Bug #3625

[Workbench] API token provided in query string should not be ignored just because the session already has a token.

Added by Tom Clegg over 7 years ago. Updated 10 months ago.

To reproduce:

  1. Log in to Workbench.
  2. Visit any Workbench page with ?api_token=123abc (or a valid token).
  3. The new token is ignored. You're still logged in as if you had never provided an api_token.
  4. As a bonus, the ?api_token=123abc is displayed in the location bar instead of being redirected away.

If a token is explicitly provided this way, Workbench should:
  1. throw away the existing token (if any) in the session
  2. use the new token from now on, whether or not it's valid
  3. redirect to the current page without the ?api_token param, to avoid having tokens sitting around in Location bars.

In other words, the presence of session[:arvados_api_token] should not affect the process we use to copy a token from query string to session.

This may be a simple matter of reversing the order of the Thread and session tests here in ApplicationController.set_thread_api_token:

    if Thread.current[:arvados_api_token]
      yield   # An API token has already been found - pass it through.
    elsif setup_user_session
      return  # A new session was set up and received a response.
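
The three requested steps, sketched as an added example (not Workbench's own code and not part of the original report), with a switch that models the behaviour the report describes. The helper name `absorb_query_token`, the `reported_behaviour` keyword, the plain Hash standing in for the session, the workbench.example URL and the choice of the last value when api_token is repeated are all assumptions made for illustration.

```ruby
require 'uri'

# Hypothetical helper, not Workbench code. `session` is a plain Hash standing
# in for the Rails session. Returns the URL to redirect to, or nil when the
# request should be served as-is.
def absorb_query_token(session, url, reported_behaviour: false)
  uri = URI.parse(url)
  params = URI.decode_www_form(uri.query || '')
  supplied = params.select { |key, _| key == 'api_token' }.map(&:last)
  return nil if supplied.empty?

  # Behaviour described in the report: an existing session token wins, so the
  # supplied token is ignored and stays visible in the location bar.
  return nil if reported_behaviour && session[:arvados_api_token]

  # Requested steps 1 and 2: drop the old token, adopt the new one unvalidated.
  # Assumption: if api_token is repeated, the last value is used.
  session.delete(:arvados_api_token)
  session[:arvados_api_token] = supplied.last

  # Requested step 3: same page, api_token removed, other parameters kept.
  rest = params.reject { |key, _| key == 'api_token' }
  uri.query = rest.empty? ? nil : URI.encode_www_form(rest)
  uri.to_s
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample request; workbench.example is a placeholder host.
  url = 'https://workbench.example/collections?api_token=123abc&tab=files#top'
  [true, false].each do |reported|
    session = { arvados_api_token: 'token-from-login' }
    target = absorb_query_token(session, url, reported_behaviour: reported)
    puts "reported_behaviour=#{reported} redirect=#{target.inspect} " \
         "session=#{session[:arvados_api_token]}"
  end
end
```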


#1 Updated by Tom Clegg over 7 years ago

  • Description updated (diff)

#2 Updated by Tom Clegg about 7 years ago

  • Target version set to Arvados Future Sprints

#3 Updated by Ward Vandewege 10 months ago

  • Target version deleted (Arvados Future Sprints)
