mirror of
https://github.com/actualbudget/actual.git
synced 2026-07-11 11:59:55 -05:00
[GH-ISSUE #7754] [Bug]: OIDC login fails on iOS Safari — WorkerBridge stays UNASSIGNED on fresh session #80624
Open
opened 2026-05-19 04:27:31 -05:00 by GiteaMirror
·
3 comments
No Branch/Tag Specified
master
tabedzki/feat/replacing-month-picker-with-day-picker
enforce-append-only-migrations-ci
delay-initial-sync-until-loaded
jfdoming/mobile-app-build
claude/error-codes-worker-boundary-26i5uu
jfdoming/api-tokens-part-1
jfdoming/api-tokens-part-2
jfdoming/api-tokens-part-3
jfdoming/mobile-app-updates
ai/simplify-categories-get-api
api-browser-custom-data-dir
claude/budget-version-migration-compat-151jlr
claude/worker-error-serialization-9iqtl7
claude/react-table-library-research-afx83z
claude/issue-8401-regression-test-9nw9l3
jfdoming/mobile-app-foundation-part-1
jfdoming/mobile-app-scaffold
release
ai-fix-cleanup-def-8290
claude/relaxed-shannon-jusywa
claude/fervent-keller-s6f2fq
claude/determined-feynman-st1y9z
claude/wizardly-einstein-vi2wce
claude/sweet-albattani-7nseio
feat/bank-sync-per-budget-file
claude/affectionate-cannon-y0kc82
claude/dependabot-findings-m9pgmb
claude/mac-app-ios-publish-zjs1lz
claude/vigilant-tesla-aiiyos
depot-migrate-secrets-1781296330308
claude/quirky-cerf-v5qck7
claude/animation-removal-alternative-2etfh1
claude/netlify-preview-comments-consolidate-9XPYa
osc/7391-error-boundaries-reports
claude/pensive-dijkstra-7DYui
claude/server-app-version-mismatch-HTCGv
claude/pr-8027-review-feedback-mELuO
claude/zealous-wozniak-e5pO0
claude/intelligent-heisenberg-BSHJq
claude/translation-download-refactor-jFRsO
claude/mobile-performance-ideas-G9PAO
claude/github-issue-7988-5A5ly
blacksmith-migration-ff70d2d
claude/great-mayer-KRvOk
claude/react-native-ios-compilation-fcJh5
claude/serene-goldberg-58xv0
claude/kind-euler-LVG3K
release-automation/edge-nightly
7710-bundle-migrations
claude/fix-docker-build-error-WMfed
claude/llm-compatible-release-notes-t20Nr
7710-tests-tdd
cursor/transaction-table-rewrite-f077
claude/plan-ci-secure-context-OtEe1
claude/fix-issue-7667-DPXi3
cursor/resolve-pr-7449-ee11
claude/fix-typescript-build-error-JPtZ5
copilot/add-repository-configs-to-packages
worktree-compressed-drifting-ritchie
claude/api-consumer-verification-kfz1K
pr-7454
claude/fix-issue-7410-LLLQ4
revert-7281-generate-icons
react-query-useSchedules
copilot/sub-pr-6140
package-upgrades
v26.7.0
v26.6.0
v26.5.2
v26.5.1
v26.5.0
v26.4.0
v26.3.0
v26.2.1
v26.2.0
v26.1.0
v25.12.0
v25.11.0
v25.10.0
v25.9.0
v25.8.0
v25.7.1
v25.7.0
v25.6.1
v25.6.0
v25.5.0
v25.4.0
v25.3.1
v25.3.0
v25.2.1
v25.2.0
v25.1.0
v24.12.0
v24.11.0
v24.10.1
v24.10.0
v24.9.0
v24.8.0
v24.7.0
v24.6.0
v24.5.0
v24.4.0
v24.3.0
v24.2.0
v24.1.0
v23.12.0
v23.11.0
v23.10.0
v23.9.0
v23.8.1
v23.8.0
v23.7.2
v23.7.1
v23.7.0
v23.6.0
v23.5.0
v23.4.2
v23.4.1
v23.4.0
v23.3.2
v23.3.0
v23.2.9
v23.2.5
v23.1.12
v22.12.9
Labels
Clear labels
AI generated
API
bank sync
budgeting
bug
can’t replicate
dependencies
docker
documentation
electron
experimental feature
feature
feedback
goal templates
good first issue
help wanted
importers
maintenance
needs info
needs testing
needs triage
needs votes
openid
payees
pull-request
regression
reports
responsive
rules
schedules
server
✨ merged
split transactions
tech debt
tech-support
theme
transaction import
transaction reconciliation
transactions
translations
upstream
user interface
✅ approved
wontfix
Mirrored from GitHub Pull Request
Milestone
No items
No Milestone
Projects
Clear projects
No project
No Assignees
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: github-starred/actual#80624
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @DeltaEchoFour on GitHub (May 8, 2026).
