Bug #3625

open

[Workbench] API token provided in query string should not be ignored just because the session already has a token.

Added by Tom Clegg over 10 years ago. Updated 10 months ago.

Status: New
Priority: Normal
Assigned To: -
Category: -
Target version:
Story points: 0.5
Release:
Release relationship: Auto

Description

To reproduce:

  1. Log in to Workbench.
  2. Visit any Workbench page ?api_token=123abc (or a valid token).
  3. The new token is ignored. You're still logged in as if you had never provided an api_token.
  4. As a bonus, the ?api_token=123abc is displayed in the location bar instead of being redirected away.

If a token is explicitly provided this way, Workbench should:
  1. throw away the existing token (if any) in the session
  2. use the new token from now on, whether or not it's valid
  3. redirect to the current page without the ?api_token param, to avoid having tokens sitting around in Location bars.

In other words, the presence of session[:arvados_api_token] should not affect the process we use to copy a token from query string to session.

This may be a simple matter of reversing the order of the Thread and session tests here in ApplicationController.set_thread_api_token:

    if Thread.current[:arvados_api_token]
      yield   # An API token has already been found - pass it through.
      return
    elsif setup_user_session
      return  # A new session was set up and received a response.
    end
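
The three requested steps, modelled as a plain-Ruby function. This is an example added here, not Workbench code: the helper name `adopt_query_token`, the Hash standing in for the Rails session, and the host `workbench.example` are assumptions, as is taking the last value when `api_token` appears more than once.

```ruby
require 'uri'

# Hypothetical helper (not Workbench code): models the requested handling of
# an api_token supplied in the query string.
#   session - Hash standing in for the Rails session
#   url     - full request URL as a String
# Returns the URL to redirect to (api_token stripped), or nil when the request
# carried no api_token and should be processed normally.
def adopt_query_token(session, url)
  uri = URI.parse(url)
  params = URI.decode_www_form(uri.query || '')
  supplied = params.select { |k, _| k == 'api_token' }.map { |_, v| v }
  return nil if supplied.empty?

  # 1. Throw away the existing token (if any) in the session.
  session.delete(:arvados_api_token)
  # 2. Use the new token from now on, whether or not it is valid.
  #    Assumption: when the parameter is repeated, the last value wins.
  session[:arvados_api_token] = supplied.last
  # 3. Redirect to the same page without api_token, keeping other parameters,
  #    so the token does not stay in the location bar.
  rest = params.reject { |k, _| k == 'api_token' }
  uri.query = rest.empty? ? nil : URI.encode_www_form(rest)
  uri.to_s
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a session that already holds a token.
  session = { arvados_api_token: 'existing-session-token' }
  target = adopt_query_token(
    session, 'https://workbench.example/collections?api_token=123abc&page=2'
  )
  puts "redirect to: #{target}"
  puts "session token: #{session[:arvados_api_token]}"
end
```

The session check is deliberately absent: whether `session[:arvados_api_token]` is already set has no effect on the outcome.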