Bug #3625: [Workbench] API token provided in query string should not be ignored just because the session already has a token. - Arvados

Actions

Copy link

Bug #3625

open

[Workbench] API token provided in query string should not be ignored just because the session already has a token.

Added by Tom Clegg over 9 years ago. Updated about 2 months ago.

Status:

New

Priority:

Normal

Assigned To:

Category:

Target version:

Future

Story points:

0.5

Release:

Postponed

Release relationship:

Auto

Description

To reproduce:

Log in to Workbench.
Visit any Workbench page ?api_token=123abc (or a valid token).
The new token is ignored. You're still logged in as if you had never provided an api_token.
As a bonus, the ?api_token=123abc is displayed in the location bar instead of being redirected away.

If a token is explicitly provided this way, Workbench should

throw away the existing token (if any) in the session
use the new token from now on, whether or not it's valid
redirect to the current page without the ?api_token param, to avoid having tokens sitting around in Location bars.

In other words, the presence of session[:arvados_api_token] should not affect the process we use to copy a token from query string to session.

This may be a simple matter of reversing the order of the Thread and session tests here in ApplicationController.set_thread_api_token:

    if Thread.current[:arvados_api_token]
      yield   # An API token has already been found - pass it through.
      return
    elsif setup_user_session
      return  # A new session was set up and received a response.
    end