Story #16848

Token handling improvements

Added by Peter Amstutz about 1 year ago. Updated 7 months ago.

Status: Resolved
Priority: Normal
Assigned To:
Category: Workbench2
Start date: 02/17/2021
Due date:
% Done: 100%
Estimated time: (Total: 0.00 h)
Story points: 2.0

Description

  • "Show current token" dialog in workbench should give you a button to request a new token instead of showing the one in use by Workbench. Change the label to something like "Get API token".
    • If LoginCluster is set and current cluster is not the login cluster, show the workbench token
    • If the "create token" API call fails, show the workbench token
  • Auto-logout should coordinate across browser tabs so that it only logs out when all of them have been idle. When there is activity, it should update a timestamp in localStorage. When deciding whether to logout due to an idle timeout, check that the shared timestamp in localStorage is expired.

Possibly useful, there's a "storage" event that happens when localStorage is updated.

https://html.spec.whatwg.org/multipage/webstorage.html#the-storageevent-interface
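
The cross-tab idle check described above, as an added example that is not Workbench's code: each tab publishes its activity to a shared storage key and logs out only when the newest timestamp from any tab has expired. The key name, the function names and the in-memory storage stand-in are assumptions.

```javascript
// Added example (not Workbench code). KEY and all function names are
// hypothetical; `storage` is anything with the Web Storage getItem/setItem
// interface, i.e. window.localStorage in a browser.
const KEY = 'lastActivityMs';

function createIdleCoordinator({ storage, timeoutMs, onLogout, now = Date.now }) {
  let lastSeen = now();      // this tab's newest known activity
  let loggedOut = false;

  // Accept only a finite timestamp that is not in the future, so a corrupt
  // or tampered value cannot keep the session alive indefinitely.
  const parse = (raw) => {
    const t = Number(raw);
    return Number.isFinite(t) && t > 0 && t <= now() ? t : 0;
  };

  return {
    // Call on user input; publishes this tab's activity to the other tabs.
    recordActivity() {
      lastSeen = now();
      storage.setItem(KEY, String(lastSeen));
    },
    // Call from window's 'storage' event, which fires in the *other* tabs.
    onStorageEvent(event) {
      if (event.key === KEY) lastSeen = Math.max(lastSeen, parse(event.newValue));
    },
    // Call from a periodic timer; logs out only when every tab is idle.
    checkIdle() {
      if (loggedOut) return true;
      const newest = Math.max(lastSeen, parse(storage.getItem(KEY)));
      if (now() - newest >= timeoutMs) {
        loggedOut = true;
        onLogout();
      }
      return loggedOut;
    },
  };
}

// In-memory stand-in for localStorage so the example also runs under Node.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}
```

In a browser, pass `window.localStorage` as `storage` and call `onStorageEvent` from a `window.addEventListener('storage', ...)` listener. Any script on the origin can write the key, so server-side token expiry remains the enforcing control.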


Subtasks

Arvados - Task #17031: Review 16848-token-handling-improvements (Resolved, Peter Amstutz)


Related issues

Related to Arvados Epics - Story #16520: GxP Qualification (Resolved, 08/01/2020, 04/30/2021)

Related to Arvados - Feature #16180: Add a "Copy to Clipboard" Button for the token (New)

Related to Arvados - Bug #16159: Expire or invalidate token when logging out (logout) (Resolved, 04/08/2021)

Associated revisions

Revision a2eefb68
Added by Lucas Di Pentima 7 months ago

Merge branch '16848-token-handling-improvements'
Closes #16848

Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <>

Revision 18e2272d
Added by Lucas Di Pentima 7 months ago

Merge branch '16848-unit-tests-fixes'
Refs #16848

Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <>

History

#1 Updated by Peter Amstutz about 1 year ago

  • Category deleted (Workbench2)
  • Description updated (diff)

#2 Updated by Peter Amstutz about 1 year ago

  • Target version set to 2020-10-07 Sprint

#3 Updated by Peter Amstutz about 1 year ago

  • Release deleted (31)
  • Category set to Workbench2

#4 Updated by Peter Amstutz about 1 year ago

  • Target version changed from 2020-10-07 Sprint to 2020-10-21 Sprint

#5 Updated by Peter Amstutz about 1 year ago

#6 Updated by Peter Amstutz about 1 year ago

  • Related to Feature #16180: Add a "Copy to Clipboard" Button for the token added

#7 Updated by Peter Amstutz about 1 year ago

  • Description updated (diff)

#8 Updated by Peter Amstutz about 1 year ago

  • Related to Bug #16159: Expire or invalidate token when logging out (logout) added

#9 Updated by Peter Amstutz about 1 year ago

  • Target version changed from 2020-10-21 Sprint to 2020-11-04 Sprint

#10 Updated by Peter Amstutz 12 months ago

  • Assigned To set to Peter Amstutz

#11 Updated by Peter Amstutz 12 months ago

  • Target version changed from 2020-11-04 Sprint to 2020-11-18

#12 Updated by Peter Amstutz 11 months ago

  • Target version changed from 2020-11-18 to 2020-12-02 Sprint

#13 Updated by Peter Amstutz 11 months ago

  • Story points set to 2.0

#14 Updated by Peter Amstutz 11 months ago

  • Description updated (diff)

#15 Updated by Peter Amstutz 11 months ago

  • Assigned To deleted (Peter Amstutz)

#16 Updated by Peter Amstutz 11 months ago

  • Target version changed from 2020-12-02 Sprint to 2020-12-16 Sprint

#17 Updated by Peter Amstutz 11 months ago

  • Target version changed from 2020-12-16 Sprint to 2021-01-06 Sprint

#18 Updated by Peter Amstutz 10 months ago

  • Target version changed from 2021-01-06 Sprint to 2021-01-20 Sprint

#19 Updated by Peter Amstutz 9 months ago

  • Target version changed from 2021-01-20 Sprint to 2021-02-03 Sprint

#20 Updated by Peter Amstutz 9 months ago

  • Assigned To set to Lucas Di Pentima

#21 Updated by Peter Amstutz 9 months ago

  • Target version changed from 2021-02-03 Sprint to 2021-02-17 sprint

#22 Updated by Lucas Di Pentima 8 months ago

  • Status changed from New to In Progress

#23 Updated by Lucas Di Pentima 8 months ago

Updates at arvados-workbench2|211054b9 - branch 16848-token-handling-improvements
Test run: https://ci.arvados.org/view/Developer/job/developer-tests-workbench2/289/

  • Renames "Get current token" dialog to "Get API Token".
  • Synchronizes session idle timer between different browser tabs/windows.
  • On app startup, and after session initialization, store a second token to be used on parts of the UI that hand out tokens to the user.
  • Use the extra token on the "Get API Token" and "Open as network folder or S3 bucket" dialogs. This is to avoid giving the user tokens that may be expired by a wb2 logout action.
  • Adds a "Get new token" button to the "Get API token" dialog.
  • When API.TokenLifetime is set, users cannot create tokens, so:
    • Don't show token creation errors on app startup.
    • Show wb2's token when a token is needed.
    • Show a warning message when the user clicks on the "Get new token" button saying it isn't allowed.
  • When Login.LoginCluster is set and it isn't wb2's home cluster, don't request the extra token and hide the "Get new token" button.

#25 Updated by Lucas Di Pentima 8 months ago

  • Target version changed from 2021-02-17 sprint to 2021-03-03 sprint

#26 Updated by Peter Amstutz 8 months ago

  • How hard would it be to have the "extra" token created the first time it is needed by the "Get Token" or "Open as S3 bucket" dialogs? If I am reading this right, the current approach will create an extra token every time the application loads, whether it is used or not.
  • Didn't we talk about making the "Get Token" dialog box display the time the token would expire? I don't see that here.

#27 Updated by Lucas Di Pentima 8 months ago

Updates at arvados-workbench2|a51a9c10
Test run: https://ci.arvados.org/view/Developer/job/developer-tests-workbench2/298/ (just one new flaky test failing)

  • Avoid creating a new token at session init time, only when requested by the user.
  • Show token expiration date on the "Get API Token" dialog when available.

#28 Updated by Lucas Di Pentima 8 months ago

  • Target version changed from 2021-03-03 sprint to 2021-03-17 sprint

#29 Updated by Peter Amstutz 8 months ago

Lucas Di Pentima wrote:

Updates at arvados-workbench2|a51a9c10
Test run: https://ci.arvados.org/view/Developer/job/developer-tests-workbench2/298/ (just one new flaky test failing)

  • Avoid creating a new token at session init time, only when requested by the user.
  • Show token expiration date on the "Get API Token" dialog when available.

A few more comments:

When the expiration date is empty or null, it should say something like "This token does not have an expiration date" instead of rendering nothing.

In getNewExtraToken(), this seems to be missing "extraApiTokenExpiration":

dispatch(authActions.SET_EXTRA_TOKEN({ extraToken: newExtraToken }));

If you set the expiration on the token some other way (such as the command line) Workbench will not notice. I suggest that when (reuseStored && extraApiToken) it should fetch the api_client_authorization record for that token using the "api_client_authorization.current" endpoint (which probably needs to be added to ApiClientAuthorizationService) because it will fail if the token is invalid. If "api_client_authorization.current" fails it can try to create a new token.

#30 Updated by Lucas Di Pentima 7 months ago

Updates at ab1faae9
Test run: https://ci.arvados.org/view/Developer/job/developer-tests-workbench2/306/
  • Added message for non-expiring tokens on the "Get API token" dialog.
  • The getNewExtraToken() function checks the cached token's validity before returning it. Also refresh its expiration date on the store just in case it changed.

Pending: I'm struggling with getNewExtraToken()'s unit testing because of the amount of previous state required and multiple API calls involved, trying to mock all that.
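
The token selection discussed in comments #23 through #30, as an added example that is not the project's getNewExtraToken(): validate the cached extra token against the server, create a new one if it is rejected, and fall back to the session token when creation is refused or LoginCluster points elsewhere. All names are hypothetical; `api.current()` and `api.create()` stand in for the api_client_authorization calls, and the `api_token` / `expires_at` record fields are assumed.

```javascript
// Added example (not Workbench code). All names are hypothetical:
// api.current(token) and api.create() stand in for the
// api_client_authorization "current" and "create" calls, and the record
// fields api_token / expires_at are assumed.
async function tokenForUser({ sessionToken, cached, api, loginCluster, homeCluster }) {
  const fallback = { token: sessionToken, source: 'session' };

  // LoginCluster is set and is not this cluster: never request an extra token.
  if (loginCluster && loginCluster !== homeCluster) return fallback;

  // Reuse the cached extra token only if the server still accepts it, and
  // take the expiry from the server record in case it was changed elsewhere.
  if (cached) {
    try {
      const rec = await api.current(cached);
      return { token: cached, expiresAt: rec.expires_at || null, source: 'cached' };
    } catch (err) {
      // Invalid or expired: fall through and try to create a new one.
    }
  }
  try {
    const rec = await api.create();
    return { token: rec.api_token, expiresAt: rec.expires_at || null, source: 'new' };
  } catch (err) {
    // Creation refused (e.g. API.TokenLifetime is set): show the session token.
    return fallback;
  }
}

// Constructed stub server: knows which tokens are valid and whether users
// may create tokens.
function stubApi({ valid = {}, canCreate = true }) {
  return {
    async current(token) {
      if (!(token in valid)) throw new Error('401 invalid token');
      return { expires_at: valid[token] };
    },
    async create() {
      if (!canCreate) throw new Error('403 token creation not allowed');
      return { api_token: 'v2/constructed-uuid/constructed-secret', expires_at: null };
    },
  };
}
```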

#32 Updated by Peter Amstutz 7 months ago

Ok I apologize because this is absolutely scope creep and you can tell me to go pound sand, but: could we add a button to copy only the token and not the entire block of shell code? I'm thinking the text would be something like this:

The Arvados API token is a secret key that enables the Arvados SDKs to access Arvados with the proper permissions.
For more information see Getting an API token.

Your Arvados API host is: ... [copy to clipboard button]
Your token is: v2/x2b8c-gj3su-qjoa01idfdfyczx/5kf9gdosqvvmsn8jthhrbq2ws5sx1ogvwtruo1oid6p0i1tfos [copy to clipboard button]
This token expires at ... / This token does not have an expiration date

[Generate new Token]

Paste the following lines at a shell prompt to set up the necessary environment for Arvados SDKs to authenticate to your account.

HISTIGNORE=$HISTIGNORE:'export ARVADOS_API_TOKEN=*'
export ARVADOS_API_TOKEN=v2/x2b8c-gj3su-qjoa01idfdfyczx/5kf9gdosqvvmsn8jthhrbq2ws5sx1ogvwtruo1oid6p0i1tfos
export ARVADOS_API_HOST=172.17.0.2:8000
unset ARVADOS_API_HOST_INSECURE

[Copy to clipboard]

#33 Updated by Lucas Di Pentima 7 months ago

Updates at arvados-workbench2|21cb7a9d
Test run: https://ci.arvados.org/view/Developer/job/developer-tests-workbench2/313/

  • Applies suggested updates from the above comments on the 'Get API token' dialog.

#35 Updated by Peter Amstutz 7 months ago

Lucas Di Pentima wrote:

Updates at arvados-workbench2|e84e9949
Test run: https://ci.arvados.org/view/Developer/job/developer-tests-workbench2/316/

  • Adds unit test for getNewExtraToken()

Just one more suggestion, maybe use <DetailsAttribute> and label them "API Host", "API Token" and "Token Expiration"?

Rest LGTM.

#36 Updated by Lucas Di Pentima 7 months ago

Updates at: arvados-workbench2|835fca71

Changed data display layout to use <DetailsAttribute /> as suggested. Reduced the shell code block's font size a little so it doesn't show a horizontal scrollbar.

Will merge to master.

#37 Updated by Anonymous 7 months ago

  • Status changed from In Progress to Resolved

#38 Updated by Lucas Di Pentima 7 months ago

Unit tests failing because of the use of DetailsAttribute component that requires a mocked store.

Fix at arvados-workbench2|4c2c72d6 - branch 16848-unit-tests-fixes
Test run: https://ci.arvados.org/view/Developer/job/developer-tests-workbench2/332/
