search

desec-io / desec-stack

Backbone of the deSEC Free Secure DNS Hosting Service
https://desec.io/
MIT License
393 stars 50 forks source link

Automatic login token cleanup? #976

Open JeGr opened 2 weeks ago

JeGr commented 2 weeks ago

Hi,

logged into my desec account and created a new token for another service to set up DNS entries. That's where I found I had around 30 disabled login tokens still in my account that weren't cleaned up which dated back to over a year. Manually cleaning them up I ran into the rate limit -.- so had to come back later to finish it.

Is there no auto-cleanup of auto-disabled login tokens or is the job not working correctly? I don't see why I'd need an auto-created login token even 2-4 weeks later so was quite surprised there was stuff over a year ago?

Cheers \jens

peterthomassen commented 2 weeks ago

Sorry for the rate limit, that's actually a little unfortunate.

There is no auto-cleanup job. Tokens are deleted upon request (e.g., during logout), and just like other API tokens, login tokens otherwise hang around, and depending on circumstances (e.g., time) might become invalid.

The leftover tokens are a symptom of not logging out of the session. While you can say that's fine in your use case, we also think the leftover tokens are not a big problem.

That said, perhaps it would indeed make sense to have them cleaned up. The question is how to do this cheaply, as the validity calculation is currently not done in the database, but in the backend application. Perhaps an alternative solution would be to clean up tokens whenever the list is viewed, so that cleanup is on-demand only (cheap) but still transparent to the user. @nils-wisiol ?

JeGr commented 2 weeks ago

Just a few comments/ideas :)

of not logging out of the session

I'd argue that people do that more often than actually hitting the logout. For me, it's almost default, that my services do log me out automatically either if I close my browser (as the cookies get cleaned up) or after a timeout. As I'm often working mobile or at a laptop, that gets closed in a heartbeat if there's other important stuff happening, I'd guess that most users have accumulated quite a collection of auto-disabled-logout tokens.

Normally that wouldn't be a problem, but as my actual tokens are quite old and often at the end of the list, I have to scroll to the bottom to see them or look at the "disabled" column to see which tokens are actual working API tokens and which are login tokens only.

So I'd like to throw a few points out there, perhaps you find them useful: :)

  1. The token list is "all in one". How about sorting the "login" tokens to another tab/view instead, separating manually created and auto-created tokens?
  2. Another possibility would be to hide them or sort them to the bottom (all invalid tokens are sorted last by default)?
  3. The whole thing actually bugged me because of the rate limit & the impossibility to multi-select tokens. If I had an easy method to select all invalid login-only tokens to simply delete them with a single click that wouldn't be nearly as unfortunate ;)
  4. multiselection of entries to delete would actually be a nice thing for all list views (tokens, DNS entries, etc.). Clearing a DNS zone of a lab domain would be SO much easier then running into rate limits again while deleting one entry at a time :)
  5. auto-cleanup would still be nice ;) but that could also be a thing I hit with a button to clear unused (non-valid flagged) tokens. If that would be easies to implement - would be fine with me!

Thanks for a great service!

Cheers \jens