Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

client_id + client_secret are inaccessible to modify if associated consumer object is deleted #438

Closed
ahmadnassri opened this issue Jul 30, 2015 · 3 comments
Closed

client_id + client_secret are inaccessible to modify if associated consumer object is deleted #438

ahmadnassri opened this issue Jul 30, 2015 · 3 comments
Assignees
@thibaultcha
Labels
plugins/oauth2 task/bug
Milestone
0.5.0

Comments

@ahmadnassri
Copy link
Contributor

scenario:

  • create API profile
  • create consumer object
  • associate oauth2 plugin with API
  • create consumer "authentication credentials / application" with client_id + client_secret
  • 👍
  • delete consumer object
  • create new consumer object
  • attempt to create authentication credentials using the same client_id + client_secret as before
  • will be rejected, with error:
{
  "client_id": "client_id already exists with value 'xxx'",
  "client_secret": "client_secret already exists with value 'yyy'"
}

in addition, there is no possible way to modify the plugin configrations, or attempt to reset the client_id and client_secret, so the result is that those values are stored forever in the database with no chance of ever re-using them.
@ahmadnassri
Copy link
Contributor Author

cc: @lucamaraschi

@subnetmarco
Copy link
Member

@thibaultcha this is the consistency problem that we have been discussing a couple of times. Somehow related to #107.

@thibaultcha
Copy link
Member

Context: Cassandra has no concept of foreign keys and cascade operations.

To solve this the Cassandra DAO Factory could trigger an event such as on_delete_consumer on all loaded DAOs, and those DAOs can chose to implement the event method if they have something to delete when a consumer is being deleted.

function my_dao:on_delete_consumer(consumer_id)

end

function my_dao:on_delete_api(api_id)

end

More work for developers but tied to the Cassandra DAO so no need to apply it to the future Postgres DAO which can use proper cascade deletes.

@thibaultcha thibaultcha added this to the 0.5.0 milestone Aug 21, 2015
thibaultcha added a commit that referenced this issue Aug 25, 2015
@thibaultcha
feat(dao) implement cascade deletion
554a19a 
This implements a "delete hook" system to trigger cascade deletion of
foreign rows in Cassandra. To do so, all foreign columns (representing foreign keys) must now be queryable (which means be indexed by Cassandra).

A "delete hook" is added to a parent DAO if any other DAO has foreign
rows to that DAO. Ex: APIs are parents to plugins_credentials, hence the
`apis` DAO will have a delete hook on the deletion of a row, to also
delete any related `plugins_configurations`.

- Move cascade delete tests to another file, with all use cases of
  current cascade deletion.
- Add a migration for oauth2 plugin to index the `consumer_id` field.
- Remove obsolete overridden delete methods of apis and consumers DAOs.

This should be a solution to #438 and is an improved implementation of #107
@thibaultcha thibaultcha mentioned this issue Aug 25, 2015
Merged
@alronlam alronlam mentioned this issue Sep 8, 2015
Closed
hutchic added a commit that referenced this issue Jun 10, 2022
@hutchic
feat(cache): the cache buster is one cause of why we have cache misse…
90e7e2e 
…s during releases (#438)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@thibaultcha thibaultcha

Labels
plugins/oauth2 task/bug
Projects
None yet
Milestone
0.5.0
Development

No branches or pull requests
4 participants
@ahmadnassri @subnetmarco @bungle @thibaultcha