"GOT", but the "O" is a cute, smiling pufferfish. Index | Thread | Search

From:
"Omar Polo" <op@omarpolo.com>
Subject:
Re: gotwebd: refresh site to "redirect" after login
To:
Stefan Sperling <stsp@stsp.name>
Cc:
Johannes Thyssen Tishman <johannes@thyssentishman.com>, gameoftrees@openbsd.org
Date:
Fri, 19 Jun 2026 00:28:45 +0200

Download raw body.

Thread
Stefan Sperling <stsp@stsp.name> wrote:
> On Thu, Jun 18, 2026 at 02:49:27PM +0000, Johannes Thyssen Tishman wrote:
> > While testing a mobile app I'm writing to improve GotHub's user
> > experience on phones, stsp and gonzalo noticed that some browsers
> > (Fennec and Vanadium, Firefox and Chromium based browsers, respectively)
> > were not redirecting to the site index after authentication. This was
> > reproduced by launching the browser with the authentication URL
> > programmatically (using dart's url_launcher library[0]), as well as by
> > using "Open with" from the context menu in Termux when selecting the
> > authentication URL.
> > 
> > The issue is discussed in this[1] StackOverflow thread, which suggests
> > the workaround implemented by the diff below. Essentially, instead of
> > redirecting using a HTTP 307 'Temporary Redirect' response, reply with
> > 200 OK and perform a client-side "redirection" using an HTML 'meta
> > http-equiv="refresh"' tag.
> > 
> > For the record, the alternative workaround suggested in the same thread,
> > setting SameSite to 'Lax' instead of 'Strict', works as well. However,
> > after discussing it on IRC #gothub, the client-side "redirection" was
> > preferred.
> > 
> > One downside of using this workaround is that the fallback link is
> > briefly visible as the page is refreshed. We could remove this, causing
> > only a blank page to be briefly shown, but this might confuse users of
> > browsers which do not refresh the page automatically (e.g. text-based
> > browsers like w3m).
> > 
> > [0] https://pub.dev/packages/url_launcher
> > [1] https://stackoverflow.com/questions/4694089/sending-browser-cookies-during-a-302-redirect
> > 
> > M  gotwebd/auth.c      |   4+  4-
> > M  gotwebd/gotwebd.h   |   1+  0-
> > M  gotwebd/pages.tmpl  |  18+  0-
> > 
> > 3 files changed, 23 insertions(+), 4 deletions(-)
> 
> I think this change is good, ok by me. And thanks for working this out!

ok op@ as well.  sorry for not being responsive on this matter.

> The only thing which comes to mind is that we should perhaps use our
> own gotweb.css in the temporary redirect page rather than unstyled HTML.
> But that might be overkill for a page only a small subset of browsers
> will ever be displaying long enough for anyone to look at.

just for a single text line seems a bit overkill, also because it's
likely that the redirect will be quicker than the request for the CSS
file (unless it was cached.)

no objections though if you want to add it!

> > commit - 69ac886cd64b82483fbb0e3114eb447f1d2ff9e0
> > commit + 13cf335092172a3ae3c8ab7bce7d083abeb98fad
> > blob - 9ce13d25fe65a225dbd3f2f1a8a98f4acd96fbd2
> > blob + 963e7c22de79dcb2c2d60c45c45f44c369cc5444
> > --- gotwebd/auth.c
> > +++ gotwebd/auth.c
> > @@ -291,7 +291,6 @@ do_login(struct request *c)
> >  	char *token = NULL;
> >  	const char *identifier = NULL;
> >  	const time_t validity = 24 * 60 * 60; /* 1 day */
> > -	struct gotweb_url url;
> >  	struct gotwebd_repo *repo;
> >  
> >  	int r;
> > @@ -398,9 +397,10 @@ logged_in:
> >  		goto err;
> >  	}
> >  
> > -	memset(&url, 0, sizeof(url));
> > -	url.action = INDEX;
> > -	gotweb_reply(c, 307, "text/html", &url);
> > +	if (gotweb_reply(c, 200, "text/html", NULL) == -1)
> > +		return;
> > +	gotweb_render_fake_redirect(c->tp);
> > +
> >  	return;
> >  
> >  err:
> > blob - ec9668b156a1cadb11e21ae4905edc9752a45453
> > blob + fb2666bc8da4753a650628be81212330d0379ef6
> > --- gotwebd/gotwebd.h
> > +++ gotwebd/gotwebd.h
> > @@ -667,6 +667,7 @@ int	gotweb_render_blame(struct template *);
> >  int	gotweb_render_patch(struct template *);
> >  int	gotweb_render_rss(struct template *);
> >  int	gotweb_render_unauthorized(struct template *);
> > +int	gotweb_render_fake_redirect(struct template *);
> >  
> >  /* parse.y */
> >  struct gotwebd_repo * gotwebd_new_repo(const char *);
> > blob - 892402a866c859317430fd61139d234250479f7d
> > blob + 46d63f952fe699261e1b986996d1a61cb516e1f5
> > --- gotwebd/pages.tmpl
> > +++ gotwebd/pages.tmpl
> > @@ -1468,3 +1468,21 @@ date: {{ datebuf }} {{ " UTC" }} {{ "\n" }}
> >  {{ define gotweb_render_unauthorized(struct template *tp) }}
> >  <p>Wrong or missing authentication code</p>
> >  {{ end }}
> > +
> > +{{ define gotweb_render_fake_redirect(struct template *tp) }}
> > +{!
> > +	struct gotweb_url url;
> > +	memset(&url, 0, sizeof(url));
> > +	url.action = INDEX;
> > +!}
> > +<html>
> > +<head>
> > +  <meta http-equiv="refresh" content="0;url={{ render gotweb_render_url(tp->tp_arg, &url) }}">
> > +</head>
> > +<body>
> > +<p>
> > +  Please <a href="{{ render gotweb_render_url(tp->tp_arg, &url) }}">click here</a>
> > +  {{ " " }} if the page does not redirect automatically.
> > +</body>
> > +</html>
> > +{{ end }}
> > 
> >