
fix(authn): create sessions only if UI header value is supplied #1919

Merged

Conversation

eusebiu-constantin-petu-dbk (Collaborator)

What type of PR is this?

bug
Which issue does this PR fix:
#1910

What does this PR do / Why do we need it:

If an issue # is not available please add repro steps and logs showing the issue:

Testing done on this change:

Automation added to e2e:

Will this break upgrades or downgrades?

Does this PR introduce any user-facing change?:


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.


codecov bot commented Oct 10, 2023

Codecov Report

Merging #1919 (079dbaf) into main (ab45356) will decrease coverage by 0.01%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##             main    #1919      +/-   ##
==========================================
- Coverage   91.94%   91.93%   -0.01%     
==========================================
  Files         153      153              
  Lines       26437    26440       +3     
==========================================
+ Hits        24307    24308       +1     
- Misses       1573     1574       +1     
- Partials      557      558       +1     
Files               Coverage Δ
pkg/api/authn.go    95.27% <100.00%> (+0.02%) ⬆️

... and 5 files with indirect coverage changes


if err := saveUserLoggedSession(cookieStore, response, request, identity, ctlr.Log); err != nil {
return false, err
// saved logged session only if the request comes from web (has UI session header value)
if hasSessionHeader(request) {
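Review bot: `hasSessionHeader(request)` reads a header the client supplies, so this gate only decides whether a session is created for the request; it does not decide whether a presented session cookie is trusted, and any client that sends the UI header value still gets a session. That matches the stated goal (stop creating sessions for non-UI API clients), but the snippet shows the `if err := saveUserLoggedSession(...)` call and its `return false, err` before the new `if hasSessionHeader(request) {` line; make sure the call is nested inside that branch, otherwise the gate has no effect. The comment should also read `// save the logged-in session only if the request comes from the web UI (has the UI session header value)`. Nothing in this block deletes sessions created before the change or sessions that later expire; that is the question raised below and is worth tracking.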
Contributor

Do we need to take care of deleting these sessions though?

Collaborator Author

Using the current library, no... I cannot get a reference to an expired session.
In the case of an expired session, the library will return an error (expired session) and a new valid session, losing the ability to get a reference to the expired session and delete it.

Collaborator Author

There are a lot of issues about this:
gorilla/sessions#160

They say how you can delete, but they don't say how to delete an expired session. In another issue they state that expired sessions are overwritten by new sessions, but that's not true, at least in our case.
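As an added illustration of the two points in this thread (a session is created only for requests that carry the UI header, and an expired session has to be found and deleted, not just rejected), here is example code that is not zot's code and does not use gorilla/sessions. The header and cookie names (`X-ZOT-API-CLIENT`, `zot-ui`, `session`), the `memoryStore`, `authHandler` and `sessionCookieFor` names, the identity `alice` and the 2-hour TTL are all assumptions made for the example; the in-memory store stands in for the project's cookie store and shows the reap-on-expiry the thread says the library does not let the caller do:

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
	"time"
)

// Assumed header/cookie names: placeholders for this example, not zot's constants.
const (
	sessionClientHeaderName  = "X-ZOT-API-CLIENT"
	sessionClientHeaderValue = "zot-ui"
	sessionCookieName        = "session"
	sessionTTL               = 2 * time.Hour
)

type session struct {
	identity string
	expires  time.Time
}

// memoryStore is a minimal server-side store with an explicit expiry per entry, so stale
// sessions can be found and deleted. It stands in for the cookie store; it is not gorilla/sessions.
type memoryStore struct {
	mu       sync.Mutex
	sessions map[string]session
	now      func() time.Time // injectable clock so expiry can be exercised
}

func newMemoryStore() *memoryStore {
	return &memoryStore{sessions: make(map[string]session), now: time.Now}
}

// create mints a random 256-bit session ID bound to identity.
func (s *memoryStore) create(identity string) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	id := hex.EncodeToString(raw)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.sessions[id] = session{identity: identity, expires: s.now().Add(sessionTTL)}
	return id, nil
}

// lookup resolves a session ID. An expired entry is deleted on the spot rather than
// left behind, which is the cleanup the thread above asks about.
func (s *memoryStore) lookup(id string) (string, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	sess, ok := s.sessions[id]
	if !ok || !s.now().Before(sess.expires) {
		delete(s.sessions, id) // no-op when absent; reaps an expired entry
		return "", false
	}
	return sess.identity, true
}

// count reports how many sessions are held server-side.
func (s *memoryStore) count() int {
	s.mu.Lock()
	defer s.mu.Unlock()
	return len(s.sessions)
}

// hasSessionHeader mirrors the PR's gate: only requests carrying the UI marker header get a
// session. The header is client-controlled, so this limits how many sessions are minted;
// it authenticates nothing by itself.
func hasSessionHeader(r *http.Request) bool {
	return r.Header.Get(sessionClientHeaderName) == sessionClientHeaderValue
}

// authHandler assumes identity was established by an earlier step (e.g. basic auth) and
// persists it as a session cookie only for UI requests.
func authHandler(store *memoryStore, identity string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if hasSessionHeader(r) {
			id, err := store.create(identity)
			if err != nil {
				http.Error(w, "internal error", http.StatusInternalServerError)
				return
			}
			http.SetCookie(w, &http.Cookie{Name: sessionCookieName, Value: id, Path: "/", HttpOnly: true,
				Secure: true, SameSite: http.SameSiteStrictMode, MaxAge: int(sessionTTL.Seconds())})
		}
		w.WriteHeader(http.StatusOK)
	})
}

// sessionCookieFor sends one already-authenticated request, with or without the UI header,
// and returns the session cookie value if the handler set one.
func sessionCookieFor(store *memoryStore, withUIHeader bool) (string, bool) {
	req := httptest.NewRequest(http.MethodGet, "/v2/", nil)
	if withUIHeader {
		req.Header.Set(sessionClientHeaderName, sessionClientHeaderValue)
	}
	rec := httptest.NewRecorder()
	authHandler(store, "alice").ServeHTTP(rec, req)
	for _, c := range rec.Result().Cookies() {
		if c.Name == sessionCookieName {
			return c.Value, true
		}
	}
	return "", false
}

func main() {
	store := newMemoryStore()
	_, cli := sessionCookieFor(store, false)
	id, ui := sessionCookieFor(store, true)
	fmt.Println("cookie for CLI request:", cli, "for UI request:", ui, "sessions stored:", store.count())
	store.now = func() time.Time { return time.Now().Add(sessionTTL + time.Minute) } // jump past the TTL
	_, valid := store.lookup(id)
	fmt.Println("after expiry: valid =", valid, "sessions stored:", store.count())
}
```

Run with `go run`: the first line reports that the CLI-style request gets no cookie while the UI request does, and the second that the expired session is both rejected and removed from the store. Reaping on lookup only covers sessions whose cookie is presented again; a deployment also needs a periodic sweep over `expires`, since a cookie that is simply abandoned never reaches `lookup`.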

Contributor

IMHO let's fix what can be fixed with this library, and track replacing it with something else (another sessions library? or tokens? we need a discussion) separately.

@andaaron andaaron merged commit a91c0c5 into project-zot:main Oct 12, 2023
32 of 33 checks passed

3 participants