New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Implement logout call #884

rubendel opened this Issue Nov 23, 2018 · 0 comments


None yet
1 participant

rubendel commented Nov 23, 2018

Currently an HMAC is used to create the token. This works great in the sense that we can validate tokens without accessing the database, we don't need to store the tokens in memory and even after restarting a server the tokens are still valid. Also if BIMserver at some point becomes a distributed system, this would alleviate the need for distributed "session management".

But, currently this also means that the AuthInterface.logout call doesn't actually do anything. To allow for logout to work, we do need to keep track of tokens that have been invalidated. Since most people/systems never logout, one could argue that this is still a good trade-off.

So what should be done:

  • Implement AuthInterface.logout, store the token in the database linked to the User, also store in memory. Also remove the tokens from the cached tokens collection (which is a performance optimization to reduce the amount of cpu spent on cryptography).
  • During startup, load all invalidated tokens into memory, so we don't have to access the database in order to determine whether a token is invalidated. This memory structure should be based on the username, so the lookups are manageable.
  • Schedule a process that cleans up invalidated tokens. Since tokens have a limited lifetime, they can be removed from the in-memory structure and database once they do.

Before doing this, it might be useful to reevaluate the use of HMACs, wouldn't simply storing the valid tokens in a database be easier, possibly cached in memory?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment