Idea #16848
closed
Token handling improvements
Added by Peter Amstutz over 4 years ago. Updated 8 months ago.
Description
- "Show current token" dialog in workbench should give you a button to request a new token instead of showing the one in use by Workbench. Change the label to something like "Get API token".
- If LoginCluster is set and current cluster is not the login cluster, show the workbench token
- If the "create token" API call fails, show the workbench token
- Auto-logout should coordinate across browser tabs so that it only logs out when all of them have been idle. When there is activity, it should update a timestamp in localStorage. When deciding whether to log out due to an idle timeout, check that the shared timestamp in localStorage is expired.
Possibly useful, there's a "storage" event that happens when localStorage is updated.
https://html.spec.whatwg.org/multipage/webstorage.html#the-storageevent-interface
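The cross-tab idle logout described above, sketched as an added example (not code from Workbench or from this ticket's branch). The key name `lastActivityAt` and the `SharedIdleTimer` class are hypothetical, and storage and clock are passed in so the logic can run outside a browser.

```javascript
// Added example. KEY and SharedIdleTimer are hypothetical names, not Workbench code.
const KEY = 'lastActivityAt'; // one value shared by all tabs of the origin

class SharedIdleTimer {
  // storage: Storage-like object (window.localStorage in a browser).
  constructor(storage, idleMs, onLogout, now = Date.now) {
    Object.assign(this, { storage, idleMs, onLogout, now, timer: null });
  }

  // Call on user activity in this tab (mousemove, keydown, ...).
  recordActivity() {
    this.storage.setItem(KEY, String(this.now()));
    this.schedule();
  }

  // Milliseconds until the shared timestamp expires; <= 0 means idle.
  remaining() {
    const last = Number(this.storage.getItem(KEY));
    // Missing or non-numeric value: treat the session as idle (fail closed).
    if (!Number.isFinite(last) || last <= 0) return 0;
    // Clamp to "now" so a timestamp in the future cannot extend the session.
    return Math.min(last, this.now()) + this.idleMs - this.now();
  }

  // Local timer fired: log out only if no tab has been active recently.
  check() {
    const left = this.remaining();
    if (left <= 0) { this.onLogout(); return true; }
    this.schedule(left); // another tab was active; wait out the remainder
    return false;
  }

  schedule(delay = this.idleMs) {
    clearTimeout(this.timer);
    this.timer = setTimeout(() => this.check(), delay);
    if (this.timer.unref) this.timer.unref(); // Node only: don't block exit
  }

  // Browser wiring: window.addEventListener('storage', e => t.onStorage(e));
  // the event fires in the *other* tabs when one tab writes KEY.
  onStorage(event) {
    if (event.key === KEY) this.schedule(Math.max(this.remaining(), 0));
  }
}
```

Because localStorage is writable by any script on the origin, the shared timestamp is a convenience signal only; server-side token expiry remains the actual control.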
Updated by Peter Amstutz over 4 years ago
- Category deleted (Workbench2)
- Description updated (diff)
Updated by Peter Amstutz over 4 years ago
- Target version set to 2020-10-07 Sprint
Updated by Peter Amstutz over 4 years ago
- Release deleted (31)
- Category set to Workbench2
Updated by Peter Amstutz about 4 years ago
- Target version changed from 2020-10-07 Sprint to 2020-10-21 Sprint
Updated by Peter Amstutz about 4 years ago
- Related to Idea #16520: GxP Qualification added
Updated by Peter Amstutz about 4 years ago
- Related to Feature #16180: Add a "Copy to Clipboard" Button for the token added
Updated by Peter Amstutz about 4 years ago
- Related to Bug #16159: Expire or invalidate token when logging out (logout) added
Updated by Peter Amstutz about 4 years ago
- Target version changed from 2020-10-21 Sprint to 2020-11-04 Sprint
Updated by Peter Amstutz about 4 years ago
- Target version changed from 2020-11-04 Sprint to 2020-11-18
Updated by Peter Amstutz about 4 years ago
- Target version changed from 2020-11-18 to 2020-12-02 Sprint
Updated by Peter Amstutz about 4 years ago
- Target version changed from 2020-12-02 Sprint to 2020-12-16 Sprint
Updated by Peter Amstutz about 4 years ago
- Target version changed from 2020-12-16 Sprint to 2021-01-06 Sprint
Updated by Peter Amstutz about 4 years ago
- Target version changed from 2021-01-06 Sprint to 2021-01-20 Sprint
Updated by Peter Amstutz almost 4 years ago
- Target version changed from 2021-01-20 Sprint to 2021-02-03 Sprint
Updated by Peter Amstutz almost 4 years ago
- Assigned To set to Lucas Di Pentima
Updated by Peter Amstutz almost 4 years ago
- Target version changed from 2021-02-03 Sprint to 2021-02-17 sprint
Updated by Lucas Di Pentima almost 4 years ago
- Status changed from New to In Progress
Updated by Lucas Di Pentima almost 4 years ago
Updates at arvados-workbench2|211054b9 - branch 16848-token-handling-improvements
Test run: developer-tests-workbench2: #289
- Renames "Get current token" dialog to "Get API Token".
- Synchronizes session idle timer between different browser tabs/windows.
- On app startup, and after session initialization, store a second token to be used on parts of the UI that hands out tokens to the user.
- Use the extra token on the "Get API Token" and "Open as network folder or S3 bucket" dialogs. This is to avoid giving the user tokens that may be expired by a wb2 logout action.
- Adds a "Get new token" button to the "Get API token" dialog.
- When API.TokenLifetime is set, users cannot create tokens, so:
  - Don't show token creation errors on app startup.
  - Show wb2's token when a token is needed.
  - Show a warning message when the user clicks on the "Get new token" button saying it isn't allowed.
- When Login.LoginCluster is set and it isn't wb2's home cluster, don't request the extra token and hide the "Get new token" button.
Updated by Lucas Di Pentima almost 4 years ago
Updates at arvados-workbench2|7d797c64
Test run: developer-tests-workbench2: #291
Fixes unit test
Updated by Lucas Di Pentima almost 4 years ago
- Target version changed from 2021-02-17 sprint to 2021-03-03 sprint
Updated by Peter Amstutz almost 4 years ago
- How hard would it be to have the "extra" token created the first time it is needed by the "Get Token" or "Open as S3 bucket" dialogs? If I am reading this right, the current approach will create an extra token every time the application loads, whether it is used or not.
- Didn't we talk about making the "Get Token" dialog box display the time the token would expire? I don't see that here.
Updated by Lucas Di Pentima almost 4 years ago
Updates at arvados-workbench2|a51a9c10
Test run: developer-tests-workbench2: #298 (just one new flaky test failing)
- Avoid creating a new token at session init time, only when requested by the user.
- Show token expiration date on the "Get API Token" dialog when available.
Updated by Lucas Di Pentima almost 4 years ago
- Target version changed from 2021-03-03 sprint to 2021-03-17 sprint
Updated by Peter Amstutz almost 4 years ago
Lucas Di Pentima wrote:
Updates at arvados-workbench2|a51a9c10
Test run: developer-tests-workbench2: #298 (just one new flaky test failing)
- Avoid creating a new token at session init time, only when requested by the user.
- Show token expiration date on the "Get API Token" dialog when available.
A few more comments:
When the expiration date is empty or null, it should say something like "This token does not have an expiration date" instead of rendering nothing.
In getNewExtraToken(), this seems to be missing "extraApiTokenExpiration":
dispatch(authActions.SET_EXTRA_TOKEN({ extraToken: newExtraToken }));
If you set the expiration on the token some other way (such as the command line) Workbench will not notice. I suggest that when (reuseStored && extraApiToken) it should fetch the api_client_authorization record for that token using the "api_client_authorization.current" endpoint (which probably needs to be added to ApiClientAuthorizationService) because it will fail if the token is invalid. If "api_client_authorization.current" fails it can try to create a new token.
Updated by Lucas Di Pentima almost 4 years ago
Test run: developer-tests-workbench2: #306
- Added message for non-expiring tokens on the "Get API token" dialog.
- The getNewExtraToken() function checks the cached token's validity before returning it. Also refresh its expiration date on the store just in case it changed.
Pending: I'm struggling with getNewExtraToken()'s unit testing because of the amount of previous state required and multiple API calls involved, trying to mock all that.
Updated by Lucas Di Pentima almost 4 years ago
Update at arvados-workbench2|eb633efd
Test run: developer-tests-workbench2: #308
- Resets cached token when not valid.
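The token-handling flow worked out in the comments above (create on first use, revalidate a cached token, reset it when invalid, fall back to the session token when creation fails), as an added example that is not the branch's getNewExtraToken(). The `api.current` and `api.create` callables and the `state` fields are hypothetical stand-ins, not the Workbench or Arvados SDK interfaces.

```javascript
// Added example; `api`, `state` and the function names are hypothetical.
async function getExtraToken(state, api, { reuseStored = true } = {}) {
  if (reuseStored && state.extraToken) {
    try {
      // Ask the server about the cached token; an invalid token fails here.
      const rec = await api.current(state.extraToken);
      // The expiration may have been changed elsewhere, so refresh it.
      state.extraTokenExpiration = rec.expiresAt ?? null;
      return { token: state.extraToken,
               expiresAt: state.extraTokenExpiration, source: 'cached' };
    } catch (err) {
      // Cached token is no longer usable: forget it before trying again.
      state.extraToken = null;
      state.extraTokenExpiration = null;
    }
  }
  try {
    const created = await api.create();
    state.extraToken = created.token;
    state.extraTokenExpiration = created.expiresAt ?? null;
    return { token: created.token,
             expiresAt: state.extraTokenExpiration, source: 'new' };
  } catch (err) {
    // Creation refused or failed: hand out the session's own token instead.
    return { token: state.sessionToken,
             expiresAt: state.sessionExpiration ?? null, source: 'session' };
  }
}

// Text for the dialog; never render an empty expiration as nothing.
function describeExpiration(expiresAt) {
  return expiresAt
    ? `This token expires at ${new Date(expiresAt).toISOString()}`
    : 'This token does not have an expiration date';
}
```

The `source` field lets the dialog tell the user when the value shown is the session token, which a logout may invalidate.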
Updated by Peter Amstutz almost 4 years ago
Ok I apologize because this is absolutely scope creep and you can tell me to go pound sand, but: could we add a button to copy only the token and not the entire block of shell code? I'm thinking the text would be something like this:
The Arvados API token is a secret key that enables the Arvados SDKs to access Arvados with the proper permissions. For more information see Getting an API token.

Your Arvados API host is: ... [copy to clipboard button]

Your token is: v2/x2b8c-gj3su-qjoa01idfdfyczx/5kf9gdosqvvmsn8jthhrbq2ws5sx1ogvwtruo1oid6p0i1tfos [copy to clipboard button]

This token expires at ... / This token does not have an expiration date

[Generate new Token]

Paste the following lines at a shell prompt to set up the necessary environment for Arvados SDKs to authenticate to your account.

HISTIGNORE=$HISTIGNORE:'export ARVADOS_API_TOKEN=*'
export ARVADOS_API_TOKEN=v2/x2b8c-gj3su-qjoa01idfdfyczx/5kf9gdosqvvmsn8jthhrbq2ws5sx1ogvwtruo1oid6p0i1tfos
export ARVADOS_API_HOST=172.17.0.2:8000
unset ARVADOS_API_HOST_INSECURE

[Copy to clipboard]
Updated by Lucas Di Pentima almost 4 years ago
Updates at arvados-workbench2|21cb7a9d
Test run: developer-tests-workbench2: #313
- Applies suggested updates from the above comments on the 'Get API token' dialog.
Updated by Lucas Di Pentima almost 4 years ago
Updates at arvados-workbench2|e84e9949
Test run: developer-tests-workbench2: #316
- Adds unit test for getNewExtraToken()
Updated by Peter Amstutz almost 4 years ago
Lucas Di Pentima wrote:
Updates at arvados-workbench2|e84e9949
Test run: developer-tests-workbench2: #316
- Adds unit test for getNewExtraToken()
Just one more suggestion, maybe use <DetailsAttribute> and label them "API Host", "API Token" and "Token Expiration"?
Rest LGTM.
Updated by Lucas Di Pentima almost 4 years ago
Updates at: arvados-workbench2|835fca71
Changed data display layout to use <DetailsAttribute /> as suggested. Reduced the shell code block's font size a little so it doesn't show a horizontal scrollbar.
Will merge to master.
Updated by Anonymous almost 4 years ago
- Status changed from In Progress to Resolved
Applied in changeset arvados:arvados-workbench2|a2eefb6888ba68ffdf6efe49f4f05b388443330d.
Updated by Lucas Di Pentima almost 4 years ago
Unit tests failing because of the use of DetailsAttribute component that requires a mocked store.
Fix at arvados-workbench2|4c2c72d6 - branch 16848-unit-tests-fixes
Test run: developer-tests-workbench2: #332