Project

General

Profile

Actions

Bug #18936

open

[api] [controller] remove reader_token support

Added by Ward Vandewege 3 months ago. Updated 7 days ago.

Status:
New
Priority:
Normal
Assigned To:
-
Category:
-
Target version:
Start date:
Due date:
% Done:

0%

Estimated time:
Story points:
-

Description

Workbench 1 appends the anonymous user token in a "reader token" to each GET request to make sure that content shared with the anonymous user is available to authenticated users, even if not shared with explicitly with them.

Controller just appends any reader tokens received to the token list for the request.

API uses reader_tokens for GET requests in (services/api/app/controllers/application_controller.rb).

But it also does something else; in services/api/app/middlewares/arvados_api_token.rb it seems that if the primary session token is not valid, the first working reader token is used instead.

Workbench 2 does not use reader_tokens (which means authenticated users can not access data only shared with the anonymous user!).

Nothing else in our codebase appears to use reader_tokens.

Our documentation does not mention reader_tokens.

#18937 is about simplifying the anonymous token configuration - basically, doing away with the need for an anonymous token at all. Once that is done, we can remove the controller and API code that handles reader_tokens. Maybe log a warning if a reader token is used (though, as long as WB1 is around, that's going to generate a lot of noise in the logs)?


Related issues

Related to Arvados - Bug #18887: [federation] wb1 fiddlesticks in login federationResolvedWard Vandewege03/25/2022

Actions
Blocked by Arvados - Feature #18937: [config] simplify AnonymousUserToken configurationNew

Actions
Blocked by Arvados - Story #18861: Retire wb1New

Actions
Actions #1

Updated by Ward Vandewege 3 months ago

  • Description updated (diff)
Actions #2

Updated by Ward Vandewege 3 months ago

  • Description updated (diff)
Actions #3

Updated by Ward Vandewege 3 months ago

  • Description updated (diff)
Actions #4

Updated by Ward Vandewege 3 months ago

  • Related to Bug #18887: [federation] wb1 fiddlesticks in login federation added
Actions #5

Updated by Ward Vandewege 3 months ago

  • Description updated (diff)
Actions #6

Updated by Ward Vandewege 3 months ago

  • Related to Feature #18937: [config] simplify AnonymousUserToken configuration added
Actions #7

Updated by Peter Amstutz 3 months ago

  • Target version changed from 2022-04-13 Sprint to 2022-04-27 Sprint
Actions #8

Updated by Ward Vandewege 3 months ago

  • Description updated (diff)
  • Subject changed from [api] handle anonymous token automatically in read requests to [api] [controller] remove reader_token support
Actions #9

Updated by Ward Vandewege 3 months ago

  • Related to deleted (Feature #18937: [config] simplify AnonymousUserToken configuration)
Actions #10

Updated by Ward Vandewege 3 months ago

  • Blocked by Feature #18937: [config] simplify AnonymousUserToken configuration added
Actions #11

Updated by Ward Vandewege 3 months ago

Actions #12

Updated by Ward Vandewege 3 months ago

Actions #13

Updated by Ward Vandewege 3 months ago

Actions #14

Updated by Peter Amstutz 3 months ago

  • Target version changed from 2022-04-27 Sprint to 2022-05-11 sprint
Actions #15

Updated by Peter Amstutz 2 months ago

  • Target version changed from 2022-05-11 sprint to 2022-05-25 sprint
Actions #16

Updated by Peter Amstutz about 2 months ago

  • Target version changed from 2022-05-25 sprint to 2022-06-08 sprint
Actions #17

Updated by Peter Amstutz about 2 months ago

  • Target version changed from 2022-06-08 sprint to 2022-06-22 Sprint
Actions #18

Updated by Peter Amstutz about 2 months ago

  • Target version changed from 2022-06-22 Sprint to 2022-07-06
Actions #19

Updated by Peter Amstutz 7 days ago

  • Target version changed from 2022-07-06 to 2022-07-20
Actions

Also available in: Atom PDF