Old accesstokens are not cleaned up #8035

Closed
kevinansfield opened this issue Feb 22, 2017 · 2 comments · Fixed by #8065
kevinansfield commented Feb 22, 2017

Issue Summary

Each time a refreshtoken is used to get a new accesstoken, we create a new record in the DB, but the old accesstoken record is still kept. Now that we have longer expiry times on the tokens, it means that we can't rely on the old tokens being unusable after an hour, so we should either delete the old records or update the current record when a new token is generated.

Steps to Reproduce

  1. Log in to the admin
  2. Refresh the page (requests a new access token from the stored refresh token)
  3. Examine the database: in the accesstokens table you will now have at least 2 valid tokens for the same user

Technical details:

  • Ghost Version: master && LTS
  • Node Version: 4.7.0
  • Database: sqlite
@kirrg001 kirrg001 added the server / core Issues relating to the server or core of Ghost label Feb 22, 2017
kirrg001 added a commit to kirrg001/Ghost that referenced this issue Feb 27, 2017
closes TryGhost#8035

- create auth/utils
- use authUtils.createTokens for all cases
- remove old tokens before creating new ones
kevinansfield pushed a commit that referenced this issue Mar 1, 2017
closes #8035
- create auth/utils
- use authUtils.createTokens for all cases
- decrease the expiry of the old access token before creating a new one
@kirrg001 kirrg001 reopened this Mar 1, 2017

kirrg001 commented Mar 1, 2017

Fix for LTS is coming.

@kirrg001 kirrg001 added the LTS label Mar 1, 2017
kirrg001 added a commit to kirrg001/Ghost that referenced this issue Mar 1, 2017
refs TryGhost#8035

- same fix as TryGhost@fa38257
- no fancy refactoring as we did on master
- tested with 2 browsers and 2 tabs
kevinansfield pushed a commit that referenced this issue Mar 1, 2017
refs #8035

- same fix as fa38257
- no fancy refactoring as we did on master
- tested with 2 browsers and 2 tabs

kirrg001 commented Mar 1, 2017

closed via #8076

@kirrg001 kirrg001 closed this as completed Mar 1, 2017
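
An added sketch, not Ghost's code, of the behaviour reported in this issue next to the "decrease the expiry of the old access token before creating a new one" approach named in the commit message. The in-memory `TokenStore`, its method names, the TTL and grace values, and the linking of each access token to the refresh token that produced it are all assumptions made for illustration.

```javascript
// Added example: in-memory stand-in for the accesstokens table (hypothetical names).
const { randomBytes } = require('crypto');

const ACCESS_TTL_MS = 30 * 24 * 3600 * 1000; // constructed "longer expiry" value
const GRACE_MS = 5 * 60 * 1000;              // constructed grace window for old tokens

class TokenStore {
  constructor() { this.access = []; this.refresh = new Map(); }

  login(userId, now) {
    const refreshToken = randomBytes(32).toString('hex');
    this.refresh.set(refreshToken, userId);
    return { refreshToken, accessToken: this.issue(userId, refreshToken, now) };
  }

  issue(userId, refreshToken, now) {
    const token = randomBytes(32).toString('hex');
    this.access.push({ token, userId, refreshToken, expires: now + ACCESS_TTL_MS });
    return token;
  }

  // Reported behaviour: a new row is added and the old rows are left untouched.
  refreshLeaky(refreshToken, now) {
    const userId = this.refresh.get(refreshToken);
    if (userId === undefined) throw new Error('invalid refresh token');
    return this.issue(userId, refreshToken, now);
  }

  // Fix sketch: shorten tokens issued from this refresh token, then issue a new one.
  // Math.min ensures a repeated refresh never extends an already-shortened token.
  refreshFixed(refreshToken, now) {
    const userId = this.refresh.get(refreshToken);
    if (userId === undefined) throw new Error('invalid refresh token');
    for (const row of this.access) {
      if (row.refreshToken === refreshToken) row.expires = Math.min(row.expires, now + GRACE_MS);
    }
    return this.issue(userId, refreshToken, now);
  }

  isValid(token, now) {
    return this.access.some((r) => r.token === token && r.expires > now);
  }

  validCount(userId, now) {
    return this.access.filter((r) => r.userId === userId && r.expires > now).length;
  }

  // Periodic cleanup so expired rows do not accumulate.
  purgeExpired(now) { this.access = this.access.filter((r) => r.expires > now); }
}
```

Scoping the expiry change to one refresh token keeps a second browser's session for the same user valid, and the grace window lets requests already in flight with the old token complete.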