[PR #956] [MERGED] handle expired token being null and prevent constant rerender #3537

Closed
opened 2026-02-22 18:33:59 -05:00 by yindo · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/Mintplex-Labs/anything-llm/pull/956
Author: @timothycarambat
Created: 3/22/2024
Status: Merged
Merged: 3/26/2024
Merged by: @timothycarambat

Base: masterHead: catch-fatal-hash-comparison


📝 Commits (2)

  • 5876d99 handle expired token being null and prevent constant rerender
  • dcd2c93 reset defaults

📊 Changes

5 files changed (+21 additions, -9 deletions)

View changed files

📝 frontend/src/components/Modals/Password/index.jsx (+6 -4)
📝 frontend/src/components/PrivateRoute/index.jsx (+1 -1)
📝 frontend/src/pages/Login/index.jsx (+3 -1)
📝 frontend/src/utils/paths.js (+2 -2)
📝 server/utils/middleware/validatedRequest.js (+9 -1)

📄 Description

When using AnythingLLM with a password or multi-user auth state the default token expiry is set to 30 days expiration (TBD custom config for this value).

If you are logged in and do not re-visit the system for some time where the token then expires on revisit the token will fail to verify and will return a null value, which will fatally crash the bcrypt compareHash function. Passing an empty '' instead when invalid will then cause an infinite re-render on the login screen.

Additional work was required to have this work when the session is fully expired:

  • Invalidate token as normal
  • Send the user to log in, but prevent auto login via a query param set during redirect due to invalid auth.
  • User can log in again and get a new session token.

  • Tested as all roles in multi-user
  • Tested with just password
  • Tested with no password instance

resolves #947


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/Mintplex-Labs/anything-llm/pull/956 **Author:** [@timothycarambat](https://github.com/timothycarambat) **Created:** 3/22/2024 **Status:** ✅ Merged **Merged:** 3/26/2024 **Merged by:** [@timothycarambat](https://github.com/timothycarambat) **Base:** `master` ← **Head:** `catch-fatal-hash-comparison` --- ### 📝 Commits (2) - [`5876d99`](https://github.com/Mintplex-Labs/anything-llm/commit/5876d994c91e70afc8dc25a32ecee068fdbf0f40) handle expired token being null and prevent constant rerender - [`dcd2c93`](https://github.com/Mintplex-Labs/anything-llm/commit/dcd2c937733904c68f4672a62dc025bdd88aab2e) reset defaults ### 📊 Changes **5 files changed** (+21 additions, -9 deletions) <details> <summary>View changed files</summary> 📝 `frontend/src/components/Modals/Password/index.jsx` (+6 -4) 📝 `frontend/src/components/PrivateRoute/index.jsx` (+1 -1) 📝 `frontend/src/pages/Login/index.jsx` (+3 -1) 📝 `frontend/src/utils/paths.js` (+2 -2) 📝 `server/utils/middleware/validatedRequest.js` (+9 -1) </details> ### 📄 Description When using AnythingLLM with a password or multi-user auth state the default token expiry is set to 30 days expiration (TBD custom config for this value). If you are logged in and do not re-visit the system for some time where the token then expires on revisit the token will fail to verify and will return a `null` value, which will fatally crash the `bcrypt` `compareHash` function. Passing an empty `''` instead when invalid will then cause an infinite re-render on the login screen. Additional work was required to have this work when the session is fully expired: - Invalidate token as normal - Send the user to log in, but **prevent** auto login via a query param set during redirect due to invalid auth. - User can log in again and get a new session token. --------- - Tested as all roles in multi-user - Tested with just password - Tested with no password instance ------ resolves #947 --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
yindo added the pull-request label 2026-02-22 18:33:59 -05:00
yindo closed this issue 2026-02-22 18:33:59 -05:00
yindo changed title from [PR #956] handle expired token being null and prevent constant rerender to [PR #956] [MERGED] handle expired token being null and prevent constant rerender 2026-06-05 15:13:56 -04:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Mintplex-Labs/anything-llm#3537