Bug #16159

closed

Expire or invalidate token when logging out (logout)

Added by Tom Clegg about 4 years ago. Updated over 2 years ago.

Status:
Resolved
Priority:
Normal
Assigned To:
Category:
API
Target version:
Story points:
-
Release relationship:
Auto

Description

Logging out of workbench should invalidate the current token. (Currently, it just causes the browser to forget it.)

This means:

  1. workbench (1|2) logout includes API token to be revoked
  2. if a token is supplied, the logout route in controller expires the token

Workbench 2 "Get API token" creates new token (done)

Workbench 1 should tell the user that the token will expire when they log out, and provide a link to Workbench 2 dialog that creates a new API token.


Subtasks 2 (0 open, 2 closed)

  • Task #17481: Review 16159-token-expiration-on-logout (Resolved, Lucas Di Pentima, 04/08/2021)
  • Task #17533: Review 16159-logout-request-with-token (wb2 repo) (Resolved, 04/13/2021)

Related issues

  • Related to Arvados Workbench 2 - Idea #16848: Token handling improvements (Resolved, Lucas Di Pentima, 02/17/2021)
  • Related to Arvados Epics - Idea #16520: GxP Qualification (Resolved, 08/01/2020 to 04/30/2021)
  • Related to Arvados Workbench 2 - Feature #17518: Workbench2 lets users auto-login and access dialogs through direct links (New)
#1

Updated by Peter Amstutz over 3 years ago

  • Related to Idea #16848: Token handling improvements added
#2

Updated by Peter Amstutz over 3 years ago

#3

Updated by Peter Amstutz over 3 years ago

  • Description updated (diff)
#4

Updated by Peter Amstutz over 3 years ago

  • Description updated (diff)
#5

Updated by Peter Amstutz about 3 years ago

  • Subject changed from Expire or invalidate token when logging out to Expire or invalidate token when logging out (logout)
#6

Updated by Peter Amstutz about 3 years ago

  • Target version set to 2021-03-17 sprint
  • Description updated (diff)
#7

Updated by Peter Amstutz about 3 years ago

  • Assigned To set to Lucas Di Pentima
#8

Updated by Lucas Di Pentima about 3 years ago

  • Target version changed from 2021-03-17 sprint to 2021-03-31 sprint
#9

Updated by Lucas Di Pentima about 3 years ago

  • Status changed from New to In Progress
#10

Updated by Lucas Di Pentima about 3 years ago

Status update: At 94b3b18d0 I've tried to obtain the user's token from the context and use it to update the database, setting the expires_at field to current_timestamp. It didn't work, because for some reason (testing on arvbox) I'm getting a v2 token that doesn't exist in the database. It doesn't even get listed when requesting them from wb1 with an admin account... I'm not sure where it's coming from.

#11

Updated by Lucas Di Pentima about 3 years ago

Status update: The problem was that controller was getting the API token from the browser's cookies; once I tried with an incognito session, the error went away.

#12

Updated by Lucas Di Pentima about 3 years ago

  • Target version changed from 2021-03-31 sprint to 2021-04-14 sprint
#13

Updated by Lucas Di Pentima about 3 years ago

  • Related to Feature #17518: Workbench2 lets users auto-login and access dialogs through direct links added
#14

Updated by Lucas Di Pentima about 3 years ago

Tom,

WIP ready for review at c7c0826 - branch 16159-token-expiration-on-logout

I'm struggling with testing. The lib/controller/federation suite fails because I need a db handler and I'm not sure yet how to add/mock it.
Before investing more time in fixing the tests I would like to validate my approach with you, just in case it is completely off.

Thanks!

#15

Updated by Lucas Di Pentima about 3 years ago

Updates at 0d248fb5c
Test run: developer-run-tests: #2408

Added tests to login_testuser_test.go, and I'm not sure if I should add the same tests for other login providers, or how I could check that all login providers' Logout functions call the new token expiration function. Any guidance on that is welcome.

#16

Updated by Tom Clegg about 3 years ago

Question: I see workbench1 deletes the token from session before attempting token expiry. I think this means that, if the expire-and-redirect call returns an error, going back to workbench1 will show "logged out", but the token still won't really be expired on the API side. Perhaps it would be better to remove "session.clear" so the user can keep trying logout until the token can be neutralized? This would mean that with a new workbench1 version + old apiserver version users would be unable to log out at all, but I think that would be OK.

LGTM, thanks!
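The logout route from the issue description (expire the supplied token in controller, then redirect) together with the ordering concern raised in the comment above, as an added example in Go; this is not Arvados' own controller or workbench code. The in-memory TokenStore, the Bearer Authorization header, the return_to parameter and the Logout helper are assumptions made for the example.

```go
package main

import (
	"errors"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// TokenStore stands in for the api_client_authorizations table; this
// in-memory map is an assumption for the example, not Arvados code.
type TokenStore struct {
	ExpiresAt map[string]time.Time // token -> expires_at (zero = never)
}

// Expire is the equivalent of UPDATE ... SET expires_at = current_timestamp.
func (s *TokenStore) Expire(token string, now time.Time) error {
	if _, ok := s.ExpiresAt[token]; !ok {
		return errors.New("unknown token")
	}
	s.ExpiresAt[token] = now
	return nil
}

// LogoutHandler expires the token from the Authorization header (never one read
// from a browser cookie) and only then redirects; on failure the client keeps its session.
func LogoutHandler(store *TokenStore, now func() time.Time) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		token := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		if token != "" {
			if err := store.Expire(token, now()); err != nil {
				http.Error(w, "token not expired: "+err.Error(), http.StatusInternalServerError)
				return
			}
		}
		http.Redirect(w, r, r.FormValue("return_to"), http.StatusFound)
	})
}

// Logout drives the handler with httptest and returns the status the client sees.
func Logout(store *TokenStore, token string, now time.Time) int {
	req := httptest.NewRequest("GET", "/logout?return_to=/", nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	LogoutHandler(store, func() time.Time { return now }).ServeHTTP(rec, req)
	return rec.Code
}
```

A client that only clears its local session after receiving the redirect cannot end up "logged out" while the token is still live on the API side.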

#17

Updated by Lucas Di Pentima about 3 years ago

Thanks! I forgot about the wb2 branch: 16159-logout-request-with-token @ arvados-workbench2|c15afce

Test run: developer-tests-workbench2: #369

#18

Updated by Tom Clegg about 3 years ago

There is some appeal to doing it with XHR/fetch instead, but I don't think we should get hung up on it. LGTM, thanks.

#19

Updated by Lucas Di Pentima about 3 years ago

  • Status changed from In Progress to Resolved
#20

Updated by Peter Amstutz over 2 years ago

  • Release set to 41