Expire or invalidate token when logging out (logout)
Logging out of workbench should invalidate the current token. (Currently, it just causes the browser to forget it.)
- workbench (1|2) logout includes API token to be revoked
- if a token is supplied, the logout route in controller expires the token
Workbench 2 "Get API token" creates new token (done)
Workbench 1 should tell the user that the token will expire when they log out, and provide a link to Workbench 2 dialog that creates a new API token.
#10 Updated by Lucas Di Pentima 7 months ago
Status update: At 94b3b18d0 I've tried to obtain the user's token from the context and use it to update the database setting the expires_at field to current_timestamp. It didn't work, because for some reason (testing on arvbox) I'm getting a v2 token that doesn't exist on the database. It doesn't even get listed when requesting them from wb1 with an admin account... I'm not sure where it's coming from.
#14 Updated by Lucas Di Pentima 6 months ago
WIP ready for review at c7c0826 - branch
I'm struggling with testing. The lib/controller/federation suite fails because I need a db handler and I'm not sure yet how to add/mock it.
Before investing more time in fixing the tests I would like to validate my approach with you, just in case it is completely off.
#15 Updated by Lucas Di Pentima 6 months ago
Updates at 0d248fb5c
Test run: https://ci.arvados.org/job/developer-run-tests/2408/
Added tests to login_testuser_test.go, and I'm not sure if I should add the same tests for other login providers, or how I could check that all login providers' Logout functions call the new token expiration function. Any guidance on that is welcome.
Question: I see workbench1 deletes the token from session before attempting token expiry. I think this means that, if the expire-and-redirect call returns an error, going back to workbench1 will show "logged out", but the token still won't really be expired on the API side. Perhaps it would be better to remove "session.clear" so the user can keep trying logout until the token can be neutralized? This would mean that with a new workbench1 version + old apiserver version users would be unable to log out at all, but I think that would be OK.
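The ticket description asks that a logout carrying a token make the controller set that token's expires_at so the API side stops accepting it, and the question above is about ordering: the browser session must not be cleared before the API-side expiry has actually succeeded. The following Go program is an added illustration of both points; it is not Arvados code. The tokenStore type, its expire and valid methods, the session type, the logout function and the dbDown flag are all hypothetical stand-ins for the controller's database access and the workbench session, and the token string is a constructed sample.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// tokenRecord is a hypothetical, simplified stand-in for an
// api_client_authorizations row: only the fields needed here.
type tokenRecord struct {
	UUID      string
	ExpiresAt *time.Time // nil means "never expires"
}

// tokenStore is a hypothetical in-memory stand-in for the API server's
// database. dbDown simulates an unreachable (or too-old) API server.
type tokenStore struct {
	mu     sync.Mutex
	byTok  map[string]*tokenRecord
	dbDown bool
}

var (
	errNotFound      = errors.New("token not found in database")
	errDBUnavailable = errors.New("database unavailable")
)

// newTokenStore builds a store from token -> authorization UUID pairs.
func newTokenStore(tokens map[string]string) *tokenStore {
	s := &tokenStore{byTok: map[string]*tokenRecord{}}
	for tok, uuid := range tokens {
		s.byTok[tok] = &tokenRecord{UUID: uuid}
	}
	return s
}

// expire sets expires_at = now for the given token, which is what the
// ticket asks the controller's logout route to do when a token is supplied.
func (s *tokenStore) expire(token string, now time.Time) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.dbDown {
		return errDBUnavailable
	}
	rec, ok := s.byTok[token]
	if !ok {
		return errNotFound
	}
	exp := now
	rec.ExpiresAt = &exp
	return nil
}

// valid reports whether token is still usable at time now. A token whose
// expires_at is at or before now is rejected, as is an unknown token.
func (s *tokenStore) valid(token string, now time.Time) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	rec, ok := s.byTok[token]
	if !ok {
		return false
	}
	return rec.ExpiresAt == nil || now.Before(*rec.ExpiresAt)
}

// session models the browser-side workbench session that holds the token.
type session struct {
	token string
}

// logout revokes the token on the API side first and forgets it locally only
// if that succeeded. If revocation fails the session is left intact, so the
// user still appears logged in and can retry instead of being shown
// "logged out" while the token remains live.
func logout(sess *session, store *tokenStore, now time.Time) error {
	if sess.token == "" {
		return nil // already logged out
	}
	if err := store.expire(sess.token, now); err != nil {
		return fmt.Errorf("logout: token not revoked, session kept: %w", err)
	}
	sess.token = ""
	return nil
}

func main() {
	now := time.Date(2020, 5, 1, 12, 0, 0, 0, time.UTC)
	// Constructed sample token; not a real credential.
	const tok = "v2/zzzzz-gj3su-000000000000000/constructedsecret"
	store := newTokenStore(map[string]string{tok: "zzzzz-gj3su-000000000000000"})
	sess := &session{token: tok}

	fmt.Println("valid before logout:", store.valid(tok, now))
	fmt.Println("logout error:", logout(sess, store, now))
	fmt.Println("valid after logout:", store.valid(tok, now.Add(time.Second)))
	fmt.Println("session token cleared:", sess.token == "")

	// Failure path: the API side cannot expire the token, so the session survives.
	store2 := newTokenStore(map[string]string{tok: "zzzzz-gj3su-000000000000000"})
	store2.dbDown = true
	sess2 := &session{token: tok}
	fmt.Println("logout error when DB down:", logout(sess2, store2, now))
	fmt.Println("session kept for retry:", sess2.token == tok)
}
```

The expire-then-clear order is the whole point: a logout that clears the session first can report success while the token is still accepted by the API server, which is the situation the question above describes.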
#17 Updated by Lucas Di Pentima 6 months ago
Thanks! Forgot about the wb2 branch:
16159-logout-request-with-token @ arvados-workbench2|c15afce