-
Notifications
You must be signed in to change notification settings - Fork 106
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[ASI-614] Bull queue to expire user session tokens #1905
Merged
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
csjiang
commented
Sep 24, 2021
csjiang
commented
Sep 24, 2021
csjiang
commented
Sep 24, 2021
csjiang
commented
Sep 24, 2021
monitoring - prob not needed. test on staging. |
csjiang
force-pushed
the
asi-614-session-expiration-queue
branch
7 times, most recently
from
September 29, 2021 04:30
d4339a2
to
4399716
Compare
csjiang
force-pushed
the
asi-614-session-expiration-queue
branch
from
September 29, 2021 15:01
4399716
to
a6d6654
Compare
dmanjunath
suggested changes
Sep 29, 2021
csjiang
force-pushed
the
asi-614-session-expiration-queue
branch
from
September 29, 2021 16:06
a6d6654
to
c5b5699
Compare
csjiang
force-pushed
the
asi-614-session-expiration-queue
branch
from
September 29, 2021 18:20
c5b5699
to
5bd7694
Compare
csjiang
added
content-node
Content Node (previously known as Creator Node)
javascript
Pull requests that update Javascript code
labels
Sep 29, 2021
csjiang
force-pushed
the
asi-614-session-expiration-queue
branch
3 times, most recently
from
October 26, 2021 21:29
23f6bf0
to
cbc8d62
Compare
dmanjunath
reviewed
Oct 28, 2021
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looking good! Small asks but i think we can get it merged today or tomorrow!
Prevent replay attacks by expiring user session tokens with a daily cron and Bull queue in content node. See also: [ASI-614][1] [1]: https://linear.app/audius/issue/ASI-614
* Use Redis MULTI feature to batch handle transactions in SessionExpirationQueue * Implement retry for DB bulk session delete call in SessionManager before rollback See also: [ASI-614][1] [1]: https://linear.app/audius/issue/ASI-614 i
See also: [ASI-614][1] [1]: https://linear.app/audius/issue/ASI-614
* add tests for SessionManager * add tests for DBManager See also: [ASI-614][1] [1]: https://linear.app/audius/issue/ASI-614
csjiang
force-pushed
the
asi-614-session-expiration-queue
branch
from
October 28, 2021 19:27
0c8ee6c
to
fc636ba
Compare
dmanjunath
approved these changes
Oct 28, 2021
good to go out after next client release |
raymondjacobson
approved these changes
Nov 9, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
content-node
Content Node (previously known as Creator Node)
javascript
Pull requests that update Javascript code
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Prevent replay attacks by expiring user session tokens with a daily cron
and Bull queue in content node.
See also:
ASI-614
Description
STs get generated when you go to client and start a new session. But tokens don’t get cleared in current architecture. So there’s possibility of replay attacks - session from 2y ago could be leveraged if someone got ahold of DB and made requests on behalf of a user. So we want to clean up sessions after 2 weeks.
See ASI-614 design doc on Notion for additional details.
Tests
SessionManager.deleteSessions
andDBManager.deleteSessionTokensFromDB
.How will this change be monitored?