clear progress in sessionStorage when signing in via secret pictures or secret words

[davidsbailey]

Background

When a signed-out user makes progress, we storage that progress in sessionStorage. When a signed-in user makes progress, we persist that progress in the user_levels table, but we also store it in sessionStorage. We make a best-effort attempt to clear sessionStorage when a user signs in or out, but sometimes we fail to do this, causing progress to leak between users as described in LP-502.

It's not 100% clear why we store progress in sessionStorage. PRs #4256 and #4452 are poorly documented, but it probably had something to do with achieving scalability on HoC scripts.

signing in

On sign-in, we sometimes clear sessionStorage by attaching event handlers to the UI elements used to submit login data:

• Email sign in / sign up: cleared at:

  code-dot-org/dashboard/app/views/devise/sessions/new.html.haml

  Line 64 in fd7a827

  $("#new_user").on("submit", function (e) {

  code-dot-org/dashboard/app/views/devise/sessions/new.html.haml

  Line 70 in fd7a827

  dashboard.clientState.reset();

• OAuth: cleared at:

  code-dot-org/dashboard/app/views/devise/shared/_oauth_links.haml

  Line 28 in 4972686

  $('.oauth_sign_in').click(dashboard.clientState.reset);

• Secret picture / secret words: not cleared. (fixed in this PR)
• sign in via direct ajax request: not cleared. only done in ui tests, must also remember to hit /reset_session.

signing out

On sign-out, we clear session storage when the sign-out menu item is selected. This succeeds when done from dashboard pages, but fails when done from pegasus because sessionStorage is domain-specific:

code-dot-org/shared/haml/user_header.haml

Lines 124 to 131 in f30081e

	$('.user_options a:last').click(function (e) {
	// this partial can be on non-dashboard pages.
	if (typeof dashboard !== 'undefined') {
	dashboard.clientState.reset();
	} else {
	// Keep in sync with clientState#reset.
	try {
	sessionStorage.clear();

Description

Fixes the specific problem described in LP-502, by making sure we clear sessionStorage when a user signs in via secret pictures or secret words (fd7384c). This ensures we always clear sessionStorage when signing in via the UI, preventing progress from being leaked between signed-in users, or from a signed-out user to a signed-in user. This does NOT prevent progress from being leaked from a signed-in user to a signed-out user in all cases (see Caveats).

Caveats

1. this solution does not prevent leakage of progress when a user signs out in either of the following ways:
   a. by hitting https://studio.code.org/users/sign_out directly
   b. by using the drop-down menu to sign out from https://code.org/congrats

2. this solution is brittle because it relies on each sign in / sign out mechanism to remember to clear session storage

Detours

• extracted sections/show.js from haml in 2270dbb without making any functional changes in that commit

Future Work

A simple, robust solution would be to isolate progress belonging to different users by bucketing sessionStorage progress based on user id. This work item is tracked by LP-576.

[maddiedierker]

great investigation and fix! i think your idea for future work sounds good and works really well with our future work to refactor how progress is stored in redux (i.e., store by user_id so we have the ability to store and quarantine separate users' progress info)

[davidsbailey]

Hey Maddie, I assume the goal of the work you're referring to is to let the teacher panel switch between students without reloading the page. Thanks for calling that out!

[islemaster]

Agreed! Great improvement and detour, and next steps sound exactly correct.