clear progress in sessionStorage when signing in via secret pictures or secret words #29386
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Background
When a signed-out user makes progress, we storage that progress in sessionStorage. When a signed-in user makes progress, we persist that progress in the user_levels table, but we also store it in sessionStorage. We make a best-effort attempt to clear sessionStorage when a user signs in or out, but sometimes we fail to do this, causing progress to leak between users as described in LP-502.
It's not 100% clear why we store progress in sessionStorage. PRs #4256 and #4452 are poorly documented, but it probably had something to do with achieving scalability on HoC scripts.
signing in
On sign-in, we sometimes clear sessionStorage by attaching event handlers to the UI elements used to submit login data:
code-dot-org/dashboard/app/views/devise/sessions/new.html.haml
Line 64 in fd7a827
code-dot-org/dashboard/app/views/devise/sessions/new.html.haml
Line 70 in fd7a827
code-dot-org/dashboard/app/views/devise/shared/_oauth_links.haml
Line 28 in 4972686
signing out
On sign-out, we clear session storage when the sign-out menu item is selected. This succeeds when done from dashboard pages, but fails when done from pegasus because sessionStorage is domain-specific:
code-dot-org/shared/haml/user_header.haml
Lines 124 to 131 in f30081e
Description
Fixes the specific problem described in LP-502, by making sure we clear sessionStorage when a user signs in via secret pictures or secret words (fd7384c). This ensures we always clear sessionStorage when signing in via the UI, preventing progress from being leaked between signed-in users, or from a signed-out user to a signed-in user. This does NOT prevent progress from being leaked from a signed-in user to a signed-out user in all cases (see Caveats).
Caveats
this solution does not prevent leakage of progress when a user signs out in either of the following ways:
a. by hitting https://studio.code.org/users/sign_out directly
b. by using the drop-down menu to sign out from https://code.org/congrats
this solution is brittle because it relies on each sign in / sign out mechanism to remember to clear session storage
Detours
Future Work
A simple, robust solution would be to isolate progress belonging to different users by bucketing sessionStorage progress based on user id. This work item is tracked by LP-576.