The bug:
At some point, authentication started failing for the admin user (the one used to create all projects, components, etc. automatically). Only this user was affected, and no action was possible with it.
The cause:
The reason was the length of the authentication token. This token is generated from several pieces of information, one of them being the groups the user is a member of. However, in certain scenarios, each new project automatically creates 4 new groups that include the admin user. So with over 30 projects this user already belongs to a large number of groups, and that number only keeps growing.
What we propose:
We would recommend changing the data used to generate the token, or simply the way it is generated, in TruBudget core. This situation could happen again with other partners, and the number of groups a user belongs to should not prevent them from authenticating.
[x] Remove unnecessary data from the token: anything that can be retrieved from the server (groups, ..., check others) should be retrieved from the server in any case, because token data can be outdated. E.g. when a user is added to or removed from a group, the user's token is not "updated" with the new information, nor is the user given a new token.
[x] Update any code that extracts groups from the token
[x] There are two different interfaces with the name AuthToken. Have fun with that!
[x] Update tests
EDIT: Groups are removed from only those tokens that couldn't be handled as a cookie.