UI: fix token expiry banner for batch tokens #27479
Conversation
github-actions
bot
added
the
hashicorp-contributed-pr
ui/app/services/auth.js
Outdated
| // this is the problem -- the auth/userpass/login/ endpoint returns a diff response than self-lookup. it doesn't include anything about expiration for batch tokens | ||
|
|
||
| console.log('authenticate resp: ', resp); | ||
|
|
||
| return this.authSuccess(options, resp.auth || resp.data); |
There was a problem hiding this comment.
i believe this is the root of the problem. depending on what login method the user is using (token, userpass, LDAP etc), we hit a different API endpoint, and those apis have a different response shape. note the difference between the various responses:
- a GET
/auth/token/lookup-self(using a batch token created viavault token create -type=batch -policy=test -ttl=20m) responds withtype: "batch"andexpiry_timeproperties. API docs confirm this. - a POST to
/auth/userpass/login(using a username and password with a batch token) responds with a property calledtoken_type: "batch"andlease_durationbut doesn't include an explicitexpiry_time. API docs confirm this, too
| endpoint | response | |
|---|---|---|
| /auth/token/lookup-self |
|
|
| /auth/userpass/login |
|
|
the frontend code on line 308 above suggests to me that we expect the backend responses to be the same regardless of whether the batch token was created via an auth method or via vault token create -type=batch -policy=test.
|
CI Results: |
| if (resp.renewable) { | ||
| Object.assign(data, this.calculateExpiration(resp)); |
There was a problem hiding this comment.
the this.calculateExpiration function is already set up to handle batch tokens returned by /auth/[backend]/login methods since those APIs return a lease_duration, which is accounted for on line 220 above.
as a result, i didn't see a reason why we wouldn't couldn't call calculateExpiration regardless of whether or not resp.renewable or not.
so you'll notice i modified this.calculateExpiration to handle the case where resp.type === 'batch' (which happens when logging in via a token directly). this way calculateExpiration is used universally, regardless of the authentication method (token/userpass/ldap, batch token, service token etc).
andaley
force-pushed
the
ui/vault-27813/fix-token-banner
branch
from
602a557
to
26f3a3f
Compare
andaley
changed the title
andaley
added
backport/ent/1.15.x+ent
backport/ent/1.16.x+ent
|
Build Results: |
andaley
force-pushed
the
ui/vault-27813/fix-token-banner
branch
from
26f3a3f
to
8acb2b2
Compare
andaley
force-pushed
the
ui/vault-27813/fix-token-banner
branch
from
e5dceb6
to
6dd294e
Compare
…g banner is shown
Co-authored-by: Chelsea Shaw <82459713+hashishaw@users.noreply.github.com>
andaley
force-pushed
the
ui/vault-27813/fix-token-banner
branch
from
c8e408a
to
0033b44
Compare
Description
Ensures the "token expired" banner displays in the UI when logged in via a batch token, regardless of whether that token was generated via an auth method or via
vault token createdirectly.Previously the banner would not display for users logged in with a batch token that was generated by an auth method.
Screenshot
Batch tokens show token expiry banner
Service tokens show token expiring soon banner
Service tokens show token expiry banner
TODO only if you're a HashiCorp employee
getting backported to N-2, use the new style
backport/ent/x.x.x+entlabelsinstead of the old style
backport/x.x.xlabels.the normal
backport/x.x.xlabel (there should be only 1).of a public function, even if that change is in a CE file, double check that
applying the patch for this PR to the ENT repo and running tests doesn't
break any tests. Sometimes ENT only tests rely on public functions in CE
files.
in the PR description, commit message, or branch name.
description. Also, make sure the changelog is in this PR, not in your ENT PR.