @@ export const useHistoryStore = defineStore("historyStore", () => {
                 // The resource watcher fires its handler once immediately and
                 // then re-schedules on the polling interval, which covers the
                 // initial load as well as ongoing updates.
-                const { startWatchingResource, isWatchingResource } = useResourceWatcher(watchHistory, {
-                    shortPollingInterval: ACTIVE_POLLING_INTERVAL,
-                    longPollingInterval: INACTIVE_POLLING_INTERVAL,
+                const { startWatchingResource, stopWatchingResource, isWatchingResource } = useResourceWatcher(
+                    watchHistory,
+                    {
+                        shortPollingInterval: ACTIVE_POLLING_INTERVAL,
+                        longPollingInterval: INACTIVE_POLLING_INTERVAL,
+                    },
+                );
+                stopHistoryPolling = stopWatchingResource;
+                stopIsWatchingWatcher = watch(isWatchingResource, (v) => (isWatchingHistory.value = v), {
+                    immediate: true,
                 });
-                watch(isWatchingResource, (v) => (isWatchingHistory.value = v), { immediate: true });
                 startWatchingResource();
             }
         };
@@ -569,6 +580,23 @@ export const useHistoryStore = defineStore("historyStore", () => {
         return contentStats;
     }
 
+    // Closes SSE and stops polling so the watcher can't emit a trailing
+    // anonymous-cookie request that would overwrite the authenticated
+    // ``galaxysession`` cookie set by the login/register response.
+    function stopWatchingHistory() {
+        sseHistoryDisconnect();
+        if (stopHistoryPolling) {
+            stopHistoryPolling();
+            stopHistoryPolling = null;
+        }
+        if (stopIsWatchingWatcher) {
+            stopIsWatchingWatcher();
+            stopIsWatchingWatcher = null;
+        }
+        isWatchingHistory.value = false;
+        watchingInitialized = false;
+    }
+
     return {
         histories,
         changingCurrentHistory,
@@ -598,6 +626,7 @@ export const useHistoryStore = defineStore("historyStore", () => {
         restoreHistories,
         handleTotalCountChange,
         startWatchingHistory: startWatchingHistoryWithSSE,
+        stopWatchingHistory,
         isWatchingHistory,
         loadCurrentHistory,
         loadCurrentHistoryId,
diff --git a/client/src/stores/notificationsStore.ts b/client/src/stores/notificationsStore.ts
@@ -27,7 +27,8 @@ export const useNotificationsStore = defineStore("notificationsStore", () => {
 
     // --- SSE setup (listen only for notification event types) ---
     const NOTIFICATION_EVENT_TYPES = ["notification_update", "broadcast_update", "notification_status"] as const;
-    const { connect: sseConnect } = useSSE(handleSSEEvent, NOTIFICATION_EVENT_TYPES);
+    const { connect: sseConnect, disconnect: sseDisconnect } = useSSE(handleSSEEvent, NOTIFICATION_EVENT_TYPES);
+    let stopPolling: (() => void) | null = null;
 
     function handleSSEEvent(event: MessageEvent) {
         try {
@@ -132,10 +133,14 @@ export const useNotificationsStore = defineStore("notificationsStore", () => {
             if (configStore.config?.enable_notification_system) {
                 sseConnect();
             } else {
-                const { startWatchingResource: startPolling } = useResourceWatcher(getNotificationStatus, {
-                    shortPollingInterval: ACTIVE_POLLING_INTERVAL,
-                    longPollingInterval: INACTIVE_POLLING_INTERVAL,
-                });
+                const { startWatchingResource: startPolling, stopWatchingResource } = useResourceWatcher(
+                    getNotificationStatus,
+                    {
+                        shortPollingInterval: ACTIVE_POLLING_INTERVAL,
+                        longPollingInterval: INACTIVE_POLLING_INTERVAL,
+                    },
+                );
+                stopPolling = stopWatchingResource;
                 startPolling();
             }
         };
@@ -201,6 +206,19 @@ export const useNotificationsStore = defineStore("notificationsStore", () => {
         totalUnreadCount.value = notifications.value.filter((n) => !n.seen_time).length;
     }
 
+    // Closes the SSE stream and stops the polling watcher so nothing running
+    // in the background can outlive a full-page navigation (login/register).
+    // A late-arriving response from an anonymous-cookie request would otherwise
+    // overwrite the just-issued authenticated ``galaxysession`` cookie.
+    function stopWatchingNotifications() {
+        sseDisconnect();
+        if (stopPolling) {
+            stopPolling();
+            stopPolling = null;
+        }
+        watchingInitialized = false;
+    }
+
     return {
         notifications,
         totalUnreadCount,
@@ -209,5 +227,6 @@ export const useNotificationsStore = defineStore("notificationsStore", () => {
         updateNotification,
         updateBatchNotification,
         startWatchingNotifications,
+        stopWatchingNotifications,
     };
 });
