Queue stays authenticated after log out #397

Closed
redshiftzero opened this issue Jun 4, 2019 · 1 comment · Fixed by #404
Labels: bug (Something isn't working), security

Comments

@redshiftzero
Contributor

The queue stays authenticated after the user logs out. One can reproduce this by trying to download a file after logging out. This is a similar issue to #178, now re-occurring in the queue.

While this won't be possible after freedomofpress/securedrop#3933 is used in the client, regardless the queue should not attempt to send API requests to the server when the user is offline / not logged in.

One resolution would be to add a logout() method to the ApiJobQueue to update the api_client attribute after logout. This method would then get called by the logout method on the controller.

@redshiftzero redshiftzero added bug Something isn't working security labels Jun 4, 2019
@redshiftzero
Contributor Author

So in #400 @creviera has a good idea, which is to have one single place in the client (ApiJobQueue) that accesses the API. This would prevent issues like this from arising because it would be a single place that has the API token (#385 would also help us as developers reason about the application).

I suggest we:

  • first do the less-smart resolution here to resolve this bug (what I suggest in the original ticket, adding a logout() method) so that we can tag a release,
  • then do a broader refactor following @creviera's suggestion in What can make an API call [Discussion] #400. We can't do this refactor immediately because we need to finish migrating over the existing API actions to the queue (in progress) as well as decide how to handle the login and sync actions (see my comment here).

@redshiftzero redshiftzero self-assigned this Jun 5, 2019
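The resolution proposed above (give ApiJobQueue a logout() that drops its api_client, and have the controller call it) is shown below as an added example. This is not securedrop-client's own code: the class and method names follow the issue, but FakeApiClient, DownloadJob, NotLoggedIn, enqueue()/process() and the choice to discard still-pending jobs on logout are assumptions made for illustration. The run_session_cycle() function walks the three-step check from the fix commits (log in, log out, log back in) and records which token every server request was made with.

```python
"""Added example, not securedrop-client code: a job queue that is deauthenticated
on logout so no job can reach the server with a stale session."""
import queue
from dataclasses import dataclass


class NotLoggedIn(Exception):
    """Raised when a job is enqueued while no user is logged in (assumed name)."""


class FakeApiClient:
    """Constructed stand-in for the SDK API client: holds the session token and
    records every request it makes as (token, uuid)."""

    def __init__(self, token):
        self.token = token
        self.requests = []

    def download(self, uuid):
        self.requests.append((self.token, uuid))
        return b"ciphertext-for-" + uuid.encode()


@dataclass
class DownloadJob:
    """Assumed minimal job: one API call that needs an authenticated client."""
    uuid: str

    def call_api(self, api_client):
        return api_client.download(self.uuid)


class ApiJobQueue:
    """Single place in the client that holds the API client (the issue's design).

    The security-relevant invariant: after logout(), api_client is None, so
    neither enqueue() nor process() can send a request until login() again.
    """

    def __init__(self):
        self.api_client = None
        self._queue = queue.Queue()
        self.rejected = []   # jobs that were refused or discarded

    def login(self, api_client):
        self.api_client = api_client

    def logout(self):
        # The fix proposed in the issue: drop the authenticated client.
        self.api_client = None
        # Assumption beyond the issue text: discard jobs still waiting, so a
        # job queued in the old session cannot run under the next login's token.
        while True:
            try:
                self.rejected.append(self._queue.get_nowait())
            except queue.Empty:
                break

    def enqueue(self, job):
        if self.api_client is None:
            self.rejected.append(job)
            raise NotLoggedIn("user must log in before enqueueing jobs")
        self._queue.put(job)

    def process(self):
        """Run every pending job; re-check auth per job, since logout() may
        have happened between enqueue and processing."""
        while True:
            try:
                job = self._queue.get_nowait()
            except queue.Empty:
                return
            if self.api_client is None:
                self.rejected.append(job)
                continue
            job.call_api(self.api_client)


def run_session_cycle():
    """Log in, log out, log back in; return what the server actually saw."""
    q = ApiJobQueue()
    clients = [FakeApiClient("token-A"), FakeApiClient("token-B")]
    q.login(clients[0])                      # 1. log in, authed
    q.enqueue(DownloadJob("file-1"))
    q.process()
    q.logout()                               # 2. log out, not authed
    try:
        q.enqueue(DownloadJob("file-2"))
        rejected_on_logout = False
    except NotLoggedIn:
        rejected_on_logout = True
    q.process()
    q.login(clients[1])                      # 3. log back in, authed again
    q.enqueue(DownloadJob("file-3"))
    q.process()
    requests = [r for c in clients for r in c.requests]
    return {"rejected_on_logout": rejected_on_logout,
            "requests": requests,
            "rejected": [j.uuid for j in q.rejected]}


if __name__ == "__main__":
    print(run_session_cycle())
```

The per-job re-check in process() is the part that matters for the bug as reported: a job that was already queued when the user logged out must not be sent just because it was accepted earlier. Whether to discard those pending jobs (as here) or hold them until the next login is a product decision the issue does not settle; holding them across sessions would let one user's queued requests run under another user's token.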
redshiftzero added a commit that referenced this issue Jun 5, 2019
also ensure that we can, in one run of the client:

1. Log in, be authed to make network calls
2. Log out, not be authed to make network calls
3. Log _back_ in, once again be authed to make network calls
redshiftzero added a commit that referenced this issue Jun 6, 2019
redshiftzero added a commit that referenced this issue Jun 11, 2019
* security bugfix: deauth queue when user logs out (#397)

* make sure queues are started when we enqueue a new job (#380)

* also ensure that we can, in one run of the client:

1. Log in, be authed to make network calls
2. Log out, not be authed to make network calls
3. Log _back_ in, once again be authed to make network calls

* show "user must login" message when download clicked if offline
redshiftzero added a commit that referenced this issue Jun 11, 2019
sssoleileraaa pushed a commit that referenced this issue Jun 13, 2019