Feature #16679

closed

Option to store token in session storage & idle timeout

Added by Peter Amstutz over 3 years ago. Updated over 3 years ago.

Status: Resolved
Priority: Normal
Assigned To:
Category: Workbench2
Target version:
Story points: -
Release relationship: Auto

Description

Option for Workbench 2 to store token in session storage instead of local storage, so that when the tab/browser is closed, the token is discarded.

"Open in new tab" operations should pass along the token (if possible) to avoid making the user log in again.

We should also add an idle timeout; it looks like we can do this via a React component:

https://blog.bitsrc.io/how-to-implement-idle-timeout-in-react-830d21c32942

Confirm (with tests) that Workbench 2 normal logout hits the API logout endpoint and expires the token.


Subtasks 2 (0 open, 2 closed)

Task #16759: Review 16679-token-security-enhancements | Resolved | Lucas Di Pentima | 09/07/2020
Task #16793: Review 16679-wb2-idle-timeout-config (arvados repo) | Resolved | Peter Amstutz | 09/01/2020

Related issues

Related to Arvados Epics - Idea #16520: GxP Qualification | Resolved | 08/01/2020 | 04/30/2021
Actions #1

Updated by Peter Amstutz over 3 years ago

  • Description updated (diff)
Actions #2

Updated by Peter Amstutz over 3 years ago

Actions #3

Updated by Peter Amstutz over 3 years ago

  • Release set to 25
Actions #4

Updated by Peter Amstutz over 3 years ago

  • Target version set to 2020-09-09 Sprint
Actions #5

Updated by Lucas Di Pentima over 3 years ago

  • Assigned To set to Lucas Di Pentima
Actions #6

Updated by Lucas Di Pentima over 3 years ago

From chat: We could publish the Login.TokenLifetime setting and use that to decide where to store the token.

Actions #7

Updated by Peter Amstutz over 3 years ago

  • Description updated (diff)
  • Subject changed from Option to store token in session storage to Option to store token in session storage & idle timeout
Actions #8

Updated by Peter Amstutz over 3 years ago

  • Description updated (diff)
Actions #9

Updated by Lucas Di Pentima over 3 years ago

  • Status changed from New to In Progress
Actions #10

Updated by Lucas Di Pentima over 3 years ago

Updates at 201e2b7e3 - branch 16679-wb2-idle-timeout-config
Test run: developer-run-tests: #2061

  • Adds Workbench.IdleTimeout config knob for workbench2
Actions #11

Updated by Lucas Di Pentima over 3 years ago

Update at 0b38c1d85

  • Exports Login.TokenLifetime so that it can be used by Workbench2 to store tokens on session storage.
Actions #12

Updated by Peter Amstutz over 3 years ago

Lucas Di Pentima wrote:

Update at 0b38c1d85

  • Exports Login.TokenLifetime so that it can be used by Workbench2 to store tokens on session storage.

LGTM

Actions #13

Updated by Lucas Di Pentima over 3 years ago

Updates at arvados-workbench2|2a15974a - branch 16679-token-security-enhancements
Test run: developer-tests-workbench2: #88

  • Adds tests confirming that the logout endpoint is hit on logout.
  • Adds auto logout component that gets used when Workbench.IdleTimeout config is non-zero, with tests.
  • Uses session storage on auth services when Login.TokenLifetime config is non-zero.
  • Removes sessions list from storage on logout, as tokens are also saved there.
Actions #14

Updated by Peter Amstutz over 3 years ago

My only comment is that switching to session storage should probably be linked to enabling Workbench.IdleTimeout, not TokenLifetime. The rest LGTM.

Actions #15

Updated by Anonymous over 3 years ago

  • % Done changed from 50 to 100
  • Status changed from In Progress to Resolved
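
The behaviour listed in comment #13 (storage choice, idle auto logout, clearing the sessions list on logout), as an added example that is not Workbench 2 code. The class, key names and `expireToken` callback are hypothetical, config values are assumed to arrive as seconds, and `MemoryStorage` stands in for the browser's `localStorage`/`sessionStorage`.

```javascript
// Added example: hypothetical names throughout, not Workbench 2 source code.
// MemoryStorage stands in for window.localStorage / window.sessionStorage so
// the logic runs outside a browser.
class MemoryStorage {
  constructor() { this.items = new Map(); }
  getItem(k) { return this.items.has(k) ? this.items.get(k) : null; }
  setItem(k, v) { this.items.set(k, String(v)); }
  removeItem(k) { this.items.delete(k); }
}

const KEYS = ['apiToken', 'sessions']; // constructed key names

class AuthStore {
  // Config values are assumed to be seconds; 0 means the feature is off.
  constructor({ tokenLifetime, idleTimeout }, { local, session, expireToken, now }) {
    this.idleTimeout = idleTimeout;
    this.all = [local, session];
    // Comment #13's rule: non-zero Login.TokenLifetime selects session storage.
    this.store = tokenLifetime > 0 ? session : local;
    this.expireToken = expireToken; // callback that calls the API logout endpoint
    this.now = now;
    this.lastActivity = now();
  }
  login(token, sessions) {
    this.clear(); // never leave a stale copy in the other storage
    this.store.setItem('apiToken', token);
    this.store.setItem('sessions', JSON.stringify(sessions));
    this.lastActivity = this.now();
  }
  token() { return this.store.getItem('apiToken'); }
  touch() { this.lastActivity = this.now(); } // wire to mouse/keyboard events
  clear() { for (const s of this.all) for (const k of KEYS) s.removeItem(k); }
  logout() {
    const t = this.token();
    if (t !== null) this.expireToken(t); // expire server-side, not just locally
    this.clear(); // the sessions list holds tokens too, so it goes as well
  }
  // Call periodically (e.g. from setInterval); returns true if it logged out.
  checkIdle() {
    if (this.idleTimeout <= 0 || this.token() === null) return false;
    if (this.now() - this.lastActivity < this.idleTimeout * 1000) return false;
    this.logout();
    return true;
  }
}
```

To follow the suggestion in comment #14, key the storage choice on `idleTimeout` instead of `tokenLifetime`.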