Fork me on GitHub

Hey, I have a rather weird bug: after authentification with friend , the browser (sometimes?) redirects to /favicon.ico – I don’t have a favicon in my code and this error also happens from time to time in my other projects; is this a known ring issue, does it have to do with order of middlewares or is it connected to friend-auth? I can’t find a reason for this behaviour; Does someone have an idea? – Thank you!


Browsers often request favicon.ico to display it as a mini-icon in the browser tab but I don't see a reason why you should be explicitly redirected there. We use both friend and ring and I've never seen such a behavior


so after a successful login the POST /login endpoint returns a 303, and a location header pointing to the favicon file 😐


seems like :default-landing-uri of friend is being ignored when this favicon thingy kicks in… on a subsequent login, it works as expected


just looking at the session data, there is :cemerick.friend/unauthorized-uri … I don’t even…


@synthomat So a request is being made for the favicon before you've auth'd -- which makes sense. I would recommend setting up auth so /favicon.ico is allowed through without requiring auth -- make it an exempt route.


oh god, no please…


just found this out myself:man-facepalming:


had do inject a logging middleware to find out what’s going on…


so friend stores the originally requested resource before the authentication page kicks in to conveniently redirect the user back to the original request after successful authentification; but because (technically) favicon.ico happens to be the latest requested resource, friend redirects the user to that file after successful authentification


mind -> blown


I only know because it has bitten me countless times in various situations and so now I always make sure that URL is readable regardless of auth/login stuff...


wouldn’t it be better if friend stored the redirect url in a query parameter like many other libs do instead in the session?


good point @seancorfield, I now just added a fake favicon to my resource folder and it seems to do the trick; friend does not intercept because it’s a file that can actually be fetched


(I've never used Friend or Buddy or any other Clojure auth lib)