fix: Add same expiration date that header_payload to signature cookie #540

Merged: 3 commits, Nov 21, 2022

@Milouu Milouu commented Nov 17, 2022

Description

The access token in Substra is secured by separating the cookie into 2 cookies: header_payload and signature. The header_payload cookie has a 24h expiration date but the signature had none. Because of this, once the header_payload expired there was a bug: the signature still existed, which blocked the creation of a new pair of cookies (be it from the refresh token or from entering credentials again), and the user had to delete the signature cookie manually to resolve the issue.
This fix only gives the same expiration date to the signature cookie so that it disappears at the same time as header_payload. If the user still has a refresh token (1 week expiration date), a new header_payload-signature pair will be fetched automatically; otherwise credentials have to be entered anew.

How has this been tested?

Checklist

  • changelog was updated with notable changes
  • documentation was updated
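
The cookie lifetime rule from the description above, as an added Python example that is not part of this pull request or of the Substra code base: both halves of the token get the same Max-Age, and the reader goes one step beyond the fix by reporting a half that arrives without its partner so it can be expired. The function names, the sample token and the Path/Secure/SameSite/HttpOnly attributes are assumptions for illustration.

```python
from http.cookies import SimpleCookie

ACCESS_LIFETIME = 24 * 60 * 60  # 24h, the header_payload lifetime given in the PR
NAMES = ("header_payload", "signature")


def split_token_cookies(jwt, max_age=ACCESS_LIFETIME):
    """Return the two Set-Cookie values for a JWT split into header.payload and signature."""
    header, payload, signature = jwt.split(".")
    jar = SimpleCookie()
    jar["header_payload"] = f"{header}.{payload}"
    jar["signature"] = signature
    for name in NAMES:
        jar[name]["max-age"] = max_age  # identical lifetime on both halves
        jar[name]["path"] = "/"         # assumed attribute
        jar[name]["secure"] = True      # assumed attribute
        jar[name]["samesite"] = "Lax"   # assumed attribute
    jar["signature"]["httponly"] = True  # assumed: keep the signature away from scripts
    return [jar[name].OutputString() for name in NAMES]


def read_access_token(cookie_header):
    """Rebuild the JWT from a request Cookie header.

    Returns (token, orphans). token is None unless both halves are present;
    orphans names any half that arrived alone and should be expired.
    """
    jar = SimpleCookie(cookie_header)
    if all(name in jar for name in NAMES):
        return ".".join(jar[name].value for name in NAMES), []
    return None, [name for name in NAMES if name in jar]


def expire_cookie(name):
    """Set-Cookie value that makes the browser drop a leftover half."""
    jar = SimpleCookie()
    jar[name] = ""
    jar[name]["max-age"] = 0
    jar[name]["path"] = "/"
    return jar[name].OutputString()


if __name__ == "__main__":
    token = "aaa.bbb.ccc"  # constructed sample, not a real JWT
    for line in split_token_cookies(token):
        print("Set-Cookie:", line)
    # Pre-fix situation: header_payload has expired, signature is still sent.
    token, orphans = read_access_token("signature=ccc")
    print(token, [expire_cookie(n) for n in orphans])
```
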

Milouu force-pushed the fix/signature-cookie-exp branch from a3a79ca to 70f2623, November 17, 2022 16:12
Milouu changed the title from "🐛 Add same expiration date that header_payload to signature cookie" to "fix:Add same expiration date that header_payload to signature cookie", Nov 17, 2022
Milouu changed the title from "fix:Add same expiration date that header_payload to signature cookie" to "fix: Add same expiration date that header_payload to signature cookie", Nov 17, 2022
Milouu force-pushed the fix/signature-cookie-exp branch from 70f2623 to ded607d, November 17, 2022 16:16
@sergebouchut2

I am not sure I understand why having different dates results in a bug, but I think this was defined as is on purpose. See https://github.com/Substra/substra-backend/blob/main/docs/authentication.md#jwt-cookie

Milouu and others added 2 commits November 21, 2022 14:30
Signed-off-by: Milouu <[email protected]>
Signed-off-by: ThibaultFy <[email protected]>
@Milouu Milouu merged commit e3a93e4 into main Nov 21, 2022
@Milouu Milouu deleted the fix/signature-cookie-exp branch November 21, 2022 13:42