arch-kiosk / arch-kiosk-office

💼 central place for collaboration
GNU Affero General Public License v3.0

(re)design the api-token and CSRF token expiration #895

Open urapadmin opened 3 years ago

urapadmin commented 3 years ago

they even depend on each other sometimes.

urapadmin commented 3 years ago

csrf tokens are used in forms and js ajax calls. According to flask-csrf the expiration time is 60 minutes. There is something about returning different errors depending on whether the token is invalid or just expired: https://flask-wtf.readthedocs.io/en/stable/api.html#flask_wtf.csrf.validate_csrf

In flask_wtf/form the time limit is explicitly set to 3600 seconds, which is indeed an hour:

        @cached_property
        def csrf_time_limit(self):
            return current_app.config.get('WTF_CSRF_TIME_LIMIT', 3600)

Seems that can be changed in the flask config using WTF_CSRF_TIME_LIMIT.

urapadmin commented 3 years ago

after not doing anything in the file repository for more than an hour and then navigating to the workstation manager, this is what happens on 0.8.22 (after I had attended to #877):

    [22852/23888: kioskuser.ERROR at 2021-01-11 20:28:46,156]: KioskUser.load_user: User lkh cannot be loaded because of missing token.
    [22852/23888: init.ERROR at 2021-01-11 20:28:46,156]: Exception in @LoginManager user loader Exception('kiosk user not found or an exception occurred. Please consult the logs')
    [22852/23888: authorization.ERROR at 2021-01-11 20:28:46,156]: authorization.@full_login_required: AttributeError("'bool' object has no attribute 'is_authenticated'")
    [22852/22576: kioskuser.ERROR at 2021-01-11 20:28:46,169]: KioskUser.load_user: User lkh cannot be loaded because of missing token.
    [22852/22576: init.ERROR at 2021-01-11 20:28:46,169]: Exception in @LoginManager user loader Exception('kiosk user not found or an exception occurred. Please consult the logs')
    [22852/22576: urlforjavascript.DEBUG at 2021-01-11 20:28:46,169]: trying directorsview.static
    [22852/12092: kioskuser.ERROR at 2021-01-11 20:28:46,240]: KioskUser.load_user: User lkh cannot be loaded because of missing token.
    [22852/12092: init.ERROR at 2021-01-11 20:28:46,240]: Exception in @LoginManager user loader Exception('kiosk user not found or an exception occurred. Please consult the logs')
    [22852/10280: kioskuser.ERROR at 2021-01-11 20:28:46,240]: KioskUser.load_user: User lkh cannot be loaded because of missing token.
    [22852/10280: init.ERROR at 2021-01-11 20:28:46,240]: Exception in @LoginManager user loader Exception('kiosk user not found or an exception occurred. Please consult the logs')

So it seems that it is indeed the new api token that expires and leads to the logout. Now that the login page is properly shown, I don't find it as annoying anymore.

What I still don't understand is why "bool" object has no attribute ...

urapadmin commented 3 years ago

the api token expires either in 2 hours or in as many seconds as set in kiosk\security_token_timeout_seconds in the kiosk config.
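The two expiring tokens discussed in this thread (the Flask-WTF CSRF token with its WTF_CSRF_TIME_LIMIT, and the kiosk api token with its two-hour default or security_token_timeout_seconds) follow the same pattern: a random value bound to an issue timestamp, signed with the app's secret, and rejected once it is older than the limit. The example below is added here to illustrate that pattern and is neither Flask-WTF's nor kiosk's code; it uses only the standard library and a constructed secret key, and the token format, the `issue_token`/`validate_token` names and the `TokenExpired`/`TokenInvalid` classes are assumptions for illustration. The security-relevant detail it shows is the order of checks: the signature is verified before the age is looked at, so "expired" is only ever reported for a genuine token, while a tampered or foreign token is reported as "invalid" (the distinction the flask_wtf docs linked above make in validate_csrf).

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed values for the example (a real app would use app.config['SECRET_KEY']).
SECRET_KEY = b"constructed-example-secret-key-do-not-reuse"
CSRF_TIME_LIMIT = 3600          # seconds; the Flask-WTF default quoted in this thread
API_TOKEN_TIMEOUT = 2 * 3600    # seconds; stands in for kiosk/security_token_timeout_seconds


class TokenError(Exception):
    """Base class for token validation failures."""


class TokenExpired(TokenError):
    """Genuine token, but older than the configured time limit."""


class TokenInvalid(TokenError):
    """Malformed, tampered, or issued for a different session."""


def _signature(payload: bytes) -> str:
    digest = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def issue_token(session_value: str, now: Optional[float] = None) -> str:
    """Bind a per-session random value (no dots allowed) to an issue timestamp and sign both."""
    if "." in session_value:
        raise ValueError("session_value must not contain '.'")
    issued_at = int(now if now is not None else time.time())
    payload = f"{session_value}.{issued_at}".encode()
    return f"{session_value}.{issued_at}.{_signature(payload)}"


def validate_token(token: str, session_value: str, time_limit: int,
                   now: Optional[float] = None) -> None:
    """Raise TokenInvalid for tampered/foreign tokens, TokenExpired for stale but genuine ones."""
    try:
        value, issued_at_str, sig = token.rsplit(".", 2)
        issued_at = int(issued_at_str)
    except ValueError:
        raise TokenInvalid("malformed token")
    # Signature first: only a token we actually issued can be "expired".
    expected = _signature(f"{value}.{issued_at}".encode())
    if not hmac.compare_digest(sig, expected):
        raise TokenInvalid("bad signature")
    # The signed value must match the one stored in this session.
    if not hmac.compare_digest(value, session_value):
        raise TokenInvalid("token does not belong to this session")
    current = now if now is not None else time.time()
    if current - issued_at > time_limit:
        raise TokenExpired(f"token older than {time_limit} seconds")


def classify(token: str, session_value: str, time_limit: int,
             now: Optional[float] = None) -> str:
    """Collapse the outcome to 'ok', 'expired' or 'invalid' for a caller that reports to the user."""
    try:
        validate_token(token, session_value, time_limit, now)
        return "ok"
    except TokenExpired:
        return "expired"
    except TokenInvalid:
        return "invalid"


def load_user_for_api_token(token: str, session_value: str,
                            now: Optional[float] = None) -> Optional[dict]:
    """Sketch of a user loader keyed on the api token: returns None, never False, on failure.

    Flask-Login's user_loader contract is to return None when the user cannot be loaded;
    a caller that then tests current_user.is_authenticated gets the anonymous user
    instead of an attribute lookup on a bool.
    """
    if classify(token, session_value, API_TOKEN_TIMEOUT, now) != "ok":
        return None
    return {"id": session_value}


if __name__ == "__main__":
    value = "c0nstructedSessionValue"
    t0 = 1_600_000_000
    token = issue_token(value, now=t0)
    print("59 min later :", classify(token, value, CSRF_TIME_LIMIT, now=t0 + 59 * 60))
    print("61 min later :", classify(token, value, CSRF_TIME_LIMIT, now=t0 + 61 * 60))
    print("tampered     :", classify(token + "x", value, CSRF_TIME_LIMIT, now=t0))
    print("api, 1h59m   :", load_user_for_api_token(token, value, now=t0 + 119 * 60))
    print("api, 2h01m   :", load_user_for_api_token(token, value, now=t0 + 121 * 60))
```

Run as a script it walks one token through both limits. Because the checks are ordered signature, then session binding, then age, a server can safely tell the user "your session timed out, reload the form" for the expired case while treating every other failure uniformly.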

urapadmin commented 3 years ago

currently this is at least covered by a proper reaction on most fronts. I want to postpone it and look at the current behavior a bit more.

urapadmin commented 3 years ago

It is still really not perfect but should suffice in normal scenarios. So postponed to after v1.

urapadmin commented 1 year ago

see also #1157

urapadmin commented 1 year ago

I should invest some time to actually understand CSRF. I am not even sure what it does. Is it just another token? From my work on using the kioskfilemakerworkstation.upload as an api I learned that I can generate a new csrf token and set it as the header and it seems to work. So does it simply expire at some point?