Conversation

@GitHK (Contributor) commented Oct 9, 2024

What do these changes do?

After #6484 was merged it became obvious that we need to log out users. Current functionality does not allow us to log out users who do not have running services or a running frontend at the moment when the maintenance page is put up.

To avoid issues, the cookie name was changed and the old cookie is also removed.

NOTE: tried multiple ways to delete the session cookie but it appears to be impossible:

  • removing the cookie via del_cookie and name does not work
  • using a header does not work
  • using max-age or expires fields does not work

Any ideas here are welcome.

@GitHK GitHK self-assigned this Oct 9, 2024
@GitHK GitHK added a:webserver webserver's codebase. Assigning the area is particularly useful for bugs bug buggy, it does not work as expected labels Oct 9, 2024
codecov bot commented Oct 9, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 86.1%. Comparing base (cafbf96) to head (e439438).
Report is 627 commits behind head on master.


@@            Coverage Diff            @@
##           master   #6507      +/-   ##
=========================================
+ Coverage    84.5%   86.1%    +1.5%     
=========================================
  Files          10    1540    +1530     
  Lines         214   63138   +62924     
  Branches       25    2058    +2033     
=========================================
+ Hits          181   54372   +54191     
- Misses         23    8463    +8440     
- Partials       10     303     +293     
Flag        Coverage Δ
unittests   86.1% <100.0%> (+1.5%) ⬆️

Flags with carried forward coverage won't be shown.

Files with missing lines                                 Coverage Δ
...ings-library/src/settings_library/utils_session.py    44.4% <100.0%> (ø)

... and 1489 files with indirect coverage changes


@GitHK GitHK marked this pull request as ready for review October 10, 2024 08:35
@matusdrobuliak66 (Collaborator) left a comment

👍 Did the change of cookie name help? Or does it still need to be tested after deploy?

@GitHK GitHK added this to the MartinKippenberger milestone Oct 10, 2024
@pcrespov (Member) left a comment

I am not sure this is needed. An easier way to invalidate all cookies is to change the SESSION_SECRET_KEY

Moreover, NOTE that logging out a user is achieved by removing the auth token within the cookie, not necessarily by removing the entire cookie!

Let's check this when you are back :-)

@GitHK (Contributor, Author) commented Oct 14, 2024

> I am not sure this is needed. An easier way to invalidate all cookies is to change the SESSION_SECRET_KEY
>
> Moreover, NOTE that logging out a user is achieved by removing the auth token within the cookie, not necessarily by removing the entire cookie!
>
> Let's check this when you are back :-)

So this approach seems to work. Tested locally. We can regenerate the env var WEBSERVER_SESSION_SECRET_KEY on all deployments to log out users. I will go for this approach.
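The two options discussed above, rotating the session secret (which invalidates every cookie signed under the old key at once) versus stripping the auth token out of one user's session, side by side in a small stand-alone script. This is an added example, not code from the project; it uses an HMAC-SHA256-signed JSON cookie from the Python standard library as a stand-in for the project's real session storage, and the field name `auth_token`, the `deletion_set_cookie` helper, and every sample value are assumptions.

```python
"""Two ways to end sessions carried in a signed cookie:
(1) rotate the server-side secret, which invalidates every existing cookie at once;
(2) strip the auth token from an individual session and re-sign it (per-user logout).
Assumption: the cookie is an HMAC-SHA256-signed JSON payload, a stand-in for the
project's real session storage; key names and sample values are constructed here."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

AUTH_TOKEN_KEY = "auth_token"  # assumed name of the session field holding the login token


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def seal(session: dict, secret_key: bytes) -> str:
    """Serialize `session` and sign it; the cookie value is '<payload>.<hex mac>'."""
    payload = _b64e(json.dumps(session, sort_keys=True, separators=(",", ":")).encode())
    mac = hmac.new(secret_key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def unseal(cookie_value: str, secret_key: bytes) -> Optional[dict]:
    """Return the session dict if the MAC verifies under `secret_key`, else None.
    A cookie signed under a previous key fails here: that is the whole effect of rotation."""
    payload, sep, mac = cookie_value.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(secret_key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None
    try:
        return json.loads(_b64d(payload))
    except (ValueError, UnicodeDecodeError):
        return None


def is_logged_in(session: Optional[dict]) -> bool:
    return bool(session) and bool(session.get(AUTH_TOKEN_KEY))


def logout_by_token_removal(cookie_value: str, secret_key: bytes) -> Optional[str]:
    """Per-user logout: keep the cookie but drop the auth token and re-sign.
    Returns None if the incoming cookie does not verify."""
    session = unseal(cookie_value, secret_key)
    if session is None:
        return None
    session.pop(AUTH_TOKEN_KEY, None)
    return seal(session, secret_key)


def rotate_secret_key() -> bytes:
    """Global logout: a fresh key makes every cookie issued under the old key unverifiable."""
    return secrets.token_bytes(32)


def deletion_set_cookie(name: str, path: str = "/", domain: Optional[str] = None) -> str:
    """Build a Set-Cookie header that clears `name`. Browsers only drop a stored cookie when
    name, Path and Domain all match, so these attributes must equal those used when it was set."""
    parts = [f"{name}=", "Max-Age=0", "Expires=Thu, 01 Jan 1970 00:00:00 GMT", f"Path={path}"]
    if domain:
        parts.append(f"Domain={domain}")
    parts += ["HttpOnly", "Secure"]
    return "; ".join(parts)


if __name__ == "__main__":
    old_key = secrets.token_bytes(32)
    cookie = seal({"user_id": 42, AUTH_TOKEN_KEY: "constructed-token"}, old_key)
    print("logged in under old key:", is_logged_in(unseal(cookie, old_key)))  # True
    print("after per-user logout:",
          is_logged_in(unseal(logout_by_token_removal(cookie, old_key), old_key)))  # False
    new_key = rotate_secret_key()
    print("old cookie after rotation:", unseal(cookie, new_key))  # None: everyone is logged out
    print(deletion_set_cookie("osparc-sc", path="/", domain="example.org"))
```

The rotation path needs no per-user action and no cookie deletion at all, which is why it works for users who have no running frontend at the time; the cost is that every session, not only stale ones, is dropped. The `deletion_set_cookie` helper is there to show the attribute-matching rule that most often makes a "delete cookie" attempt look like it does nothing.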

@sanderegg (Member) left a comment

not sure I get what this is about.

- traefik.http.middlewares.${SWARM_STACK_NAME}_manual-auth.forwardauth.address=http://${WEBSERVER_HOST}:${WEBSERVER_PORT}/v0/auth:check
- traefik.http.middlewares.${SWARM_STACK_NAME}_manual-auth.forwardauth.trustForwardHeader=true
- traefik.http.middlewares.${SWARM_STACK_NAME}_manual-auth.forwardauth.authResponseHeaders=Set-Cookie,osparc-sc
- traefik.http.middlewares.${SWARM_STACK_NAME}_manual-auth.forwardauth.authResponseHeaders=Set-Cookie,osparc-sc-v2
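Review bot: Traefik's `forwardauth.authResponseHeaders` lists response header names to copy from the auth endpoint back to the client, so changing the second entry from `osparc-sc` to `osparc-sc-v2` only has an effect if `/v0/auth:check` really emits a header of that name; a renamed or cleared cookie reaches the browser through the `Set-Cookie` entry, which is unchanged in this hunk. If the old cookie is meant to be cleared by a `Set-Cookie` from this endpoint, it must carry the same `Path` and `Domain` as the cookie being replaced, since browsers ignore a deletion whose attributes do not match the stored cookie; that is one reason the `del_cookie`/`max-age`/`expires` attempts listed in the PR description can appear not to work.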
A reply from a Contributor:

Could you explain why we need a new name?

@GitHK (Contributor, Author) replied:

We do not currently. Forgot to close the PR.

@GitHK (Contributor, Author) commented Oct 14, 2024

will rotate credentials instead of renaming cookie

@GitHK GitHK closed this Oct 14, 2024