feat: improve ImplicitBearerToken #698
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
FL-1067 Token expired just after login with username and password
ContextOn Lipome, see slack thread. Tanguy got an error "expired token", some minutes after login in with user and password Our interpretation of the issue:
SpecificationThere are several ways around this:
Acceptance criteriaUsing |
github-actions
bot
added
the
documentation
oleobal
changed the title
oleobal
force-pushed
the
fix/issue-old-tokens
branch
from
9c998ed
to
c0a6b5c
Compare
7 tasks
oleobal
force-pushed
the
fix/issue-old-tokens
branch
from
a11ebc3
to
801dd21
Compare
SdgJlbl
reviewed
Aug 2, 2023
SdgJlbl
reviewed
Aug 2, 2023
SdgJlbl
reviewed
Aug 2, 2023
oleobal
force-pushed
the
fix/issue-old-tokens
branch
3 times, most recently
from
798adda
to
4bf67b7
Compare
|
/e2e --tests sdk,frontend |
oleobal
force-pushed
the
fix/issue-old-tokens
branch
from
4bf67b7
to
89bb9b1
Compare
|
/e2e --tests sdk,frontend |
|
End to end tests: ✔️ SUCCESS “Carpe diem. Seize the day, boys.” ― John Keating, Dead Poets Society |
SdgJlbl
approved these changes
Aug 9, 2023
Comment on lines
+84
to
+85
| tokens = model.objects.filter(id=request.GET.get("id")) | ||
| if len(tokens) == 1 and request.user == tokens[0].user: |
There was a problem hiding this comment.
Minor but if we expect only one object, or raise, get does the job
There was a problem hiding this comment.
My worry is since len(tokens) == 0 is a common outcome of the above request, I'd be using exceptions for control flow.
There was a problem hiding this comment.
better ask for forgiveness than permission ☯️
7 tasks
oleobal
force-pushed
the
fix/issue-old-tokens
branch
4 times, most recently
from
ff22581
to
5f0590e
Compare
|
Waiting for Substra/substra#381 to merge |
Signed-off-by: Olivier Léobal <olivier.leobal@owkin.com>
Signed-off-by: Olivier Léobal <olivier.leobal@owkin.com>
Signed-off-by: Olivier Léobal <olivier.leobal@owkin.com>
Signed-off-by: Olivier Léobal <olivier.leobal@owkin.com>
Signed-off-by: Olivier Léobal <olivier.leobal@owkin.com>
Signed-off-by: Olivier Léobal <olivier.leobal@owkin.com>
Signed-off-by: Olivier Léobal <olivier.leobal@owkin.com>
Signed-off-by: Olivier Léobal <olivier.leobal@owkin.com>
Signed-off-by: Olivier Léobal <olivier.leobal@owkin.com>
Signed-off-by: Olivier Léobal <olivier.leobal@owkin.com>
Signed-off-by: Olivier Léobal <olivier.leobal@owkin.com>
oleobal
force-pushed
the
fix/issue-old-tokens
branch
from
5f0590e
to
dc6c3a0
Compare
|
/e2e --tests sdk,substrafl --refs substra=feat/client-logout |
|
End to end tests: ✔️ SUCCESS |
Signed-off-by: Olivier Léobal <olivier.leobal@owkin.com>
|
/e2e --tests sdk,substrafl --refs substra=feat/client-logout |
|
End to end tests: ✔️ SUCCESS “Carpe diem. Seize the day, boys.” ― John Keating, Dead Poets Society |
Merged
Milouu
added a commit
that referenced
this pull request
Sep 7, 2023
### Added - New `SECRET_KEY` optional environment variable ([#671](#671)) - `/api-token-auth/` and the associated tokens can now be disabled through the `EXPIRY_TOKEN_ENABLED` environment variable and `server.allowImplicitLogin` chart value ([#698](#698)) - Tokens issued by `/api-token-auth/` can now be deleted like other API tokens, through a `DELETE` request on the `/active-api-tokens` endpoint ([#698](#698)) ### Changed - Increase the number of tasks displayable in frontend workflow [#697](#697) - BREAKING: Change the format of many API responses from `{"message":...}` to `{"detail":...}` ([#705](#705)) ### Removed - BREAKING: `SECRET_KEY_PATH` and `SECRET_KEY_LOAD_AND_STORE` environment variables ([#671](#671)) - Removed logic for storing `SECRET_KEY` at startup, in order to increase stability; it should be done at a higher level, i.e. the chart ([#671](#671)) ## Fixed - `/api-token-auth/` sometimes handing out tokens that are about to expire ([#698](#698)) Signed-off-by: Milouu <milan.roustan@owkin.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Solve the issue of sometimes issuing tokens that are about to expire, by just issuing an new token every time and relying on feat: add Client.logout and context manager substra#381 to clean them up
Add a new
server.allowImplicitLoginoption, allowing node admins to disable the option altogether in order to improve security practices.Extend
/active-api-tokens -X DELETEto also be able to deleteImplicitBearerToken, adding anidfield toImplicitBearerTokenfor this purpose. This is to enable users to terminate their sessions, as per security recommendations (this is leveraged by feat: add Client.logout and context manager substra#381)Closes FL-1067, FL-1140
Companion to Substra/substra-documentation#336
How has this been tested?
Tried it on my machine
Checklist