Original GitHub issue: https://github.com/actualbudget/actual/issues/7754
What happened?
Describe the bug
On iOS Safari (and as a PWA), OIDC login fails on any fresh browser session. After successfully authenticating with the OpenID provider and being redirected back to
/openid-cb?token=…, the app hangs on "Loading global preferences" and displays "No Server Configured" at the bottom of the screen. Theuser-tokenkey is never written toasyncStorage.The same flow works correctly on desktop Safari immediately after a password logout (i.e. with an established SharedWorker session). The failure is specific to iOS Safari on a fresh session where no prior SharedWorker state exists.
Expected behaviour
OIDC login completes successfully and the user is authenticated, consistent with the behaviour on desktop browsers.
Actual behaviour
The app loads at the correct
/openid-cb?token=…URL (confirmed viawindow.location.href) but the OIDC callback handler silently fails to write the auth token toasyncStorage. The app shows "No Server Configured" indefinitely.Root cause (investigated)
Using eruda (mobile JS console) and SharedWorker log inspection, the following was observed on iOS:
On a fresh iOS session, the tab connecting at
/openid-cbstarts asUNASSIGNEDand never transitions to a leader role. The OIDC callback handler depends on the WorkerBridge being in an established state to writeuser-tokentoasyncStorage. Because the WorkerBridge isUNASSIGNED, this write fails silently and the callback never completes.On desktop Safari (with an existing SharedWorker session from a prior password login or OIDC session), the tab is already an established lobby leader when the OIDC callback runs, so the write succeeds.
Confirmed via inspection of asyncStorage after failed iOS callback:
Confirmed via inspection of asyncStorage on working desktop session:
Environment
actualbudget/actual-server)Additional context
/openid/callbackand issues a token (302 to/openid-cb?token=…is observed in server logs)user-tokenand navigating to/via the eruda console results in successful authentication/openid-cb?token=…after the initial failure can succeed intermittently, once the SharedWorker has had time to settleACTUAL_OPENID_SERVER_HOSTNAMEis correctly configuredSuggested fix
The OIDC callback handler at
/openid-cbshould not depend on the WorkerBridge being in an established (leader) role to write the auth token. On a fresh session, the tab will always start asUNASSIGNEDat this route. The handler should either:user-tokenandserver-urldirectly toasyncStorage(bypassing the WorkerBridge), then redirect to/; orHow can we reproduce the issue?
Steps to reproduce
/openid-cb?token=<uuid>Where are you hosting Actual?
Docker
What browsers are you seeing the problem on?
Safari
Operating System
Mobile Device
@jshaofa-ui commented on GitHub (May 10, 2026):
🔧 Solution Proposal
Root Cause
On iOS Safari fresh sessions, the SharedWorker coordinator's
inithandler sends__role-change: UNASSIGNEDbut does NOT send aconnectmessage when existing budget groups are present. This means:messageQueueinconnection/index.tsis never flushed (only flushes onconnect)send('subscribe-set-token', { token })is queued but never deliveredasyncStorage→ OIDC login fails silentlyFix — Three-Layer Defense
1. Primary: Direct IndexedDB write (
packages/desktop-client/src/components/manager/subscribe/OpenIdCallback.ts)Write the auth token directly to IndexedDB from the main thread, bypassing the WorkerBridge entirely:
2. Coordinator fix (
packages/desktop-client/src/shared-browser-server-core.ts)Send synthetic
connectto UNASSIGNED tabs:3. SharedWorker timeout fallback (
packages/desktop-client/src/browser-preload.js)5-second timeout that falls back to a direct Worker if SharedWorker doesn't respond.
Why This Works
subscribe-set-tokenhandler is idempotent (justasyncStorage.setItem)@emcbem commented on GitHub (May 12, 2026):
Right when I setup OIDC for the first time I experience this bug, great timing :( Solution looks great though!
@joel-jeremy commented on GitHub (May 12, 2026):
Thank you for reporting the bug! @jshaofa-ui Please feel free to create a PR so maintainers can have a look at the solution.