ORCID tokens have a lifetime of 24 hours and are not renewable. After 24 hours, a logged-in MaveDB user will begin to get error responses to any API requests that check authentication status, even if they do not require authentication.
When this occurs, the UI should detect the change and clear the client-side login status. This will cause the UI to revert to logged-out status.
To capture this occurrence, we install an Axios response interceptor that looks for unauthorized (HTTP 401) responses. When one occurs, it makes a request to /users/me; if the response is again 401, it logs the user out. To notify the user, it publishes a toast message to a new Vuex store module.
Since sessions endure for 24 hours, one way to test the new behavior in a local MaveDB instance is to insert `return None` into the API's `get_current_user` function (in `src/mavedb/lib/authentication.py`):

```python
async def get_current_user(
    api_key_user_data: Optional[UserData] = Depends(get_current_user_data_from_api_key),
    token_payload: dict = Depends(JWTBearer()),
    db: Session = Depends(deps.get_db),
    # Custom header for the role the authenticated user would like to assume.
    # Namespaced with x_ to indicate this is a custom application header.
    x_active_roles: Optional[str] = Header(default=None),
) -> Optional[UserData]:
    if api_key_user_data is not None:
        return api_key_user_data
    if token_payload is None:
        return None
    username: Optional[str] = token_payload.get("sub")
    if username is None:
        return None
    return None  # Added this for testing
    # ...
```
Add this after starting the application and logging in. The next time the user attempts an action that involves checking the current login session, the UI should recognize that the user has been logged out.
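
The interceptor logic described above, sketched as an added example; it is not code from this pull request or from MaveDB. The names `createSessionExpiryHandler`, `logout` and `notify` are assumptions (`notify` stands in for publishing the toast to the store), and the handler also guards against two cases the description does not spell out: the `/users/me` probe re-entering the interceptor, and several 401s arriving at once.

```javascript
// Added example. createSessionExpiryHandler, logout and notify are
// hypothetical names, not identifiers from the MaveDB UI.
function createSessionExpiryHandler({ client, logout, notify, probeUrl = '/users/me' }) {
  // One shared in-flight probe, so a burst of 401s causes a single
  // /users/me request, a single logout and a single toast.
  let probe = null

  return async function onResponseError(error) {
    const status = error.response ? error.response.status : undefined
    const url = (error.config && error.config.url) || ''
    // Pass through anything that is not a 401, and never probe in response
    // to the probe itself (that would recurse through this interceptor).
    if (status !== 401 || url.endsWith(probeUrl)) throw error

    if (!probe) {
      probe = client.get(probeUrl)
        // Only a second 401 counts as an expired session; a network failure
        // or 5xx on the probe leaves the login state untouched.
        .then(() => false, (e) => Boolean(e.response && e.response.status === 401))
        .then((expired) => {
          if (expired) {
            logout() // clear client-side login state
            notify('Your session has expired. Please log in again.')
          }
          return expired
        })
        .finally(() => { probe = null })
    }
    await probe
    throw error // the original caller still sees its failed request
  }
}

// Registration with Axios, assuming `axios` is imported by the app:
// axios.interceptors.response.use((response) => response,
//   createSessionExpiryHandler({ client: axios, logout, notify }))
```
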