Project

General

Profile

Actions

Story #16848

closed

Token handling improvements

Added by Peter Amstutz over 3 years ago. Updated almost 3 years ago.

Status:
Resolved
Priority:
Normal
Assigned To:
Category:
Workbench2
Start date:
02/17/2021
Due date:
% Done:

100%

Estimated time:
(Total: 0.00 h)
Story points:
2.0

Description

  • "Show current token" dialog in workbench should give you a button to request a new token instead of showing the one in use by Workbench. Change the label to something like "Get API token".
    • If LoginCluster is set and current cluster is not the login cluster, show the workbench token
    • If the "create token" API call fails, show the workbench token
  • Auto-logout should coordinate across browser tabs so that it only logs out when all of them have been idle. When there is activity, it should update a timestamp in localStorage. When deciding whether to logout due to an idle timeout, check that the shared timestamp in localStorage is expired.

Possibly useful, there's a "storage" event that happens when localStorage is updated.

https://html.spec.whatwg.org/multipage/webstorage.html#the-storageevent-interface


Subtasks 1 (0 open1 closed)

Arvados - Task #17031: Review 16848-token-handling-improvementsResolvedPeter Amstutz02/17/2021

Actions

Related issues

Related to Arvados Epics - Story #16520: GxP QualificationResolved08/01/202004/30/2021

Actions
Related to Arvados - Feature #16180: Add a "Copy to Clipboard" Button for the tokenResolved

Actions
Related to Arvados - Bug #16159: Expire or invalidate token when logging out (logout)ResolvedLucas Di Pentima04/08/2021

Actions
Actions #1

Updated by Peter Amstutz over 3 years ago

  • Category deleted (Workbench2)
  • Description updated (diff)
Actions #2

Updated by Peter Amstutz over 3 years ago

  • Target version set to 2020-10-07 Sprint
Actions #3

Updated by Peter Amstutz over 3 years ago

  • Release deleted (31)
  • Category set to Workbench2
Actions #4

Updated by Peter Amstutz over 3 years ago

  • Target version changed from 2020-10-07 Sprint to 2020-10-21 Sprint
Actions #5

Updated by Peter Amstutz over 3 years ago

Actions #6

Updated by Peter Amstutz over 3 years ago

  • Related to Feature #16180: Add a "Copy to Clipboard" Button for the token added
Actions #7

Updated by Peter Amstutz over 3 years ago

  • Description updated (diff)
Actions #8

Updated by Peter Amstutz over 3 years ago

  • Related to Bug #16159: Expire or invalidate token when logging out (logout) added
Actions #9

Updated by Peter Amstutz over 3 years ago

  • Target version changed from 2020-10-21 Sprint to 2020-11-04 Sprint
Actions #10

Updated by Peter Amstutz over 3 years ago

  • Assigned To set to Peter Amstutz
Actions #11

Updated by Peter Amstutz over 3 years ago

  • Target version changed from 2020-11-04 Sprint to 2020-11-18
Actions #12

Updated by Peter Amstutz over 3 years ago

  • Target version changed from 2020-11-18 to 2020-12-02 Sprint
Actions #13

Updated by Peter Amstutz over 3 years ago

  • Story points set to 2.0
Actions #14

Updated by Peter Amstutz over 3 years ago

  • Description updated (diff)
Actions #15

Updated by Peter Amstutz over 3 years ago

  • Assigned To deleted (Peter Amstutz)
Actions #16

Updated by Peter Amstutz over 3 years ago

  • Target version changed from 2020-12-02 Sprint to 2020-12-16 Sprint
Actions #17

Updated by Peter Amstutz about 3 years ago

  • Target version changed from 2020-12-16 Sprint to 2021-01-06 Sprint
Actions #18

Updated by Peter Amstutz about 3 years ago

  • Target version changed from 2021-01-06 Sprint to 2021-01-20 Sprint
Actions #19

Updated by Peter Amstutz about 3 years ago

  • Target version changed from 2021-01-20 Sprint to 2021-02-03 Sprint
Actions #20

Updated by Peter Amstutz about 3 years ago

  • Assigned To set to Lucas Di Pentima
Actions #21

Updated by Peter Amstutz about 3 years ago

  • Target version changed from 2021-02-03 Sprint to 2021-02-17 sprint
Actions #22

Updated by Lucas Di Pentima about 3 years ago

  • Status changed from New to In Progress
Actions #23

Updated by Lucas Di Pentima about 3 years ago

Updates at arvados-workbench2|211054b9 - branch 16848-token-handling-improvements
Test run: developer-tests-workbench2: #289

  • Renames "Get current token" dialog to "Get API Token".
  • Synchronizes session idle timer between different browser tabs/windows.
  • On app startup, and after session initialization, store a second token to be used on parts of the UI that hands out tokens to the user.
  • Use the extra token on the "Get API Token" and "Open as network folder or S3 bucket" dialogs. This is to avoid giving the user tokens that may be expired by a wb2 logout action.
  • Adds a "Get new token" button to the "Get API token" dialog.
  • When API.TokenLifetime is set, users cannot create tokens, so:
    • Don't show token creation errors on app startup.
    • Show wb2's token when a token is needed.
    • Show a warning message when the user clicks on the "Get new token" button saying it isn't allowed.
  • When Login.LoginCluster is set and it isn't wb2's home cluster, don't request the extra token and hide the "Get new token" button.
Actions #25

