Feature #16679

Option to store token in session storage & idle timeout

Added by Peter Amstutz about 1 year ago. Updated about 1 year ago.

Status: Resolved
Priority: Normal
Assigned To:
Category: Workbench2
Target version:
Start date: 09/01/2020
Due date:
% Done: 100%
Estimated time: (Total: 0.00 h)
Story points: -
Release relationship: Auto

Description

Option for Workbench 2 to store token in session storage instead of local storage, so that when the tab/browser is closed, the token is discarded.

"Open in new tab" operations should pass along the token (if possible) to avoid making the user log in again.

We should also add an idle timeout; it looks like we can do this via a React component:

https://blog.bitsrc.io/how-to-implement-idle-timeout-in-react-830d21c32942

Confirm (with tests) that Workbench 2 normal logout hits the API logout endpoint and expires the token.


Subtasks

Task #16759: Review 16679-token-security-enhancements (Resolved, Lucas Di Pentima)

Task #16793: Review 16679-wb2-idle-timeout-config (arvados repo) (Resolved, Peter Amstutz)


Related issues

Related to Arvados Epics - Story #16520: GxP Qualification (Resolved, 08/01/2020, 04/30/2021)

Associated revisions

Revision 16919ef3
Added by Lucas Di Pentima about 1 year ago

Merge branch '16679-wb2-idle-timeout-config'. Refs #16679

Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <>

Revision ecd0b3c0
Added by Lucas Di Pentima about 1 year ago

Merge branch '16679-token-security-enhancements'
Closes #16679

Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <>

Revision 3b6e8232 (diff)
Added by Lucas Di Pentima about 1 year ago

16679: Unexports Login.TokenLifetime config. Refs #16679.

Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <>

History

#1 Updated by Peter Amstutz about 1 year ago

  • Description updated (diff)

#2 Updated by Peter Amstutz about 1 year ago

#3 Updated by Peter Amstutz about 1 year ago

  • Release set to 25

#4 Updated by Peter Amstutz about 1 year ago

  • Target version set to 2020-09-09 Sprint

#5 Updated by Lucas Di Pentima about 1 year ago

  • Assigned To set to Lucas Di Pentima

#6 Updated by Lucas Di Pentima about 1 year ago

From chat: We could publish the Login.TokenLifetime setting and use that to decide where to store the token.

#7 Updated by Peter Amstutz about 1 year ago

  • Description updated (diff)
  • Subject changed from Option to store token in session storage to Option to store token in session storage & idle timeout

#8 Updated by Peter Amstutz about 1 year ago

  • Description updated (diff)

#9 Updated by Lucas Di Pentima about 1 year ago

  • Status changed from New to In Progress

#10 Updated by Lucas Di Pentima about 1 year ago

Updates at 201e2b7e3 - branch 16679-wb2-idle-timeout-config
Test run: https://ci.arvados.org/job/developer-run-tests/2061/

  • Adds Workbench.IdleTimeout config knob for workbench2

#11 Updated by Lucas Di Pentima about 1 year ago

Update at 0b38c1d85

  • Exports Login.TokenLifetime so that it can be used by Workbench2 to store tokens on session storage.

#12 Updated by Peter Amstutz about 1 year ago

Lucas Di Pentima wrote:

Update at 0b38c1d85

  • Exports Login.TokenLifetime so that it can be used by Workbench2 to store tokens on session storage.

LGTM

#13 Updated by Lucas Di Pentima about 1 year ago

Updates at arvados-workbench2|2a15974a - branch 16679-token-security-enhancements
Test run: https://ci.arvados.org/view/Developer/job/developer-tests-workbench2/88/

  • Adds tests confirming that the logout endpoint is hit on logout.
  • Adds auto logout component that gets used when Workbench.IdleTimeout config is non-zero, with tests.
  • Uses session storage on auth services when Login.TokenLifetime config is non-zero.
  • Removes sessions list from storage on logout, as tokens are also saved there.

#14 Updated by Peter Amstutz about 1 year ago

My only comment is that switching to session storage should probably be linked to enabling Workbench.IdleTimeout, not TokenLifetime. The rest LGTM.

#15 Updated by Anonymous about 1 year ago

  • % Done changed from 50 to 100
  • Status changed from In Progress to Resolved
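
An added illustration of the behaviour listed in the description and in comment #13, not code from Workbench 2 or the Arvados repositories: storage selection driven by Login.TokenLifetime, a logout that calls the API and then clears the token and sessions list, and an idle timer. The storage key names, the function names, the in-memory storage stand-in, and treating both config values as plain numbers are assumptions.

```javascript
// Added example. TOKEN_KEY, SESSIONS_KEY and all function names are hypothetical.
const TOKEN_KEY = 'apiToken';
const SESSIONS_KEY = 'sessions';

// In-memory stand-in for the Web Storage API, so the example also runs outside a browser.
class MemoryStorage {
  constructor() { this.items = new Map(); }
  getItem(k) { return this.items.has(k) ? this.items.get(k) : null; }
  setItem(k, v) { this.items.set(k, String(v)); }
  removeItem(k) { this.items.delete(k); }
}

// Comment #13: use session storage when Login.TokenLifetime is non-zero,
// so the token is discarded when the tab or browser is closed.
function pickTokenStorage(config, stores) {
  return config.Login.TokenLifetime ? stores.session : stores.local;
}

// Remove the token and the saved sessions list (which also holds tokens)
// from both storages, whichever one was in use.
function clearCredentials(stores) {
  for (const s of [stores.local, stores.session]) {
    s.removeItem(TOKEN_KEY);
    s.removeItem(SESSIONS_KEY);
  }
}

// Logout: hit the API logout endpoint so the server expires the token,
// then clear the browser copies even if that request fails.
async function logout(stores, callLogoutEndpoint) {
  const token = stores.session.getItem(TOKEN_KEY) ?? stores.local.getItem(TOKEN_KEY);
  try {
    if (token) await callLogoutEndpoint(token);
  } finally {
    clearCredentials(stores);
  }
}

// Idle timeout: onIdle fires after idleSeconds with no touch() call.
// touch() is meant to be called from user-activity event handlers.
// idleSeconds of 0 disables the timer (assumed here to be a number of seconds).
function startIdleTimer(idleSeconds, onIdle, timers = {
  set: (fn, ms) => setTimeout(fn, ms), clear: (h) => clearTimeout(h) }) {
  if (!idleSeconds) return { touch() {}, stop() {} };
  let handle = timers.set(onIdle, idleSeconds * 1000);
  const touch = () => { timers.clear(handle); handle = timers.set(onIdle, idleSeconds * 1000); };
  return { touch, stop: () => timers.clear(handle) };
}
```

In a browser, `stores` would be `{ local: window.localStorage, session: window.sessionStorage }` and `onIdle` would call `logout`.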
