Bug #18936
open
[api] [controller] remove reader_token support
Description
Workbench 1 appends the anonymous user token in a "reader token" to each GET request to make sure that content shared with the anonymous user is available to authenticated users, even if not shared with explicitly with them.
Controller just appends any reader tokens received to the token list for the request.
API uses reader_tokens for GET requests in (services/api/app/controllers/application_controller.rb).
But it also does something else; in services/api/app/middlewares/arvados_api_token.rb it seems that if the primary session token is not valid, the first working reader token is used instead.
Workbench 2 does not use reader_tokens (which means authenticated users can not access data only shared with the anonymous user!).
Nothing else in our codebase appears to use reader_tokens.
Our documentation does not mention reader_tokens.
#18937 is about simplifying the anonymous token configuration - basically, doing away with the need for an anonymous token at all. Once that is done, we can remove the controller and API code that handles reader_tokens. Maybe log a warning if a reader token is used (though, as long as WB1 is around, that's going to generate a lot of noise in the logs)?
Related issues
Updated by Ward Vandewege about 2 years ago
- Related to Bug #18887: [federation] wb1 fiddlesticks in login federation added
Updated by Ward Vandewege about 2 years ago
- Related to Feature #18937: [config] simplify AnonymousUserToken configuration added
Updated by Peter Amstutz about 2 years ago
- Target version changed from 2022-04-13 Sprint to 2022-04-27 Sprint
Updated by Ward Vandewege about 2 years ago
- Description updated (diff)
- Subject changed from [api] handle anonymous token automatically in read requests to [api] [controller] remove reader_token support
Updated by Ward Vandewege about 2 years ago
- Related to deleted (Feature #18937: [config] simplify AnonymousUserToken configuration)
Updated by Ward Vandewege about 2 years ago
- Blocked by Feature #18937: [config] simplify AnonymousUserToken configuration added
Updated by Peter Amstutz about 2 years ago
- Target version changed from 2022-04-27 Sprint to 2022-05-11 sprint
Updated by Peter Amstutz almost 2 years ago
- Target version changed from 2022-05-11 sprint to 2022-05-25 sprint
Updated by Peter Amstutz almost 2 years ago
- Target version changed from 2022-05-25 sprint to 2022-06-08 sprint
Updated by Peter Amstutz almost 2 years ago
- Target version changed from 2022-06-08 sprint to 2022-06-22 Sprint
Updated by Peter Amstutz almost 2 years ago
- Target version changed from 2022-06-22 Sprint to 2022-07-06
Updated by Peter Amstutz almost 2 years ago
- Target version changed from 2022-07-06 to 2022-07-20
Updated by Peter Amstutz almost 2 years ago
- Target version changed from 2022-07-20 to 2022-08-03 Sprint
Updated by Peter Amstutz almost 2 years ago
- Target version deleted (
2022-08-03 Sprint)
Updated by Peter Amstutz almost 2 years ago
- Target version set to 2022-09-28 sprint
Updated by Peter Amstutz over 1 year ago
- Target version deleted (
2022-09-28 sprint)
Updated by Peter Amstutz 7 months ago
- Related to Idea #17001: Arvados uses WB2 by default added