fix: InactivitySessionTimeoutMiddleware: Check for last_login (allow Django admin login + access)

label_studio/core/middleware.py

@@ -211,9 +211,10 @@ def process_request(self, request) -> None:
         current_time = time.time()
         last_login = request.session['last_login'] if 'last_login' in request.session else 0
 
-        # Check if this request is too far from when the login happened
-        if (current_time - last_login) > settings.MAX_SESSION_AGE:
-            logger.info(
+        # Check if this request is too far from when the login happened,
+        # but only when last_login was set before
+        if last_login and (current_time - last_login) > settings.MAX_SESSION_AGE:
+            logger.warn(
                 f'Request is too far from last login {current_time - last_login:.0f} > {settings.MAX_SESSION_AGE}; logout'
             )
             logout(request)

label_studio/tests/test_django_admin_login.py

@@ -0,0 +1,25 @@
+from django.urls import reverse
+
+
+def test_django_admin_login(admin_user, client, live_server):
+    response = client.get(reverse("admin:index"))
+
+    # Make sure we are redirected to the django admin login page
+    assert response.status_code == 302
+    assert response.url.startswith(reverse("admin:login"))
+
+    credentials = {"username": admin_user.email, "password": "password"}
+    response = client.post(response.url, credentials)
+
+    # We should be redirected to the django index
+    assert response.status_code == 302
+    assert response.url.startswith(reverse("admin:index"))
+
+    # No last_login key has been set in the session as we do not
+    # login via the regular /users/login page
+    assert not "last_login" in client.session
+
+    # And our logged in session will still be valid
+    response = client.get(reverse("admin:index"))
+
+    assert response.status_code == 200