Updated by Ward Vandewege about 1 year ago
Workbench 1 appends the anonymous user token in a "reader token" to each GET request to make sure that content shared with the anonymous user is available to authenticated users, even if not shared with explicitly with them. Controller just appends any reader tokens received to the token list for the request. API uses reader_tokens for GET requests in (services/api/app/controllers/application_controller.rb). But it also does something else; in services/api/app/middlewares/arvados_api_token.rb it seems that if the primary session token is not valid, the first working reader token is used instead. Workbench 2 does not use reader_tokens (which means authenticated users can not access data only shared with the anonymous user!). Nothing else in our codebase appears to use reader_tokens. Our documentation does not mention reader_tokens. #18937 is about simplifying It would be simpler to automatically consider the anonymous token configuration - basically, doing away with (IF it is not blank in the need configuation file, which indicates the cluster should not allow for an anonymous data access, ever) for all read requests in the token at all. Once that validation code, in addition to any token supplied. The anonymous token has a predictable UUID, so there is done, no reason to pass it around. This also means we can remove the controller and API code that handles reader_tokens. Maybe log a warning if a reader token is used (though, as long as WB1 is around, that's going to generate a lot of noise in the logs)?