Login: Detect redirect loop and give users useful advice

This reverts commit fbd8bbbeaa.

src/pretix/control/templates/pretixcontrol/auth/login.html

@@ -19,6 +19,14 @@
             </ul>
             <br>
         {% endif %}
+        {% if possible_cookie_problem %}
+            <div class="alert alert-warning">
+                {% blocktrans trimmed %}
+                    It looks like your browser is not accepting our cookie and you need to log in repeatedly. Please
+                    check if your browser is set to block cookies, or delete all existing cookies and retry.
+                {% endblocktrans %}
+            </div>
+        {% endif %}
         {% csrf_token %}
         {% bootstrap_form form %}
         <div class="form-group buttons">

src/pretix/control/views/auth.py

@@ -149,6 +149,8 @@ def login(request):
             return process_login(request, form.user_cache, form.cleaned_data.get('keep_logged_in', False))
     else:
         form = LoginForm(backend=backend, request=request)
+        # Detect redirection loop (usually means cookie not accepted)
+        ctx['possible_cookie_problem'] = request.path in request.headers.get("Referer", "")
     ctx['form'] = form
     ctx['can_register'] = settings.PRETIX_REGISTRATION
     ctx['can_reset'] = settings.PRETIX_PASSWORD_RESET

src/pretix/helpers/cookies.py

@@ -34,10 +34,7 @@ def set_cookie_without_samesite(request, response, key, *args, **kwargs):
     if not is_secure:
         # https://www.chromestatus.com/feature/5633521622188032
         return
-
-    useragent = request.headers.get('User-Agent', '')
-
-    if should_send_same_site_none(useragent):
+    if should_send_same_site_none(request.headers.get('User-Agent', '')):
         # Chromium is rolling out SameSite=Lax as a default
         # https://www.chromestatus.com/feature/5088147346030592
         # This however breaks all pretix-in-an-iframe things, such as the pretix Widget.
@@ -47,29 +44,8 @@ def set_cookie_without_samesite(request, response, key, *args, **kwargs):
         # This will only work on secure cookies as well
         # https://www.chromestatus.com/feature/5633521622188032
         response.cookies[key]['secure'] = is_secure
-
-        if can_send_partitioned_cookie(useragent):
-            # CHIPS
-            response.cookies[key]['Partitioned'] = True
-
-
-def can_send_partitioned_cookie(useragent):
-    # Safari currently exhibits a bug where Partitioned cookies (CHIPS) are not
-    # sent back to the originating site after multi-hop cross-site redirects,
-    # breaking SSO login flows in pretix.
-    #
-    # Partitioned cookies were initially introduced in Safari 18.4, removed
-    # again in 18.5 due to a bug, and reintroduced in Safari 26.2, where the
-    # current issue is present.
-    #
-    # Once the Safari issue is fixed, this check should be refined to be
-    # conditional on the affected versions only.
-    #
-    # WebKit issues:
-    #
-    #   - https://bugs.webkit.org/show_bug.cgi?id=292975
-    #   - https://bugs.webkit.org/show_bug.cgi?id=306194
-    return not is_safari(useragent)
+        # CHIPS
+        response.cookies[key]['Partitioned'] = True
 
 
 # Based on https://www.chromium.org/updates/same-site/incompatible-clients

src/pretix/plugins/paypal2/payment.py

@@ -786,29 +786,23 @@ class PaypalMethod(BasePaymentProvider):
                 else:
                     pp_captured_order = response.result
 
+                for purchaseunit in pp_captured_order.purchase_units:
+                    for capture in purchaseunit.payments.captures:
+                        try:
+                            ReferencedPayPalObject.objects.get_or_create(order=payment.order, payment=payment, reference=capture.id)
+                        except ReferencedPayPalObject.MultipleObjectsReturned:
+                            pass
+
+                        if capture.status != 'COMPLETED':
+                            messages.warning(request, _('PayPal has not yet approved the payment. We will inform you as '
+                                                        'soon as the payment completed.'))
+                            payment.info = json.dumps(pp_captured_order.dict())
+                            payment.state = OrderPayment.PAYMENT_STATE_PENDING
+                            payment.save()
+                            return
+
             payment.refresh_from_db()
 
-            any_captures = False
-            all_captures_completed = True
-            for purchaseunit in pp_captured_order.purchase_units:
-                for capture in purchaseunit.payments.captures:
-                    try:
-                        ReferencedPayPalObject.objects.get_or_create(order=payment.order, payment=payment, reference=capture.id)
-                    except ReferencedPayPalObject.MultipleObjectsReturned:
-                        pass
-
-                    if capture.status != 'COMPLETED':
-                        all_captures_completed = False
-                    else:
-                        any_captures = True
-            if not (any_captures and all_captures_completed):
-                messages.warning(request, _('PayPal has not yet approved the payment. We will inform you as '
-                                            'soon as the payment completed.'))
-                payment.info = json.dumps(pp_captured_order.dict())
-                payment.state = OrderPayment.PAYMENT_STATE_PENDING
-                payment.save()
-                return
-
             if pp_captured_order.status != 'COMPLETED':
                 payment.fail(info=pp_captured_order.dict())
                 logger.error('Invalid state: %s' % repr(pp_captured_order.dict()))