Bug #16159
closed
Expire or invalidate token when logging out (logout)
Added by Tom Clegg about 4 years ago.
Updated over 2 years ago.
Release relationship:
Auto
Description
Logging out of workbench should invalidate the current token. (Currently, it just causes the browser to forget it.)
This means:
- workbench (1|2) logout includes API token to be revoked
- if a token is supplied, the logout route in controller expires the token
Workbench 2 "Get API token" creates new token (done)
Workbench 1 should tell the user that the token will expire when they log out, and provide a link to Workbench 2 dialog that creates a new API token.
- Related to Idea #16848: Token handling improvements added
- Description updated (diff)
- Description updated (diff)
- Subject changed from Expire or invalidate token when logging out to Expire or invalidate token when logging out (logout)
- Target version set to 2021-03-17 sprint
- Description updated (diff)
- Assigned To set to Lucas Di Pentima
- Target version changed from 2021-03-17 sprint to 2021-03-31 sprint
- Status changed from New to In Progress
Status update: At 94b3b18d0 I've tried to obtain the user's token from the context and use it to update the database setting the expires_at field to current_timestamp. It didn't work, because for some reason (testing on arvbox) I'm getting a v2 token that doesn't exist on the database. It doesn't even get listed when requesting them from wb1 with an admin account... I'm not sure where it's coming from.
Status update: The problem was that controller was getting the API token from the browser's cookies, once I tried with an incognito session, the error went away.
- Target version changed from 2021-03-31 sprint to 2021-04-14 sprint
- Related to Feature #17518: Workbench2 lets users auto-login and access dialogs through direct links added
Tom,
WIP ready for review at c7c0826 - branch 16159-token-expiration-on-logout
I'm struggling with testing. The lib/controller/federation suite fails because I require to have a db handler and I'm not sure yet how to add/mock it.
Before investing more time in fixing the tests I would like to validate my approach with you, just in case is completely off.
Thanks!
Updates at 0d248fb5c
Test run: developer-run-tests: #2408 
Added tests to login_testuser_test.go, and I'm not sure if I should add the same tests for other login providers, or how could I check that all login provider's Logout function call the new token expiration function. Any guidance on that is welcome.
Question: I see workbench1 deletes the token from session before attempting token expiry. I think this means that, if the expire-and-redirect call returns an error, going back to workbench1 will show "logged out", but the token still won't really be expired on the API side. Perhaps it would be better to remove "session.clear" so the user can keep trying logout until the token can be neutralized? This would mean that with a new workbench1 version + old apiserver version users would be unable to log out at all, but I think that would be OK.
LGTM, thanks!
There is some appeal to doing it with XHR/fetch instead, but I don't think we should get hung up on it. LGTM, thanks.
- Status changed from In Progress to Resolved
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by