Project

General

Profile

Actions

Bug #16159

closed

Expire or invalidate token when logging out (logout)

Added by Tom Clegg almost 5 years ago. Updated about 3 years ago.

Status:
Resolved
Priority:
Normal
Assigned To:
Category:
API
Target version:
Start date:
04/08/2021
Due date:
% Done:

100%

Estimated time:
(Total: 0.00 h)
Story points:
-
Release relationship:
Auto

Description

Logging out of workbench should invalidate the current token. (Currently, it just causes the browser to forget it.)

This means:

  1. workbench (1|2) logout includes API token to be revoked
  2. if a token is supplied, the logout route in controller expires the token

Workbench 2 "Get API token" creates new token (done)

Workbench 1 should tell the user that the token will expire when they log out, and provide a link to Workbench 2 dialog that creates a new API token.


Subtasks 2 (0 open2 closed)

Task #17481: Review 16159-token-expiration-on-logoutResolvedLucas Di Pentima04/08/2021

Actions
Task #17533: Review 16159-logout-request-with-token (wb2 repo)Resolved04/13/2021

Actions

Related issues 3 (1 open2 closed)

Related to Arvados Workbench 2 - Story #16848: Token handling improvementsResolvedLucas Di Pentima02/17/2021

Actions
Related to Arvados Epics - Story #16520: GxP QualificationResolved08/01/202004/30/2021

Actions
Related to Arvados Workbench 2 - Feature #17518: Workbench2 lets users auto-login and access dialogs through direct linksNew

Actions
Actions #1

Updated by Peter Amstutz about 4 years ago

  • Related to Story #16848: Token handling improvements added
Actions #2

Updated by Peter Amstutz about 4 years ago

Actions #3

Updated by Peter Amstutz about 4 years ago

  • Description updated (diff)
Actions #4

Updated by Peter Amstutz about 4 years ago

  • Description updated (diff)
Actions #5

Updated by Peter Amstutz almost 4 years ago

  • Subject changed from Expire or invalidate token when logging out to Expire or invalidate token when logging out (logout)
Actions #6

Updated by Peter Amstutz almost 4 years ago

  • Description updated (diff)
  • Target version set to 2021-03-17 sprint
Actions #7

Updated by Peter Amstutz almost 4 years ago

  • Assigned To set to Lucas Di Pentima
Actions #8

Updated by Lucas Di Pentima almost 4 years ago

  • Target version changed from 2021-03-17 sprint to 2021-03-31 sprint
Actions #9

Updated by Lucas Di Pentima almost 4 years ago

  • Status changed from New to In Progress
Actions #10

Updated by Lucas Di Pentima over 3 years ago

Status update: At 94b3b18d0 I've tried to obtain the user's token from the context and use it to update the database setting the expires_at field to current_timestamp. It didn't work, because for some reason (testing on arvbox) I'm getting a v2 token that doesn't exist on the database. It doesn't even get listed when requesting them from wb1 with an admin account... I'm not sure where it's coming from.

Actions #11

Updated by Lucas Di Pentima over 3 years ago

Status update: The problem was that controller was getting the API token from the browser's cookies, once I tried with an incognito session, the error went away.

Actions #12

Updated by Lucas Di Pentima over 3 years ago

  • Target version changed from 2021-03-31 sprint to 2021-04-14 sprint
Actions #13

Updated by Lucas Di Pentima over 3 years ago

  • Related to Feature #17518: Workbench2 lets users auto-login and access dialogs through direct links added
Actions #14

Updated by Lucas Di Pentima over 3 years ago

Tom,

WIP ready for review at c7c0826 - branch 16159-token-expiration-on-logout

I'm struggling with testing. The lib/controller/federation suite fails because I require to have a db handler and I'm not sure yet how to add/mock it.
Before investing more time in fixing the tests I would like to validate my approach with you, just in case is completely off.

Thanks!

Actions #15

Updated by Lucas Di Pentima over 3 years ago

Updates at 0d248fb5c
Test run: developer-run-tests: #2408

Added tests to login_testuser_test.go, and I'm not sure if I should add the same tests for other login providers, or how could I check that all login provider's Logout function call the new token expiration function. Any guidance on that is welcome.

Actions #16

Updated by Tom Clegg over 3 years ago

Question: I see workbench1 deletes the token from session before attempting token expiry. I think this means that, if the expire-and-redirect call returns an error, going back to workbench1 will show "logged out", but the token still won't really be expired on the API side. Perhaps it would be better to remove "session.clear" so the user can keep trying logout until the token can be neutralized? This would mean that with a new workbench1 version + old apiserver version users would be unable to log out at all, but I think that would be OK.

LGTM, thanks!

Actions #17

Updated by Lucas Di Pentima over 3 years ago

Thanks! forgot about the wb2 branch: 16159-logout-request-with-token @ arvados-workbench2|c15afce

Test run: developer-tests-workbench2: #369

Actions #18

Updated by Tom Clegg over 3 years ago

There is some appeal to doing it with XHR/fetch instead, but I don't think we should get hung up on it. LGTM, thanks.

Actions #19

Updated by Lucas Di Pentima over 3 years ago

  • Status changed from In Progress to Resolved
Actions #20

Updated by Peter Amstutz about 3 years ago

  • Release set to 41
Actions

Also available in: Atom PDF