Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

3233: Handle session expired in Admin Panel #2906

Merged
merged 4 commits into from
Jul 30, 2021
Merged

3233: Handle session expired in Admin Panel #2906

merged 4 commits into from
Jul 30, 2021

Conversation

chris-bes
Copy link
Contributor

@chris-bes chris-bes commented Jul 27, 2021
edited
Loading

@chris-bes chris-bes force-pushed the 3233-session-expires-handle branch from 27605a7 to 1a92ffc Compare July 27, 2021 05:33
chris-bes
chris-bes commented Jul 27, 2021
View reviewed changes
packages/server-boilerplate/src/orchestrator/session/attachSession.ts
@@ -11,7 +11,7 @@ export const attachSession = async (req: Request, res: Response, next: NextFunct
try {
const sessionId = req.sessionCookie?.id;
if (!sessionId) {
throw new UnauthenticatedError('User not authenticated');
throw new UnauthenticatedError('Session not found or has expired. Please log in again.');
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tom suggested a nice idea to which is to use a new http response code to indicate that the session has expired (beyondessential/tupaia-backlog#3233 (comment)). However, I think with the case of session cookie not found, it could be because of some other reasons rather than just the session has expired (eg: someone unauthenticated trying to access the server). So I'm still keeping 401 as the response code here.

tcaiger
tcaiger reviewed Jul 28, 2021
View reviewed changes
packages/admin-panel/src/api/TupaiaApi.js
@@ -77,9 +79,21 @@ export class TupaiaApi {
};
}

async checkIfAuthorized(response) {
// Unauthorized
if (response.status === 401) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Initially I was wondering whether it is too aggressive to always log out users when there is a 401 but after thinking about it for a while I agree that it makes good sense.

tcaiger
tcaiger approved these changes Jul 28, 2021
View reviewed changes
Copy link
Contributor

@tcaiger tcaiger left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good. Thanks for handling this. I'm wondering if there is a similar change that needs to happen in psss? If so, would you mind creating a card for it? I don't want to hold up this change and the psss fix is quite a low priority.

@chris-bes
Copy link
Contributor Author

chris-bes commented Jul 28, 2021
edited
Loading

Looks good. Thanks for handling this. I'm wondering if there is a similar change that needs to happen in psss? If so, would you mind creating a card for it? I don't want to hold up this change and the psss fix is quite a low priority.

Yep, PSSS already logs people out when response code is 401.
image

However, now that you mentioned, I've realized the error message if that happens is still User not authenticated. Will change to the same one here!

@chris-bes chris-bes merged commit 3c3105a into dev Jul 30, 2021
@chris-bes chris-bes deleted the 3233-session-expires-handle branch July 30, 2021 04:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tcaiger tcaiger tcaiger approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@chris-bes @tcaiger @avaek