-
-
Notifications
You must be signed in to change notification settings - Fork 7
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
If user is removed from GitHub team/org they should lose access (within X minutes) #67
Comments
We could invalidate the actor cookie after a short TTL but this will be frustrating for the users (unless we bring back auto-login, which was removed in #64). Maybe a better option: embed a timestamp in the actor cookie showing when those teams/orgs were last fetched. Re-fetch them from the GitHub API any time that timestamp has expired, and re-issue the cookie. |
I'm going to store |
Here's an interesting challenge: at what point should the re-fetch of teams and orgs from GitHub happen? We've baked the results of those API calls into the actor cookie itself. This means Datasette's default permission checking code doesn't need to call anything relating to our plugin at all - it can work purely off those values. But we want to re-fetch the results from that API every five minutes or so to avoid them becoming stale. How do we know when to re-fetch the results? We potentially need to issue a fresh cookie at the same time, to update the timestamp - that's a bit gnarly. |
I could try registering a custom |
Maybe the solution here is to move away from the |
Actually I think I can solve this with a It could work by itself dispatching to the default Datasette one - https://github.com/simonw/datasette/blob/0.53/datasette/actor_auth_cookie.py - and then applying some extra logic to see if the permissions need to be re-checked. Since this runs on every incoming request that should be the right place to do this. It can return an |
One catch: how can the |
One way could be for it to set a key on the This is pretty fragile and weird though. Maybe Datasette itself needs to grow a mechanism that allows plugins to specify that the actor cookie should be set again? |
An ASGI middleware wrapper could add a function key to This is similar to the pattern used by |
The problem I'm trying to solve here - mark that a cookie should be set at the end of the response - is the same problem I had to solve for the def add_message(self, request, message, type=INFO):
if not hasattr(request, "_messages"):
request._messages = []
request._messages_should_clear = False
request._messages.append((message, type))
def _write_messages_to_response(self, request, response):
if getattr(request, "_messages", None):
# Set those messages
response.set_cookie("ds_messages", self.sign(request._messages, "messages"))
elif getattr(request, "_messages_should_clear", False):
response.set_cookie("ds_messages", "", expires=0, max_age=0) Here's where |
How about if the Datasette |
I'm going to try to implement the |
I've hit a REALLY nasty problem: calling the GitHub API to check what teams and orgs the user is a member of requires an access token. But we've not stored the user's access token anywhere - which is good, because keeping hold of an access token for any longer than strictly necessary is never a good idea. But this means that a design where we make ongoing calls to check the user's memberships won't actually work. |
Alternative solutions to this problem:
I think that second option may be the way to go here. The case of needing to kick a user out of Datasette because they left a GitHub team or organization is going to be vanishingly rare, so leaving this to the administrators (as long as it is clearly documented) feels like an OK thing to do. |
See this comment for why: #67 (comment)
Idea for an alternative mechanism: allow users to define a JSON file of GitHub user IDs that are allowed access. They can host this at a separate URL - e.g. in a gist. Datasette hits that URL and caches it for a few seconds between hits to figure out who is allowed access. |
For the moment I'm going to add the note about this to the README and ship the release. |
Last remaining issue for #64 - if Datasette is configured to only allow access to users who are members of a specific GitHub organization, we need to ensure they lose access within a reasonable timeframe.
Their teams and orgs are baked into their
actor
cookie.It's OK for them to maintain access for a little while, provided that's documented and administrators know to e.g. rotate the
DATASETTE_SECRET
.The text was updated successfully, but these errors were encountered: