Skip to content

Workaround for missing value from session

Alex Buijs requested to merge workaround-for-missing-value-in-session into master

What does this MR do and why?

We experienced several cases where users were redirected to the sign in page after registering a new account, instead of having to verify their identity (this feature is behind a feature flag and was turned off when we discovered this).

Here are 2 graphs from the logs during the time the feature flag was toggled on:

Total hits Redirects
Screenshot_2023-03-03_at_11.51.03 Screenshot_2023-03-03_at_11.49.03

Our theory is a race condition might happen from the moment a user is created and the moment the user is fetched on the redirected page. This could be the case when writing to the primary database and reading from the replica.

  1. User is created and it's ID is added to the session before redirecting: https://gitlab.com/gitlab-org/gitlab/blob/master/app/controllers/registrations_controller.rb#L137-138
  2. User's ID is read from the session in the before_action on the redirected page and used to fetch it from the database: https://gitlab.com/gitlab-org/gitlab/blob/master/ee/app/controllers/users/identity_verification_controller.rb#L92

If our theory is correct, this MR fixes the issue by sticking the request to the primary database after creating the user and before redirecting.

Issue: https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/248

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Alex Buijs

Merge request reports

Loading