Bug #16159

Expire or invalidate token when logging out (logout)

Added by Tom Clegg about 1 year ago. Updated 7 days ago.

Status: Resolved
Priority: Normal
Assigned To: (not shown)
Category: API
Target version: (not shown)
Start date: 04/08/2021
Due date: (not set)
% Done: 100%
Estimated time: (Total: 0.00 h)
Story points: -

Description

Logging out of workbench should invalidate the current token. (Currently, it just causes the browser to forget it.)

This means:

  1. workbench (1|2) logout includes API token to be revoked
  2. if a token is supplied, the logout route in controller expires the token

Workbench 2 "Get API token" creates new token (done)

Workbench 1 should tell the user that the token will expire when they log out, and provide a link to Workbench 2 dialog that creates a new API token.


Subtasks

Task #17481: Review 16159-token-expiration-on-logout (Resolved, Lucas Di Pentima)

Task #17533: Review 16159-logout-request-with-token (wb2 repo) (Resolved)


Related issues

Related to Arvados Workbench 2 - Story #16848: Token handling improvements (Resolved, 02/17/2021)

Related to Arvados Epics - Story #16520: GxP Qualification (In Progress, 08/01/2020 to 04/30/2021)

Related to Arvados Workbench 2 - Feature #17518: Workbench2 lets users auto-login and access dialogs through direct links (New)

Associated revisions

Revision e46caaf8
Added by Lucas Di Pentima 8 days ago

Merge branch '16159-token-expiration-on-logout'
Refs #16159

Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <>

Revision 547664ec
Added by Lucas Di Pentima 7 days ago

Merge branch '16159-logout-request-with-token'
Closes #16159

Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <>

History

#1 Updated by Peter Amstutz 7 months ago

  • Related to Story #16848: Token handling improvements added

#2 Updated by Peter Amstutz 7 months ago

#3 Updated by Peter Amstutz 7 months ago

  • Description updated (diff)

#4 Updated by Peter Amstutz 5 months ago

  • Description updated (diff)

#5 Updated by Peter Amstutz 2 months ago

  • Subject changed from Expire or invalidate token when logging out to Expire or invalidate token when logging out (logout)

#6 Updated by Peter Amstutz about 2 months ago

  • Target version set to 2021-03-17 sprint
  • Description updated (diff)

#7 Updated by Peter Amstutz about 2 months ago

  • Assigned To set to Lucas Di Pentima

#8 Updated by Lucas Di Pentima about 1 month ago

  • Target version changed from 2021-03-17 sprint to 2021-03-31 sprint

#9 Updated by Lucas Di Pentima about 1 month ago

  • Status changed from New to In Progress

#10 Updated by Lucas Di Pentima 23 days ago

Status update: At 94b3b18d0 I've tried to obtain the user's token from the context and use it to update the database setting the expires_at field to current_timestamp. It didn't work, because for some reason (testing on arvbox) I'm getting a v2 token that doesn't exist on the database. It doesn't even get listed when requesting them from wb1 with an admin account... I'm not sure where it's coming from.

#11 Updated by Lucas Di Pentima 22 days ago

Status update: The problem was that the controller was getting the API token from the browser's cookies; once I tried with an incognito session, the error went away.

#12 Updated by Lucas Di Pentima 21 days ago

  • Target version changed from 2021-03-31 sprint to 2021-04-14 sprint

#13 Updated by Lucas Di Pentima 15 days ago

  • Related to Feature #17518: Workbench2 lets users auto-login and access dialogs through direct links added

#14 Updated by Lucas Di Pentima 13 days ago

Tom,

WIP ready for review at c7c0826 - branch 16159-token-expiration-on-logout

I'm struggling with testing. The lib/controller/federation suite fails because I need to have a db handler and I'm not sure yet how to add/mock it.
Before investing more time in fixing the tests I would like to validate my approach with you, just in case it is completely off.

Thanks!

#15 Updated by Lucas Di Pentima 8 days ago

Updates at 0d248fb5c
Test run: https://ci.arvados.org/job/developer-run-tests/2408/

Added tests to login_testuser_test.go, and I'm not sure if I should add the same tests for other login providers, or how I could check that all login providers' Logout functions call the new token expiration function. Any guidance on that is welcome.

#16 Updated by Tom Clegg 8 days ago

Question: I see workbench1 deletes the token from session before attempting token expiry. I think this means that, if the expire-and-redirect call returns an error, going back to workbench1 will show "logged out", but the token still won't really be expired on the API side. Perhaps it would be better to remove "session.clear" so the user can keep trying logout until the token can be neutralized? This would mean that with a new workbench1 version + old apiserver version users would be unable to log out at all, but I think that would be OK.

LGTM, thanks!
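
The ordering discussed in the description (logout carries the token, the controller sets expires_at) and in comment #16 (do not forget the session until revocation has succeeded), as an added Go example that is not Arvados code: TokenStore, Session, Logout and the token value are constructed stand-ins for the api_client_authorizations rows and the workbench1 session.

```go
package main

import (
	"errors"
	"time"
)

// TokenStore maps token -> expires_at (zero time = no expiry). It stands in
// for the api_client_authorizations rows the controller would update;
// constructed for this example, not Arvados code.
type TokenStore map[string]time.Time

var ErrUnknownToken = errors.New("token not found")

// Valid reports whether token exists and is unexpired at now.
func (s TokenStore) Valid(token string, now time.Time) bool {
	exp, ok := s[token]
	return ok && (exp.IsZero() || now.Before(exp))
}

// Expire is the server-side revocation logout must perform: expires_at is set
// to now. An unknown token is an error, never a silent success.
func (s TokenStore) Expire(token string, now time.Time) error {
	if _, ok := s[token]; !ok {
		return ErrUnknownToken
	}
	s[token] = now
	return nil
}

// Session stands in for the workbench1 browser session that holds the token.
type Session struct{ Token string }

// Logout revokes the token at the API before forgetting it. On failure the
// session is left intact and the error returned, so the user is never shown
// "logged out" while the token is still live (the ordering from comment #16).
func Logout(sess *Session, store TokenStore, now time.Time) error {
	if sess.Token == "" {
		return nil // nothing to revoke
	}
	if err := store.Expire(sess.Token, now); err != nil {
		return err
	}
	sess.Token = ""
	return nil
}
```

With the old ordering (session cleared first) the failure branch would leave a live token behind with no way for the user to retry; here a failed revocation keeps the session so logout can be attempted again.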

#17 Updated by Lucas Di Pentima 8 days ago

Thanks! Forgot about the wb2 branch: 16159-logout-request-with-token @ arvados-workbench2|c15afce

Test run: https://ci.arvados.org/view/Developer/job/developer-tests-workbench2/369/

#18 Updated by Tom Clegg 7 days ago

There is some appeal to doing it with XHR/fetch instead, but I don't think we should get hung up on it. LGTM, thanks.

#19 Updated by Lucas Di Pentima 7 days ago

  • Status changed from In Progress to Resolved
