Bug #3625

[Workbench] API token provided in query string should not be ignored just because the session already has a token.

Added by Tom Clegg almost 5 years ago. Updated about 4 years ago.

Status:
New
Priority:
Normal
Assigned To:
-
Category:
-
Target version:
Start date:
Due date:
% Done:
0%

Estimated time:
Story points:
0.5

Description

To reproduce:

  1. Log in to Workbench.
  2. Visit any Workbench page with ?api_token=123abc appended (or a valid token).
  3. The new token is ignored. You're still logged in as if you had never provided an api_token.
  4. As a bonus, the ?api_token=123abc is displayed in the location bar instead of being redirected away.

If a token is explicitly provided this way, Workbench should

  1. throw away the existing token (if any) in the session
  2. use the new token from now on, whether or not it's valid
  3. redirect to the current page without the ?api_token param, to avoid having tokens sitting around in Location bars.

In other words, the presence of session[:arvados_api_token] should not affect the process we use to copy a token from query string to session.

This may be a simple matter of reversing the order of the Thread and session tests here in ApplicationController.set_thread_api_token:

    if Thread.current[:arvados_api_token]
      yield   # An API token has already been found - pass it through.
      return
    elsif setup_user_session
      return  # A new session was set up and received a response.
    end
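The following is an added example, not code from the Arvados Workbench repository. It models the filter logic in plain Ruby so the two orderings can be compared: resolve_token_current reproduces the behaviour described above (a token already present in Thread.current, copied there from the session by an earlier filter, wins and the query-string token is ignored), while resolve_token_fixed checks the request parameter first, replaces the session token unconditionally, and returns a redirect URL with the api_token parameter stripped. The function names, the hash-based params/session and the URL are all assumptions made for the example.

```ruby
require 'uri'

# Remove api_token from a URL's query string so the token does not stay
# visible in the location bar, browser history or Referer headers.
def strip_token_param(url)
  uri = URI.parse(url)
  return url if uri.query.nil?
  remaining = URI.decode_www_form(uri.query).reject { |k, _| k == 'api_token' }
  uri.query = remaining.empty? ? nil : URI.encode_www_form(remaining)
  uri.to_s
end

# Model of the current ordering from the report: thread_token stands in for
# Thread.current[:arvados_api_token], already populated from the session by
# an earlier filter. When it is set, the explicit ?api_token is never read.
def resolve_token_current(params, session, thread_token)
  return { token: thread_token, redirect: nil } if thread_token

  if params['api_token']
    session[:arvados_api_token] = params['api_token']
    return { token: params['api_token'], redirect: nil }
  end
  { token: session[:arvados_api_token], redirect: nil }
end

# Model of the requested behaviour: an explicitly provided token always
# replaces whatever the session holds (valid or not), and the caller is told
# to redirect to the same page without the api_token parameter.
def resolve_token_fixed(params, session, request_url)
  if params['api_token']
    session[:arvados_api_token] = params['api_token']  # step 1 and 2: replace
    return { token: params['api_token'], redirect: strip_token_param(request_url) }  # step 3
  end
  { token: session[:arvados_api_token], redirect: nil }
end

if __FILE__ == $PROGRAM_NAME
  url = 'https://workbench.example/collections?api_token=123abc&page=2'  # constructed
  puts resolve_token_current({ 'api_token' => '123abc' }, { arvados_api_token: 'old' }, 'old').inspect
  puts resolve_token_fixed({ 'api_token' => '123abc' }, { arvados_api_token: 'old' }, url).inspect
end
```

In a Rails controller the redirect value would be passed to redirect_to; returning it from the resolver keeps the example testable without a request object.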

History

#1 Updated by Tom Clegg almost 5 years ago

  • Description updated (diff)

#2 Updated by Tom Clegg about 4 years ago

  • Target version set to Arvados Future Sprints
