This repository has been archived by the owner on Nov 30, 2022. It is now read-only.

Unable to logout from Admin UI with an expired/invalid token #1257

Closed
NevilleS opened this issue Sep 6, 2022 · 0 comments · Fixed by #1305
Labels
bug Something isn't working

Comments


NevilleS commented Sep 6, 2022

Bug Description

On fidesops:1.7.2 I have found that I cannot logout from the Admin UI when my token is already expired or invalid. When this occurs, you get stuck in a bad state where you can't use the UI (because your token is rejected), but you also can't log back in (because the existing token prevents using the /login route).

There are at least two ways to cause this:

  • If you have an expired token, the /logout endpoint will throw a 403, not succeed, and not clear the local storage
  • If you have an invalid token, the /logout endpoint will throw a 403, not succeed, and not clear the local storage

Steps to Reproduce

It's simple enough to reproduce an invalid token:

  1. Login to the Admin UI normally
  2. Logout normally and observe that the logout succeeds
  3. In the console, run window.localStorage.setItem('auth.fidesops-admin-ui', '{"token":"invalid"}')
  4. Refresh the home page (http://localhost:8080)
  5. Observe the console to see a 500 error, due to the invalid token
  6. Click the logout button from the top-right dropdown menu
  7. Observe that /logout fails with a 500, and the invalid token is not cleared:

image

  8. Try to manually go to /login
  9. Observe that you are automatically redirected back to the home page, despite still having an invalid token that you cannot logout from

Expected behavior

I'd expect two things here that aren't happening:

  1. Whenever the user logs out from the Admin UI, the local auth token should be deleted no matter what happens on the server (403, 500, etc.). This would prevent you from getting into an unrecoverable state where you cannot clear your token
  2. Invalid tokens should be captured as a 403 error on the server, even if they are structurally incorrect (like in this example)

The latter is less important as it's more of a QOL improvement, but the former is blocking usage of the Admin UI right now if you ever get timed out.

Screenshots

(see above)

Environment

  • Version: 1.7.2
  • OS: Mac OSX Monterey (12.5.1)
  • Python Version: 3.10.5
  • Docker Version: 20.10.17
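The first expected behaviour above, as an added example that is not part of the issue or of the fidesops code base: a client-side logout routine that removes the stored token whatever the server returns (200, 403, 500 or a network failure). The localStorage key and the /logout path come from the issue; the POST method, the Bearer header and the in-memory storage/fetch stand-ins are assumptions.

```javascript
const AUTH_KEY = 'auth.fidesops-admin-ui'; // key name from the issue

// Read the stored token; tolerate missing or malformed JSON, since the issue
// shows the value being hand-edited in localStorage.
function readToken(storage) {
  const raw = storage.getItem(AUTH_KEY);
  if (raw === null) return null;
  try {
    const parsed = JSON.parse(raw);
    return typeof parsed.token === 'string' ? parsed.token : null;
  } catch (e) {
    return null;
  }
}

// Best-effort server-side logout, then unconditional local cleanup.
// fetchFn is injected so the routine runs outside a browser; baseUrl is
// an assumption. Returns what happened so callers can inspect it.
async function logout(storage, fetchFn, baseUrl) {
  const token = readToken(storage);
  let serverStatus = null;
  try {
    if (token !== null) {
      const res = await fetchFn(`${baseUrl}/logout`, {
        method: 'POST',
        headers: { Authorization: `Bearer ${token}` },
      });
      serverStatus = res.status; // 200, 403 or 500: all handled alike below
    }
  } catch (e) {
    serverStatus = null; // network failure: still clear local state
  } finally {
    storage.removeItem(AUTH_KEY); // the behaviour the issue asks for
  }
  return { serverStatus, cleared: storage.getItem(AUTH_KEY) === null };
}

// Constructed in-memory stand-ins for window.localStorage and fetch.
function makeStorage(initial) {
  const m = new Map(Object.entries(initial));
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}
function makeFetch(status) {
  return async () => ({ status }); // simulates a server reply with this code
}
```

With the token cleared locally even after a 500, the /login route is usable again and the unrecoverable state described in the issue cannot arise.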
@NevilleS NevilleS added the bug Something isn't working label Sep 6, 2022
@pattisdr pattisdr self-assigned this Sep 13, 2022
sanders41 pushed a commit that referenced this issue Sep 14, 2022
…1305)

* Allow the user to logout with a malformed or expired token.

* Fix formatting.

* Fix test comment.

* Update changelog.

* Bump fideslib version to raise a 403 if the supplied token is malformed instead of a 500.

* Allow the root user to logout.
sanders41 pushed a commit that referenced this issue Sep 22, 2022