[4/n] Let user request a specific TTL for a token #8231
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
david-crespo
force-pushed
the
device-auth-ttl
branch
2 times, most recently
from
67e596d to
1f03596
Compare
7 tasks
david-crespo
force-pushed
the
device-auth-ttl
branch
2 times, most recently
from
fb2efbe to
72c81dd
Compare
david-crespo
force-pushed
the
device-auth-ttl
branch
from
72c81dd to
ae3cd6b
Compare
david-crespo
force-pushed
the
device-tokens-api
branch
from
214811b to
f18022c
Compare
david-crespo
force-pushed
the
device-auth-ttl
branch
from
ae3cd6b to
47f0a8b
Compare
david-crespo
force-pushed
the
device-tokens-api
branch
from
f18022c to
6811931
Compare
david-crespo
force-pushed
the
device-auth-ttl
branch
2 times, most recently
from
e9b8ab1 to
28485f3
Compare
david-crespo
force-pushed
the
device-tokens-api
branch
from
6811931 to
1467bfd
Compare
david-crespo
force-pushed
the
device-auth-ttl
branch
from
28485f3 to
771b719
Compare
david-crespo
force-pushed
the
device-tokens-api
branch
from
1467bfd to
3e15398
Compare
7 tasks
david-crespo
force-pushed
the
device-auth-ttl
branch
from
771b719 to
9890dfe
Compare
david-crespo
force-pushed
the
device-tokens-api
branch
2 times, most recently
from
f6a9934 to
66254ea
Compare
david-crespo
force-pushed
the
device-auth-ttl
branch
2 times, most recently
from
2c789de to
81eccee
Compare
david-crespo
force-pushed
the
device-tokens-api
branch
2 times, most recently
from
9e014d0 to
6772411
Compare
david-crespo
force-pushed
the
device-auth-ttl
branch
from
81eccee to
41bdb7f
Compare
david-crespo
force-pushed
the
device-tokens-api
branch
from
6772411 to
7fa6757
Compare
david-crespo
force-pushed
the
device-auth-ttl
branch
from
41bdb7f to
8ca0aa3
Compare
Contributor
Author
|
Good point, Gemini! It would make sense to use https://gist.github.com/david-crespo/adc7e570eb0341f8529f505972756873 
|
david-crespo
added a commit
that referenced
this pull request
Jun 3, 2025
Closes #8139. Token IDs are used in #8227 and #8231 for token CRUD. WIP. Everything compiles and existing tests work, but we are not yet testing retrieval by ID and we need to think about authz checks on the datastore functions for retrieving tokens and sessions by token string. This PR would be a lot shorter if not for the fact that the `token` column was the primary key on both tables, so adding the `id` requires a bunch of migration steps to change the primary key. There were also a lot of changes to code and tests around making things ID-centric instead of token-centric. * [x] SQL migrations for adding `id` col and changing primary key to that * [x] Add `TypedUuid` to session and token DB models * [x] Update `authz_resource!` and `lookup_resource!` calls for new primary key * [x] Update `Session` trait methods to use `id` instead of `token` * [x] Update app and datastore session and token methods to use ID instead of token * [x] Update two distinct but nearly identical `FakeSession` implementations (one for unit tests, one for integration tests) to a) track sessions in a `Vec` instead of a `HashMap` with token keys * [x] Figure out authz situation in new fetch session/token by token string methods
david-crespo
force-pushed
the
device-tokens-api
branch
from
7fa6757 to
fd19e2d
Compare
david-crespo
force-pushed
the
device-auth-ttl
branch
from
8ca0aa3 to
6bb39cb
Compare
david-crespo
force-pushed
the
device-tokens-api
branch
from
fd19e2d to
ab6ec2b
Compare
david-crespo
force-pushed
the
device-auth-ttl
branch
from
007a825 to
148ee14
Compare
hawkw
approved these changes
Jun 3, 2025
Member
hawkw
left a comment
hawkw
left a comment
There was a problem hiding this comment.
some minor nits, but seems good to me!
david-crespo
force-pushed
the
device-tokens-api
branch
from
ab6ec2b to
bbcc90d
Compare
david-crespo
force-pushed
the
device-auth-ttl
branch
from
7b7392d to
9ba7e6c
Compare
david-crespo
force-pushed
the
device-auth-ttl
branch
from
9ba7e6c to
b2a452d
Compare
david-crespo
added a commit
that referenced
this pull request
Jun 4, 2025
Built on top of #8231. Fix for an issue with the internals of session expiration discussed in #8137 (comment). When I added ID primary keys to sessions and tokens, I changed the session delete method on the Session trait to operate by ID as well, and that meant a more complex authz situation compared to deleting by token. A bearer token is its own authz, at least according to the implicit policy we decided on. When I changed it to delete by ID, I made the delete function (now removed in this PR) use the user ID from the `opctx` to filter tokens to ensure that users could only delete their own sessions. The problem is that the `opctx` used in that case is the external authenticator op context, which has its own special actor that is distinct from the user in question. This means we would never actually delete a token this way because the query would always come up empty. This is not actually a problem from a correctness point of view because on subsequent requests we always check the expiration time on the session we pull out of the DB anyway. But it does mean that we probably end up with a lot more sessions piling up in the DB than we otherwise would. Not a big deal either way, but I feel more comfortable having it keep working the way it has worked for several years. It's also nice that we are deleting some app code here and replacing it with a test for a behavior that was previously untested. (I added the test in the first commit and confirmed that it fails without the changes from the second commit.)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Closes #8147.
Built on #8137, #8214, and #8227.
This is pretty straightforward, I think. The user gives us a TTL in seconds at token request time. We store it on the request row. When they come back in the later step to confirm the code and generate the token, we retrieve the TTL, validate that it is less than the silo max (if one is set), and we use it to generate the
time_expirestimestamp, which cannot be changed later.One slightly surprising bit is that we can't validate the TTL against the silo max at initial request time because we don't have any idea what silo the user is associated with until the confirm step. So probably want to make sure we are handling TTL validation errors nicely in the web console, because I think that's where they will show up.