Bug #3625

Updated by Tom Clegg about 5 years ago

To reproduce:

# Log in to Workbench.
# Visit any Workbench page with ?api_token=123abc (or a valid token).
# The new token is ignored. You're still logged in as if you had never provided an api_token.
# As a bonus, the ?api_token=123abc is displayed in the location bar instead of being redirected away.

If a token is explicitly provided this way, Workbench should:
# throw away the existing token (if any) in the session
# use the new token from now on, whether or not it's valid
# redirect to the current page without the ?api_token param, to avoid having tokens sitting around in Location bars.

In other words, the presence of <code class="ruby">session[:arvados_api_token]</code> should not affect the process we use to copy a token from query string to session.

This may be a simple matter of reversing the order of the Thread and session tests here in <code class="ruby">ApplicationController.set_thread_api_token</code>:

<pre><code class="ruby">
if Thread.current[:arvados_api_token]
  yield # An API token has already been found - pass it through.
elsif setup_user_session
  return # A new session was set up and received a response.