langgenius / dify

Dify is an open-source LLM app development platform. Dify's intuitive interface combines AI workflow, RAG pipeline, agent capabilities, model management, observability features and more, letting you quickly go from prototype to production.
https://dify.ai
52.36k stars, 7.64k forks

User Logs Out Within Access Token Expiration Time, Old Access Token Still Used in Request Header Causes Background Interface to Remain Accessible #10962

Closed 113223 closed 13 hours ago

113223 commented 13 hours ago

Self Checks

Dify version

0.11

Cloud or Self Hosted

Self Hosted (Source)

Steps to reproduce

When the user exits within the expiration time of the access_token, but the old access_token is still used in the request header, the background interface can still be accessed (see the problem image).

  1. First, log in with an account
  2. Second, get the Authorization header from the WebUI
  3. Third, click the logout button on the WebUI
  4. Using Postman, the background interface can still be accessed

✔️ Expected Behavior

When the user exits within the expiration time of the access_token, but the old access_token is still used in the request header, the background interface cannot be accessed.

❌ Actual Behavior

No response

dosubot[bot] commented 13 hours ago

Hey @113223! I'm here to help you with any bugs, questions, or contributions you have for the Dify project. Let me know how I can assist you!

The issue you're experiencing seems to be related to the access token not being invalidated immediately upon logout. In the Dify codebase, the logout functionality involves revoking the access token by deleting it from the Redis store using the revoke_token method in the TokenManager class. This should prevent further access with the token [1].

Here are a few things you might want to check or try:

  1. Ensure Token Revocation: Verify that the revoke_token method is being called correctly when the logout action is triggered. This method should delete the token from Redis, effectively invalidating it.

  2. Redis Configuration: Check your Redis configuration to ensure that the token is being stored and deleted as expected. Any issues with Redis connectivity or configuration might affect token revocation.

  3. Frontend Token Removal: Make sure that the frontend is correctly removing the access token from client-side storage upon logout. The removeAccessToken function should handle this by deleting the token from localStorage [2].

  4. API Endpoint: Confirm that the API endpoint responsible for handling logout is correctly implemented to interact with the token revocation process.

If these steps do not resolve the issue, there might be a need to further investigate the specific implementation details or any potential bugs in the codebase related to token management.

To continue talking to Dosu, mention @dosu.

laipz8200 commented 13 hours ago

This is how JWT works: it will expire quickly after you log out. More importantly, make sure to keep your token safe and avoid any leaks.

113223 commented 13 hours ago

rks: it will expire quickly after you log ou

In fact, it will not expire quickly after you log out. When I use the AccountService.logout(account=account) function, it clears the refresh_token, but the access_token does not expire quickly; the old access_token is still used in the request header, and the background interface can still be accessed.

laipz8200 commented 13 hours ago

This is as expected. Please confirm that you are familiar with the JWT authorization.

If you have stricter security requirements, you can shorten the validity period of the JWT by adjusting the ACCESS_TOKEN_EXPIRE_MINUTES. However, it will still be usable until it expires.
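The point laipz8200 makes (a signed JWT is accepted until its exp, and ACCESS_TOKEN_EXPIRE_MINUTES only shortens that window) and the server-side revocation dosubot refers to can be seen side by side in the following added Python example. It is not Dify's code: it mints a minimal HS256 JWT with the standard library, uses an in-memory dict as a stand-in for the Redis denylist, and the names issue_access_token, RevocationStore, verify_access_token, logout and demo, as well as the secret and the timestamps, are constructed for the illustration. The only name taken from the thread is ACCESS_TOKEN_EXPIRE_MINUTES; its value here is an assumption.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple

# Constructed secret for the example only; a deployment reads its own SECRET_KEY from config.
SECRET_KEY = b"example-secret-do-not-use"
ACCESS_TOKEN_EXPIRE_MINUTES = 60  # name from the thread; the value is an assumption


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_access_token(user_id: str, jti: str, now: float,
                       expire_minutes: int = ACCESS_TOKEN_EXPIRE_MINUTES) -> str:
    """Mint a minimal HS256 JWT. `jti` is a unique id the server can later deny."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "jti": jti, "iat": int(now), "exp": int(now) + expire_minutes * 60}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class RevocationStore:
    """Stand-in for a Redis denylist: revoked jti -> the token's own exp.

    An entry only has to outlive the token it denies, so purging entries whose
    exp has passed keeps the store bounded (in Redis this would be a key TTL)."""

    def __init__(self) -> None:
        self._revoked: Dict[str, int] = {}

    def revoke(self, jti: str, exp: int) -> None:
        self._revoked[jti] = exp

    def purge(self, now: float) -> None:
        self._revoked = {j: e for j, e in self._revoked.items() if e > now}

    def is_revoked(self, jti: str, now: float) -> bool:
        self.purge(now)
        return jti in self._revoked


def verify_access_token(token: str, store: RevocationStore, now: float) -> Optional[dict]:
    """Return the payload if the signature verifies, exp is in the future and the
    jti is not revoked; otherwise None. Without the store lookup this is exactly
    the stateless check that keeps accepting a token after logout."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        expected = hmac.new(SECRET_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None  # tampered, or signed with another key
        payload = json.loads(_b64url_decode(payload_b64))
    except (ValueError, json.JSONDecodeError):
        return None  # malformed token
    if payload.get("exp", 0) <= now:
        return None  # expired: the only check a purely stateless JWT gets
    if store.is_revoked(payload.get("jti", ""), now):
        return None  # logged out before exp: rejected only because of the denylist
    return payload


def logout(token: str, store: RevocationStore, now: float) -> bool:
    """Server-side logout: deny this token's jti until its own exp."""
    payload = verify_access_token(token, store, now)
    if payload is None:
        return False
    store.revoke(payload["jti"], payload["exp"])
    return True


def demo() -> Tuple[bool, bool, bool]:
    """Constructed timeline: (accepted before logout, accepted after logout, accepted after exp)."""
    store = RevocationStore()
    t0 = 1_700_000_000.0  # constructed epoch timestamp
    token = issue_access_token("user-1", "jti-abc", t0)
    before = verify_access_token(token, store, t0 + 60) is not None
    logout(token, store, t0 + 120)
    after = verify_access_token(token, store, t0 + 180) is not None
    after_exp = verify_access_token(token, store, t0 + ACCESS_TOKEN_EXPIRE_MINUTES * 60 + 1) is not None
    return before, after, after_exp


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Deleting the revocation lookup from verify_access_token reproduces the behaviour reported in the issue: after logout the token is still accepted until exp, and lowering ACCESS_TOKEN_EXPIRE_MINUTES only narrows that window. The denylist is the trade-off for closing it: one store round-trip per request, bounded by the number of tokens revoked before their natural expiry.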

113223 commented 11 hours ago

This is as expected. Please confirm that you are familiar with the JWT authorization.

If you have stricter security requirements, you can shorten the validity period of the JWT by adjusting the ACCESS_TOKEN_EXPIRE_MINUTES. However, it will still be usable until it expires.

Got it, thank you.