Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Long-running transforms can lose their authentication #473

Closed
ponyisi opened this issue Sep 22, 2024 · 0 comments · Fixed by #487
Closed

Long-running transforms can lose their authentication #473

ponyisi opened this issue Sep 22, 2024 · 0 comments · Fixed by #487
Assignees
@ponyisi
Milestone
3.0.1 Bugfixes

Comments

@ponyisi
Copy link
Collaborator

ponyisi commented Sep 22, 2024

For a long-running transformation we can get authentication errors, as seen from the backend:

Traceback (most recent call last):
  File "/usr/local/lib/python3.10/site-packages/flask/app.py", line 1484, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/local/lib/python3.10/site-packages/flask/app.py", line 1469, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
  File "/usr/local/lib/python3.10/site-packages/flask_restful/__init__.py", line 489, in wrapper
    resp = resource(*args, **kwargs)
  File "/usr/local/lib/python3.10/site-packages/flask/views.py", line 109, in view
    return current_app.ensure_sync(self.dispatch_request)(**kwargs)
  File "/usr/local/lib/python3.10/site-packages/flask_restful/__init__.py", line 604, in dispatch_request
    resp = meth(*args, **kwargs)
  File "/home/servicex/servicex_app/decorators.py", line 52, in inner
    verify_jwt_in_request(locations=["headers"])
  File "/usr/local/lib/python3.10/site-packages/flask_jwt_extended/view_decorators.py", line 94, in verify_jwt_in_request
    jwt_data, jwt_header, jwt_location = _decode_jwt_from_request(
  File "/usr/local/lib/python3.10/site-packages/flask_jwt_extended/view_decorators.py", line 340, in _decode_jwt_from_request
    decoded_token = decode_token(encoded_token, csrf_token)
  File "/usr/local/lib/python3.10/site-packages/flask_jwt_extended/utils.py", line 128, in decode_token
    return jwt_manager._decode_jwt_from_config(encoded_token, csrf_value, allow_expired)
  File "/usr/local/lib/python3.10/site-packages/flask_jwt_extended/jwt_manager.py", line 556, in _decode_jwt_from_config
    return _decode_jwt(**kwargs, allow_expired=allow_expired)
  File "/usr/local/lib/python3.10/site-packages/flask_jwt_extended/tokens.py", line 95, in _decode_jwt
    decoded_token = jwt.decode(
  File "/usr/local/lib/python3.10/site-packages/jwt/api_jwt.py", line 211, in decode
    decoded = self.decode_complete(
  File "/usr/local/lib/python3.10/site-packages/jwt/api_jwt.py", line 163, in decode_complete
    self._validate_claims(
  File "/usr/local/lib/python3.10/site-packages/jwt/api_jwt.py", line 249, in _validate_claims
    self._validate_exp(payload, now, leeway)
  File "/usr/local/lib/python3.10/site-packages/jwt/api_jwt.py", line 307, in _validate_exp
    raise ExpiredSignatureError("Signature has expired")
jwt.exceptions.ExpiredSignatureError: Signature has expired

We should either re-auth under these conditions, or the server should send a redirect that does it automatically (not sure if that's possible?)
@ponyisi ponyisi added this to the 3.0.1 Bugfixes milestone Sep 22, 2024
@BenGalewsky BenGalewsky moved this to Backlog in ServiceX Sep 26, 2024
@ponyisi ponyisi self-assigned this Oct 1, 2024
@ponyisi ponyisi mentioned this issue Oct 2, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ponyisi ponyisi

Labels
None yet
Projects
ServiceX
Status: Done
Milestone
3.0.1 Bugfixes
Development

Successfully merging a pull request may close this issue.

Better handling of tokens near expiry ssl-hep/ServiceX_frontend
1 participant
@ponyisi