From: Johannes Thyssen Tishman
Subject: gotwebd: refresh site to "redirect" after login
To: gameoftrees@openbsd.org
Date: Thu, 18 Jun 2026 14:49:27 +0000

While testing a mobile app I'm writing to improve GotHub's user experience on phones, stsp and gonzalo noticed that some browsers (Fennec and Vanadium, Firefox- and Chromium-based browsers, respectively) were not redirecting to the site index after authentication. This was reproduced by launching the browser with the authentication URL programmatically (using Dart's url_launcher library[0]), as well as by using "Open with" from the context menu in Termux when selecting the authentication URL.

The issue is discussed in this[1] Stack Overflow thread, which suggests the workaround implemented by the diff below. Essentially, instead of redirecting using an HTTP 307 'Temporary Redirect' response, reply with 200 OK and perform a client-side "redirection" using an HTML 'meta http-equiv="refresh"' tag.

For the record, the alternative workaround suggested in the same thread, setting SameSite to 'Lax' instead of 'Strict', works as well. However, after discussing it on IRC #gothub, the client-side "redirection" was preferred.

One downside of using this workaround is that the fallback link is briefly visible as the page is refreshed. We could remove this, causing only a blank page to be briefly shown, but this might confuse users of browsers which do not refresh the page automatically (e.g. text-based browsers like w3m).

[0] https://pub.dev/packages/url_launcher
[1] https://stackoverflow.com/questions/4694089/sending-browser-cookies-during-a-302-redirect

M gotwebd/auth.c | 4+ 4-
M gotwebd/gotwebd.h | 1+ 0-
M gotwebd/pages.tmpl | 18+ 0-
3 files changed, 23 insertions(+), 4 deletions(-)

commit - 69ac886cd64b82483fbb0e3114eb447f1d2ff9e0 commit + 13cf335092172a3ae3c8ab7bce7d083abeb98fad blob - 9ce13d25fe65a225dbd3f2f1a8a98f4acd96fbd2 blob + 963e7c22de79dcb2c2d60c45c45f44c369cc5444 --- gotwebd/auth.c +++ gotwebd/auth.c 
@@ -291,7 +291,6 @@ do_login(struct request *c) char *token = NULL; const char *identifier = NULL; const time_t validity = 24 * 60 * 60; /* 1 day */ - struct gotweb_url url; struct gotwebd_repo *repo; int r; @@ -398,9 +397,10 @@ logged_in: goto err; } - memset(&url, 0, sizeof(url)); - url.action = INDEX; - gotweb_reply(c, 307, "text/html", &url); + if (gotweb_reply(c, 200, "text/html", NULL) == -1) + return; + gotweb_render_fake_redirect(c->tp); + return; err: blob - ec9668b156a1cadb11e21ae4905edc9752a45453 blob + fb2666bc8da4753a650628be81212330d0379ef6 --- gotwebd/gotwebd.h +++ gotwebd/gotwebd.h @@ -667,6 +667,7 @@ int gotweb_render_blame(struct template *); int gotweb_render_patch(struct template *); int gotweb_render_rss(struct template *); int gotweb_render_unauthorized(struct template *); +int gotweb_render_fake_redirect(struct template *); /* parse.y */ struct gotwebd_repo * gotwebd_new_repo(const char *); blob - 892402a866c859317430fd61139d234250479f7d blob + 46d63f952fe699261e1b986996d1a61cb516e1f5 --- gotwebd/pages.tmpl +++ gotwebd/pages.tmpl @@ -1468,3 +1468,21 @@ date: {{ datebuf }} {{ " UTC" }} {{ "\n" }} {{ define gotweb_render_unauthorized(struct template *tp) }}

Wrong or missing authentication code

{{ end }} + +{{ define gotweb_render_fake_redirect(struct template *tp) }} +{! + struct gotweb_url url; + memset(&url, 0, sizeof(url)); + url.action = INDEX; +!} + + + + + +

+ Please click here + {{ " " }} if the page does not redirect automatically. + + +{{ end }}
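
Review bot: In the `logged_in:` hunk of gotwebd/auth.c, the result of `gotweb_render_fake_redirect(c->tp)` is dropped, although gotwebd.h declares it as returning `int` and the `gotweb_reply(c, 200, "text/html", NULL)` call directly above it is checked against -1. If rendering fails after the 200 status has gone out, this call site does not notice, and the user is left on a page with no refresh target and no fallback link. Suggest checking the return value here in the same way as the reply call, so both failure paths in this block are handled consistently.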
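
Review bot: The new `gotweb_render_fake_redirect` block in gotwebd/pages.tmpl has no comment saying why a successful login is answered with a refresh page rather than a redirect. That reasoning exists only in the commit message (some browsers did not reach the index after the 307, and the other workaround was relaxing SameSite from 'Strict' to 'Lax'). A short comment above the `{{ define ... }}` line recording this would keep a later cleanup from switching back to a 3xx response or loosening the cookie attribute without knowing the trade-off. Since `url.action = INDEX` is set inside the template, it is also worth confirming that the refresh target and the "Please click here" link are both rendered from that same `url`, so the two cannot drift apart.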