Beta: sign-in links do not expire after 15 minutes and are reusable #16912
Comments
|
Wait… just checked my MongoDB records. The auth tokens' TTLs are all set to 900000. Is that intentional? |
|
@leonfeng it is: they use miliseconds (15 * 60 * 1000) see freeCodeCamp/common/models/user.js Line 519 in bce8e0a Ok, I can confirm that:
My guess is that they will never expire, as I do not see the code for it, but I'm pretty new to the code base. /cc @BerkeleyTrue ccing you as you've implemented standalone auth tokens in 07f3042 |
|
Hi @leonfeng Nice find. I guess, the last discussions we had about an year ago that MongoDB should be doing this for us. One of the causes this could be the TTL expiration thread needs to be configured explicitly? But, I guess we would have to have this in to a message queue, and schedule it. I will investigate further. |
|
Or, maybe we simply missed the invalidation in a recent refactoring. |
|
I'll just drop here what I cam across trying to unravel this little puzzle, hope it's helpful: Intention to validate: freeCodeCamp/server/boot/authentication.js Line 140 in bce8e0a Intention to destroy: freeCodeCamp/server/boot/authentication.js Line 155 in bce8e0a I noticed that validation of length and existence of the token does happen, I'm not familiar with the code base and frameworks but that seems to happen in I guess a shortcut is to add TTL validation in |
|
Hi all. I saw that @raisedadead submitted a PR to migrate authentication to Auth0, but I thought I'd comment here. Did some searching through the Mongo docs for getting TTL to work. Seems like Mongo will automatically remove documents, but an index needs to be created on the collection first. To get the email authentication links to expire correctly, I had to run mongo, use freecodecamp, then run One thing I noticed is that the authentication token is not always destroyed when the user clicks on the link and logs in. I'm not sure what is causing the issue, but it seems to be destroyed about half the time. So a user could click on an email link, log in, sign out, then log in multiple times until the token is destroyed or ~15 minutes passes. Another potential issue I saw is that the db.AccessToken collection seems to grow every time a user logs in with a new authentication token. Not sure if that's supposed to happen, but I thought it worth mentioning. Also, the freeCodeCamp/common/models/user.js Line 181 in a2076ce |
|
@scissorsneedfoodtoo thanks for the excellent summary of what is happening. And Yes, you are correct that the indexing is not done automatically. Well sadly that is because we originally thought LoopBack does that for us. Turns out it doesn't. In short their docs aren't as good as they claim to be (so much for being an enterprise grade SDK!!) Anyways, what we have thought off is completely moving away from our custom auth solution. I know its sad, for the work it took to implement in the first place. But its worth every effort in handling it separate from our core. This is further to our goals of breaking the huge monolith, and making life easier for everyone. |
|
@raisedadead, that's alright! True that it's a shame to move away from the custom authentication after all the work that was put into it, but it will give you and the other core team members more time to better the platform in other ways. Looking forward to the future Auth0 implementation! |
|
We've implemented Auth0 and heeded the advice "never roll your own authentication." Thanks for all the help QA'ing the old passwordless authentication, and to @raisedadead for building our new Auth0 implementation. |
Issue Description
I am able to sign in using the links well after 15 minutes (and in one case, 2 hours). And I can do so repeatedly using the same link in different browsers (private mode) and on different devices. Reproducible on my local copy of freeCodeCamp and on beta.freecodecamp.org.
Browser Information
The text was updated successfully, but these errors were encountered: