You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Sep 2, 2021. It is now read-only.
It doesn't matter what order the contents create lines are in, it always fails on the second line.
I built a local copy of dr-provision from master and added debug logging to frontend.userAuth(), which shows that the userSecret and grantorSecret were changing between the first and second contents create calls around here.
Checking this manually using drpcli users list showed the user Secret being updated as well.
I tracked this back to user.ChangePassword() which modifies the Secret whenever a users' password is changed, but does not appear to save it to the User store at the same time.
Currently, the users password call changes the PasswordHash and the Secret, but does not commit the new Secret into the store (changing the Secret happens after the User is saved).
A token is then generated from this User - either using the 'old' Secret which had been previously persisted, or possibly the 'new' Secret which is stored ephemerally in the existing User object but not persisted to the backing store (not sure which one happens here).
The first content create call (or some other consistently occurring action) then either:
Causes the User to be reloaded from the store, invalidating any Tokens generated using the ephemeral Secret, or
Causes the ephemeral User to be saved to the store, invalidating any Tokens generated using the previously stored Secret.
To test if this is the cause, I made the following change:
diff --git a/backend/user.go b/backend/user.go
index dea0cca1..da0cd801 100644
--- a/backend/user.go+++ b/backend/user.go@@ -95,9 +95,9 @@ func (u *User) ChangePassword(rt *RequestTracker, newPass string) error {
return err
}
u.PasswordHash = ph
- _, err = rt.Save(u)
// When a user changes their password, invalidate any previous cached auth tokens.
u.Secret = randString(16)
+ _, err = rt.Save(u)
return err
}
Which appears to fix the issue and causes a consistent Secret to be returned and used for all runs of content create.
The text was updated successfully, but these errors were encountered:
benagricola
changed the title
Auth Tokens invalidated due to user.ChangePassword() invalidation
Auth Tokens invalidated in future due to user.ChangePassword()
Sep 5, 2018
Versions:
tip
from installer and current code inmaster
both exhibit the same behaviour.TL;DR Writing an Ansible playbook to deploy DRP, in the following order:
Expressed as shell commands, the relevant part is something like this:
It doesn't matter what order the
contents create
lines are in, it always fails on the second line.I built a local copy of
dr-provision
frommaster
and added debug logging tofrontend.userAuth()
, which shows that theuserSecret
andgrantorSecret
were changing between the first and secondcontents create
calls around here.Checking this manually using
drpcli users list
showed the userSecret
being updated as well.I tracked this back to
user.ChangePassword()
which modifies theSecret
whenever a users' password is changed, but does not appear to save it to theUser
store at the same time.Currently, the
users password
call changes thePasswordHash
and theSecret
, but does not commit the newSecret
into the store (changing theSecret
happens after theUser
is saved).A token is then generated from this
User
- either using the 'old'Secret
which had been previously persisted, or possibly the 'new'Secret
which is stored ephemerally in the existingUser
object but not persisted to the backing store (not sure which one happens here).The first
content create
call (or some other consistently occurring action) then either:User
to be reloaded from the store, invalidating anyToken
s generated using the ephemeralSecret
, orUser
to be saved to the store, invalidating anyToken
s generated using the previously storedSecret
.To test if this is the cause, I made the following change:
Which appears to fix the issue and causes a consistent
Secret
to be returned and used for all runs ofcontent create
.The text was updated successfully, but these errors were encountered: