"GOT", but the "O" is a cute, smiling pufferfish. Index | Thread | Search

From:
Stefan Sperling <stsp@stsp.name>
Subject:
Re: gotwebd: refresh site to "redirect" after login
To:
Johannes Thyssen Tishman <johannes@thyssentishman.com>, gameoftrees@openbsd.org
Date:
Thu, 18 Jun 2026 20:00:26 +0200

Download raw body.

Thread 
On Thu, Jun 18, 2026 at 02:49:27PM +0000, Johannes Thyssen Tishman wrote:
> While testing a mobile app I'm writing to improve GotHub's user
> experience on phones, stsp and gonzalo noticed that some browsers
> (Fennec and Vanadium, Firefox and Chromium based browsers, respectively)
> were not redirecting to the site index after authentication. This was
> reproduced by launching the browser with the authentication URL
> programmatically (using dart's url_launcher library[0]), as well as by
> using "Open with" from the context menu in Termux when selecting the
> authentication URL.
> 
> The issue is discussed in this[1] StackOverflow thread, which suggests
> the workaround implemented by the diff below. Essentially, instead of
> redirecting using a HTTP 307 'Temporary Redirect' response, reply with
> 200 OK and perform a client-side "redirection" using an HTML 'meta
> http-equiv="refresh"' tag.
> 
> For the record, the alternative workaround suggested in the same thread,
> setting SameSite to 'Lax' instead of 'Strict', works as well. However,
> after discussing it on IRC #gothub, the client-side "redirection" was
> preferred.
> 
> One downside of using this workaround is that the fallback link is
> briefly visible as the page is refreshed. We could remove this, causing
> only a blank page to be briefly shown, but this might confuse users of
> browsers which do not refresh the page automatically (e.g. text-based
> browsers like w3m).
> 
> [0] https://pub.dev/packages/url_launcher
> [1] https://stackoverflow.com/questions/4694089/sending-browser-cookies-during-a-302-redirect
> 
> M  gotwebd/auth.c      |   4+  4-
> M  gotwebd/gotwebd.h   |   1+  0-
> M  gotwebd/pages.tmpl  |  18+  0-
> 
> 3 files changed, 23 insertions(+), 4 deletions(-)

I think this change is good, ok by me. And thanks for working this out!

The only thing which comes to mind is that we should perhaps use our
own gotweb.css in the temporary redirect page rather than unstyled HTML.
But that might be overkill for a page only a small subset of browsers
will ever be displaying long enough for anyone to look at.

> commit - 69ac886cd64b82483fbb0e3114eb447f1d2ff9e0
> commit + 13cf335092172a3ae3c8ab7bce7d083abeb98fad
> blob - 9ce13d25fe65a225dbd3f2f1a8a98f4acd96fbd2
> blob + 963e7c22de79dcb2c2d60c45c45f44c369cc5444
> --- gotwebd/auth.c
> +++ gotwebd/auth.c
> @@ -291,7 +291,6 @@ do_login(struct request *c)
>  	char *token = NULL;
>  	const char *identifier = NULL;
>  	const time_t validity = 24 * 60 * 60; /* 1 day */
> -	struct gotweb_url url;
>  	struct gotwebd_repo *repo;
>  
>  	int r;
> @@ -398,9 +397,10 @@ logged_in:
>  		goto err;
>  	}
>  
> -	memset(&url, 0, sizeof(url));
> -	url.action = INDEX;
> -	gotweb_reply(c, 307, "text/html", &url);
> +	if (gotweb_reply(c, 200, "text/html", NULL) == -1)
> +		return;
> +	gotweb_render_fake_redirect(c->tp);
> +
>  	return;
>  
>  err:
> blob - ec9668b156a1cadb11e21ae4905edc9752a45453
> blob + fb2666bc8da4753a650628be81212330d0379ef6
> --- gotwebd/gotwebd.h
> +++ gotwebd/gotwebd.h
> @@ -667,6 +667,7 @@ int	gotweb_render_blame(struct template *);
>  int	gotweb_render_patch(struct template *);
>  int	gotweb_render_rss(struct template *);
>  int	gotweb_render_unauthorized(struct template *);
> +int	gotweb_render_fake_redirect(struct template *);
>  
>  /* parse.y */
>  struct gotwebd_repo * gotwebd_new_repo(const char *);
> blob - 892402a866c859317430fd61139d234250479f7d
> blob + 46d63f952fe699261e1b986996d1a61cb516e1f5
> --- gotwebd/pages.tmpl
> +++ gotwebd/pages.tmpl
> @@ -1468,3 +1468,21 @@ date: {{ datebuf }} {{ " UTC" }} {{ "\n" }}
>  {{ define gotweb_render_unauthorized(struct template *tp) }}
>  <p>Wrong or missing authentication code</p>
>  {{ end }}
> +
> +{{ define gotweb_render_fake_redirect(struct template *tp) }}
> +{!
> +	struct gotweb_url url;
> +	memset(&url, 0, sizeof(url));
> +	url.action = INDEX;
> +!}
> +<html>
> +<head>
> +  <meta http-equiv="refresh" content="0;url={{ render gotweb_render_url(tp->tp_arg, &url) }}">
> +</head>
> +<body>
> +<p>
> +  Please <a href="{{ render gotweb_render_url(tp->tp_arg, &url) }}">click here</a>
> +  {{ " " }} if the page does not redirect automatically.
> +</body>
> +</html>
> +{{ end }}
> 
>