cloudant / nodejs-cloudant

Cloudant Node.js client library
Apache License 2.0

cookieauth plugin with autoRenew renews token constantly #426

Closed markusd closed 4 years ago

markusd commented 4 years ago

Bug Description

The cookieauth plugin with autoRenew=true can get the TokenManager into a state where it constantly renews the token. This happens if the Max-Age cookie header field is missing.

  cloudant:tokens:tokenmanager Auto renewing token now... +1ms
  cloudant:tokens:tokenmanager Starting token renewal. +0ms
  cloudant:tokens:tokenmanager Finished token renewal. +466ms
  cloudant:tokens:tokenmanager Renewing token in NaN milliseconds. +0ms
  cloudant:tokens:tokenmanager Auto renewing token now... +1ms
  cloudant:tokens:tokenmanager Starting token renewal. +0ms
  cloudant:tokens:tokenmanager Finished token renewal. +555ms
  cloudant:tokens:tokenmanager Renewing token in NaN milliseconds. +0ms

1. Steps to reproduce and the simplest code sample possible to demonstrate the issue

Connect using the cookieauth plugin and get a Set-Cookie HTTP header without the Max-Age field.

2. What you expected to happen

Cookie to be renewed after the Max-Age from the Set-Cookie header, or the defaultMaxAgeSecs if not present.

3. What actually happened

Cookie is renewed constantly

Environment details

ricellis commented 4 years ago

Out of curiosity is there a particular CouchDB version you are using that doesn't provide the Max-Age attribute?

markusd commented 4 years ago

CouchDB 3.1.0 does not return it: {"couchdb":"Welcome","version":"3.1.0","git_sha":"ff0feea20","uuid":"0befa9b1-b7b0-11ea-b05f-961ac42f4b44","features":["search","access-ready","partitioned","pluggable-storage-engines","reshard","scheduler"],"vendor":{"name":"IBM"}}

Set-Cookie: AuthSession=XXXX; Version=1; Secure; Path=/; HttpOnly

markusd commented 4 years ago

@ricellis Dug a bit further and it looks like this is happening when the database instance has allow_persistent_cookies = false in the config.

https://docs.couchdb.org/en/stable/config/auth.html#authentication-configuration

ricellis commented 4 years ago

Yes, we came to the same conclusion.

sanduteo95 commented 4 years ago

Hi, we ran into this problem over the past week and have eventually found this issue, which matches the behaviour we're seeing. We noticed there hasn't been a release since the 2nd of March - are there plans to release version 4.2.5 containing this fix? We would really need this fix soon, to unblock our work. Thank you!

ricellis commented 4 years ago

Yes, the milestone items are all in now and a release will be happening ASAP.

If you need to unblock faster, change your server configuration to use allow_persistent_cookies=true which will give the cookies an expiry header.