Workaround for missing value from session
What does this MR do and why?
We experienced several cases where users were redirected to the sign in page after registering a new account, instead of having to verify their identity (this feature is behind a feature flag and was turned off when we discovered this).
Here are 2 graphs from the logs during the time the feature flag was toggled on:
[Graphs not shown: Total hits; Redirects]
Our theory is that a race condition might happen between the moment a user is created and the moment the user is fetched on the redirected page. This could be the case when writing to the primary database and reading from the replica.
- User is created and its ID is added to the session before redirecting: https://gitlab.com/gitlab-org/gitlab/blob/master/app/controllers/registrations_controller.rb#L137-138
- User's ID is read from the session in the `before_action` on the redirected page and used to fetch it from the database: https://gitlab.com/gitlab-org/gitlab/blob/master/ee/app/controllers/users/identity_verification_controller.rb#L92
If our theory is correct, this MR fixes the issue by sticking the request to the primary database after creating the user and before redirecting.
Issue: https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/248
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
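
Added example (not part of the MR and not GitLab's code): a small Ruby simulation of the suspected race, where the user row is written to the primary, the ID is stored in the session, and the redirected page's lookup reads a replica that has not yet applied the write. All class, method and session-key names are hypothetical, and the sample user is constructed.

```ruby
# Constructed simulation, not GitLab code; every name here is hypothetical.
class Primary
  attr_reader :log

  def initialize
    @rows = {}
    @log = [] # writes the replica has not necessarily applied yet
  end

  def insert(id, attrs)
    @rows[id] = attrs
    @log << [id, attrs]
  end

  def find(id)
    @rows[id]
  end
end

class Replica
  def initialize(primary)
    @primary = primary
    @rows = {}
  end

  # Replay the primary's log; until this runs, reads here are stale.
  def catch_up!
    @primary.log.each { |id, attrs| @rows[id] = attrs }
  end

  def find(id)
    @rows[id]
  end
end

# Registration, then the before_action lookup on the redirected page.
def register_then_verify(stick:, replica_caught_up:)
  primary = Primary.new
  replica = Replica.new(primary)
  session = {}
  primary.insert(1, { email: "new@example.test" }) # user row written to primary
  session[:user_id] = 1                             # ID stored before redirect
  session[:stick_to_primary] = true if stick        # the fix the MR describes
  replica.catch_up! if replica_caught_up
  db = session[:stick_to_primary] ? primary : replica # read routing
  db.find(session[:user_id]) ? :identity_verification : :redirect_to_sign_in
end
```

Only the combination of no sticking and a lagging replica produces the sign-in redirect, which matches the intermittent nature of the reports.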