Updated by Lucas Di Pentima about 3 years ago

  • Target version changed from 2021-02-17 sprint to 2021-03-03 sprint
Actions #26

Updated by Peter Amstutz about 3 years ago

  • How hard would it be to have the "extra" token created the first time it is needed by the "Get Token" or "Open as S3 bucket" dialogs? If I am reading this right, the current approach will create an extra token every time the application loads, whether it is used or not.
  • Didn't we talk about making the "Get Token" dialog box display the time the token would expire? I don't see that here.
Actions #27

Updated by Lucas Di Pentima about 3 years ago

Updates at arvados-workbench2|a51a9c10
Test run: developer-tests-workbench2: #298 (just one new flaky test failing)

  • Avoid creating a new token at session init time, only when requested by the user.
  • Show token expiration date on the "Get API Token" dialog when available.
Actions #28

Updated by Lucas Di Pentima almost 3 years ago

  • Target version changed from 2021-03-03 sprint to 2021-03-17 sprint
Actions #29

Updated by Peter Amstutz almost 3 years ago

Lucas Di Pentima wrote:

Updates at arvados-workbench2|a51a9c10
Test run: developer-tests-workbench2: #298 (just one new flaky test failing)

  • Avoid creating a new token at session init time, only when requested by the user.
  • Show token expiration date on the "Get API Token" dialog when available.

A few more comments:

When the expiration date is empty or null, it should say something like "This token does not have an expiration date" instead of rendering nothing.

In getNewExtraToken(), this seems to be missing "extraApiTokenExpiration":

dispatch(authActions.SET_EXTRA_TOKEN({ extraToken: newExtraToken }));

If you set the expiration on the token some other way (such as the command line) Workbench will not notice. I suggest that when (reuseStored && extraApiToken) it should fetch the api_client_authorization record for that token using cthe "api_client_authorization.current" endpoint (which probably needs to be added to ApiClientAuthorizationService) because that it will fail if the token is invalid. If "api_client_authorization.current" fails it can try to create a new token.

Actions #30

Updated by Lucas Di Pentima almost 3 years ago

Updates at ab1faae9
Test run: developer-tests-workbench2: #306
  • Added message for non-expiring tokens on the "Get API token" dialog.
  • The getNewExtraToken() function checks the cached token's validity before returning it. Also refresh its expiration date on the store just in case it changed.

Pending: I'm struggling with getNewExtraToken()'s unit testing because of the amount of previous state required and multiple API calls involved, trying to mock all that.

Actions #31

Updated by Lucas Di Pentima almost 3 years ago

Update at arvados-workbench2|eb633efd
Test run: developer-tests-workbench2: #308

  • Resets cached token when not valid.
Actions #32

Updated by Peter Amstutz almost 3 years ago

Ok I apologize because this is absolutely scope creep and you can tell me to go pound sand, but: could we add button to copy only the token and not the entire block of shell code? I'm thinking the text would be something like this:

The Arvados API token is a secret key that enables the Arvados SDKs to access Arvados with the proper permissions.
For more information see Getting an API token.

Your Arvados API host is: ... [copy to clipboard button]
Your token is: v2/x2b8c-gj3su-qjoa01idfdfyczx/5kf9gdosqvvmsn8jthhrbq2ws5sx1ogvwtruo1oid6p0i1tfos [copy to clipboard button]
This token expires at ... / This token does not have an expiration date

[Generate new Token]

Paste the following lines at a shell prompt to set up the necessary environment for Arvados SDKs to authenticate to your account.

HISTIGNORE=$HISTIGNORE:'export ARVADOS_API_TOKEN=*'
export ARVADOS_API_TOKEN=v2/x2b8c-gj3su-qjoa01idfdfyczx/5kf9gdosqvvmsn8jthhrbq2ws5sx1ogvwtruo1oid6p0i1tfos
export ARVADOS_API_HOST=172.17.0.2:8000
unset ARVADOS_API_HOST_INSECURE

[Copy to clipboard]

Actions #33

Updated by Lucas Di Pentima almost 3 years ago

Updates at arvados-workbench2|21cb7a9d
Test run: developer-tests-workbench2: #313

  • Applies suggested updates from the above comments on the 'Get API token' dialog.
Actions #34

Updated by Lucas Di Pentima almost 3 years ago

Updates at arvados-workbench2|e84e9949
Test run: developer-tests-workbench2: #316

  • Adds unit test for getNewExtraToken()
Actions #35

Updated by Peter Amstutz almost 3 years ago

Lucas Di Pentima wrote:

Updates at arvados-workbench2|e84e9949
Test run: developer-tests-workbench2: #316

  • Adds unit test for getNewExtraToken()

Just one more suggestion, maybe use <DetailsAttribute> and label them "API Host", "API Token" and "Token Expiration"?

Rest LGTM.

Actions #36

Updated by Lucas Di Pentima almost 3 years ago

Updates at: arvados-workbench2|835fca71

Changed data display layout to use <DetailsAttribute /> as suggested. Reduced the shell code block's font size a little so it doesn't show an horizontal scrollbar.

Will merge to master.

Actions #37

Updated by Anonymous almost 3 years ago

  • Status changed from In Progress to Resolved
Actions #38

Updated by Lucas Di Pentima almost 3 years ago

Unit tests failing because of the use of DetailsAttribute component that requires a mocked store.

Fix at arvados-workbench2|4c2c72d6 - branch 16848-unit-tests-fixes
Test run: developer-tests-workbench2: #332

Actions

Also available in: Atom PDF