On the git master - I cannot login to the WebUI anymore

[mmohring]

Issue Description

When I update my OBS instance from:
git commit 1b0d5ab
to:
git commit 5c57d1b

I cannot login with my users anymore from the WebUI
I can still use the api and command line tool osc

Expected Result

I should be able to login

How to Reproduce

1. click on login in the WebUI
2. select a user from the Webbrowers, stored
3. click on "Login In"
4. https://<myobshost>/session returns: 403

Further Information

From the production.log logfile:

W, [2026-03-05T14:28:33.476169 #18796] WARN -- : [08f57bf2-d91f-4a26-a53a-b2957e489e60] Can't verify CSRF token authenticity.
I, [2026-03-05T14:28:33.479529 #18796] INFO -- : [08f57bf2-d91f-4a26-a53a-b2957e489e60] method=POST path=/session format=html controller=Webui::SessionController action=create status=403 allocations=1272 duration=11.70 view=0.00 db=1.10 params={"authenticity_token" => "[FILTERED]", "username" => "MartinMohring", "password" => "[FILTERED]", "commit" => "Log In"} host=192.168.0.32 backend=0 user=nobody bot=false
F, [2026-03-05T14:28:33.485682 #18796] FATAL -- : [08f57bf2-d91f-4a26-a53a-b2957e489e60]
[08f57bf2-d91f-4a26-a53a-b2957e489e60] ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):
[08f57bf2-d91f-4a26-a53a-b2957e489e60]
[08f57bf2-d91f-4a26-a53a-b2957e489e60] app/controllers/webui/webui_controller.rb:45:in 'Webui::WebuiController#handle_unverified_request'
[08f57bf2-d91f-4a26-a53a-b2957e489e60] config/initializers/prefer_xml_over_html.rb:15:in 'PreferXmlOverHtml#call'

[mmohring]

I could reproduce the issue by restoring my DB before the migration and restoring the old version. Then I could login again. Then upgrade, DB migrate. Restart OBS servers. And failing again.

I use:

• a normal SQL user DB. No LDAP or whatever
• anon access is off

I am currently checking app/controllers/webui/webui_controller.rb:45 ...

I could not bisect the exact commit yet. The version:
git commit 0411507
that is used on build.opensuse.org also does not work for me.

[eduardoj]

Hi @mmohring, thanks for reporting the issue.

I could not reproduce the issue in my development environment, with the same configuration you mention:

• MariaDB
• anonymous access off

It could be related on what is used to perform the DB migration. Have you used this command?

rails db:migrate:with_data

[mmohring]

Of course do I use:

RAILS_ENV=production bin/rails db:migrate:with_data
and crosscheck with:
RAILS_ENV=production bin/rails db:migrate:status

I am currently bisecting the commit that causes the problem.

My first suspect is the Dalli migration.

[eduardoj]

Of course do I use:

RAILS_ENV=production bin/rails db:migrate:with_data
and crosscheck with:
RAILS_ENV=production bin/rails db:migrate:status

db:migrate:with_data belongs to the rake tasks of the data_migrate Rubygem. That's correct.

db:migrate:status belongs to Rails. See: https://guides.rubyonrails.org/v7.2/active_record_migrations.html#old-migrations

If you would like to know the status of the structure migrations and also the data migrations, you could use:

• data:migrate:status, or
• db:migrate:status:with_data

[mmohring]

I tracked it down.

fails:
d71a82a
works:
d0eb321

I use memcache. Can you run it without memcache, or does the session need memcache ? I check now the changed lines. Can it be that I do not have localhost somewhere configured ?

It must be the memcache gem. You changed the code back, right ? I try now git master HEAD. Maybe I try the old memcache module.

[eduardoj]

Ops, that's explains it. The changes are explained here: #19355.

In order to support the :meta protocol, you should make sure you use Memcached 1.6+.

[mmohring]

But I dont. :D
We should add a dependency in the .spec files.

[mmohring]

I will submit a patch for .spec files. I got it working in SLE 16.x / openSUSE 16.x also . People were complaing about OBS not working on the SLE 16 based line of code. We should discuss what I found, its really strange.
I will test also by using memcache 1.6+ stuff on old distros. I come back next week.

I updated the memcachd pkg to 1.6+ and it worked as expected.