Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Invalidate existing sessions for a given User when User.password is changed #10859

Merged
merged 11 commits into from
Mar 2, 2022
Merged

Invalidate existing sessions for a given User when User.password is changed #10859

merged 11 commits into from
Mar 2, 2022

Conversation

ewdurbin
Copy link
Member

@ewdurbin ewdurbin commented Mar 2, 2022

Closes #10849.

@ewdurbin
invalidate existing sessions for a given User when User.password is c…
fbeca85 
…hanged
@ewdurbin
set User.password_date whenever User.password is updated
6942da2 
The trigger implementation is _best_ since it ensures that the column will stay up to date whenever it is changed, even if not via this method...

Problematically the resulting value of the trigger isn't accessible inside the transaction (at least not that I was able to find).

I tried flushes and savepoints but no matter what I did nothing worked :(
ewdurbin
ewdurbin commented Mar 2, 2022
View reviewed changes
warehouse/accounts/services.py
@@ -80,14 +82,19 @@ def __init__(self, session, *, ratelimiters=None, remote_addr, metrics):
)
self.remote_addr = remote_addr
self._metrics = metrics
self.cached_get_user = functools.lru_cache()(self._get_user)
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Side effect of scrambling with figuring out why I couldn't get the latest password_date value... but interestingly this may resolve a memory leak? https://rednafi.github.io/reflections/dont-wrap-instance-methods-with-functoolslru_cache-decorator-in-python.html

@ewdurbin ewdurbin requested review from di and ewjoachim March 2, 2022 16:38
@ewdurbin ewdurbin force-pushed the invalidate_sessions_on_password_change branch from b71b9f3 to 0bd0f62 Compare March 2, 2022 16:54
@ewdurbin ewdurbin force-pushed the invalidate_sessions_on_password_change branch from 0bd0f62 to 2c1aad8 Compare March 2, 2022 17:20
di
di reviewed Mar 2, 2022
View reviewed changes
warehouse/accounts/models.py Outdated Show resolved Hide resolved
di
di reviewed Mar 2, 2022
View reviewed changes
warehouse/sessions.py Outdated Show resolved Hide resolved
@ewdurbin ewdurbin force-pushed the invalidate_sessions_on_password_change branch from 2c1aad8 to 57458ac Compare March 2, 2022 17:44
@ewdurbin ewdurbin force-pushed the invalidate_sessions_on_password_change branch from 57458ac to 61ce40b Compare March 2, 2022 17:45
@ewdurbin
fix mass logout bug
91a817a
@ewdurbin
revert to DB Trigger for password_date
8309b00 
Thanks @dstufft! db.refresh was the magic ticket to getting the resulting value from the trigger
@ewdurbin ewdurbin force-pushed the invalidate_sessions_on_password_change branch from 2835ba2 to 8309b00 Compare March 2, 2022 18:02
@ewdurbin
Copy link
Member Author

ewdurbin commented Mar 2, 2022

Sanity check done locally:

  • Switched back to main
  • Logged in with a brand new session
  • Switched to this branch
  • Stayed logged in!
  • Opened new window and changed password
  • New session that changed password stayed logged in, Old session terminated.

@ewdurbin ewdurbin requested a review from di March 2, 2022 18:40
di
di approved these changes Mar 2, 2022
View reviewed changes
warehouse/sessions.py Outdated Show resolved Hide resolved
warehouse/sessions.py
# we cannot say for sure, let it live its life.
return False

return current_password_timestamp != stored_password_timestamp
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like that the != comparison also covers our bases against time-travelers.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ewdurbin @di
Update warehouse/sessions.py
f770b88 
Co-authored-by: Dustin Ingram <di@users.noreply.github.com>
@ewdurbin ewdurbin merged commit 25ffc1f into main Mar 2, 2022
@ewdurbin ewdurbin deleted the invalidate_sessions_on_password_change branch March 2, 2022 23:05
domdfcoding pushed a commit to domdfcoding/warehouse that referenced this pull request Jun 7, 2022
@ewdurbin @di @domdfcoding
Invalidate existing sessions for a given User when User.password is c…
537297e 
…hanged (pypi#10859)

* invalidate existing sessions for a given User when User.password is changed

* set User.password_date whenever User.password is updated

The trigger implementation is _best_ since it ensures that the column will stay up to date whenever it is changed, even if not via this method...

Problematically the resulting value of the trigger isn't accessible inside the transaction (at least not that I was able to find).

I tried flushes and savepoints but no matter what I did nothing worked :(

* lint/translations

* remove cache bypass for get_user, it is not necessary

* translate string

* cleanup 6942da2

* fix mass logout bug

* revert to DB Trigger for password_date

Thanks @dstufft! db.refresh was the magic ticket to getting the resulting value from the trigger

* translations

* explicitly flush before refresh to ensure modified state is maintained

* Update warehouse/sessions.py

Co-authored-by: Dustin Ingram <di@users.noreply.github.com>

Co-authored-by: Dustin Ingram <di@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@di di di approved these changes

@ewjoachim ewjoachim Awaiting requested review from ewjoachim

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Invalidate active sessions on password change
3 participants
@ewdurbin @di @ewjoachim