Bind web UI access tokens to sessions #3940
Conversation
When you logout, session also destroys the access token, so it's no longer valid. If access token is destroyed some other way, the session is also destroyed, requiring a re-login. Fix #1681 - Add scheduler to remove revoked access tokens and grants
lgtm~
def assign_access_token
  superapp = Doorkeeper::Application.find_by(superapp: true)

  return if superapp.nil?
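Review bot: `return if superapp.nil?` makes a missing superapp application a silent no-op, so a session can be created with no access token bound to it and the misconfiguration (an instance that ran `db:migrate` without `db:seed`) only surfaces later as an unexplained logged-out state. Consider raising or at least logging at this point so the missing "Web" application is reported where it is detected.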
Since this check hasn't existed previously, it will break instances which don't have a "Web" application. For example, the Docker Guide says you should run docker-compose run --rm web rake db:migrate, but db:migrate doesn't call db:seed, which contains the "Web" app generation.
Anyway, the super app must exist, so we shouldn't ignore its non-existence, I think. If you don't want to regenerate this automatically, you might want to mention this in the release note.
This must have existed previously. The old code was in HomeController#find_or_create_access_token, which also called Doorkeeper::Application.where(superapp: true).first - how could those instances have worked then? Unless nil was allowed for application_id on oauth_access_tokens, which I didn't check.
We're allowing nil for application_id: https://github.com/tootsuite/mastodon/blob/v1.4.6/db/schema.rb#L193
Looks like our db:migrate also does db:setup now, but it was introduced at v1.4rc4...
256e3ad#diff-1bf337030f4e56fa36281d23cf9e2082
BTW, don't you force users logged out when access_token is missing?
This reverts commit ed7dc17.
PR based on #3929
Fix Web client stayed logged in when using multiple tabs #2347 - Bind web UI access tokens to sessions
When you logout, session also destroys the access token, so it's no longer
valid. If access token is destroyed some other way, the session is also
destroyed, requiring a re-login.
Fix OAuth access tokens - never removed, never expire #1681 - Add scheduler to remove revoked access tokens and grants
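The session-to-token binding and the revoked-token cleanup described in this PR, modelled as an added Ruby example (not Mastodon's or Doorkeeper's code; AccessToken, SessionStore and purge_tokens are hypothetical in-memory stand-ins for the real models and scheduler):

```ruby
# Added illustration, not Mastodon's or Doorkeeper's code: an in-memory model
# of the session <-> access-token binding and of the cleanup scheduler.
class AccessToken
  attr_reader :id, :revoked_at, :expires_at

  def initialize(id, expires_in: 3600, now: Time.now)
    @id, @revoked_at, @expires_at = id, nil, now + expires_in
  end

  def revoke!(now = Time.now); @revoked_at ||= now; end
  def revoked?; !@revoked_at.nil?; end
  def expired?(now = Time.now); now >= @expires_at; end
  def valid?(now = Time.now); !revoked? && !expired?(now); end
end

class SessionStore
  def initialize
    @sessions = {} # session id => the single AccessToken bound to it
  end

  # Login creates the session and binds it to exactly one token.
  def login(session_id, token)
    @sessions[session_id] = token
  end

  # Logout destroys the session and revokes its token, so the token cannot
  # keep working in another tab after the user has signed out.
  def logout(session_id, now = Time.now)
    token = @sessions.delete(session_id)
    token&.revoke!(now)
  end

  # Per-request check: a session whose token was revoked or expired elsewhere
  # is destroyed too, forcing a fresh login instead of a half-valid state.
  def authenticated?(session_id, now = Time.now)
    token = @sessions[session_id]
    return false if token.nil?
    return true if token.valid?(now)
    @sessions.delete(session_id)
    false
  end

  def session_count; @sessions.size; end
end

# Scheduler job: drop revoked or expired tokens so they do not accumulate.
def purge_tokens(tokens, now = Time.now)
  tokens.reject { |t| t.revoked? || t.expired?(now) }
end
```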