search

ssl-hep / ServiceX_frontend

Client access library for ServiceX
https://servicex-frontend.readthedocs.io/
BSD 3-Clause "New" or "Revised" License
5 stars 11 forks source link

Long-running transforms can lose their authentication #473

Closed ponyisi closed 1 month ago

ponyisi commented 2 months ago

For a long-running transformation we can get authentication errors, as seen from the backend:

Traceback (most recent call last):
  File "/usr/local/lib/python3.10/site-packages/flask/app.py", line 1484, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/local/lib/python3.10/site-packages/flask/app.py", line 1469, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
  File "/usr/local/lib/python3.10/site-packages/flask_restful/__init__.py", line 489, in wrapper
    resp = resource(*args, **kwargs)
  File "/usr/local/lib/python3.10/site-packages/flask/views.py", line 109, in view
    return current_app.ensure_sync(self.dispatch_request)(**kwargs)
  File "/usr/local/lib/python3.10/site-packages/flask_restful/__init__.py", line 604, in dispatch_request
    resp = meth(*args, **kwargs)
  File "/home/servicex/servicex_app/decorators.py", line 52, in inner
    verify_jwt_in_request(locations=["headers"])
  File "/usr/local/lib/python3.10/site-packages/flask_jwt_extended/view_decorators.py", line 94, in verify_jwt_in_request
    jwt_data, jwt_header, jwt_location = _decode_jwt_from_request(
  File "/usr/local/lib/python3.10/site-packages/flask_jwt_extended/view_decorators.py", line 340, in _decode_jwt_from_request
    decoded_token = decode_token(encoded_token, csrf_token)
  File "/usr/local/lib/python3.10/site-packages/flask_jwt_extended/utils.py", line 128, in decode_token
    return jwt_manager._decode_jwt_from_config(encoded_token, csrf_value, allow_expired)
  File "/usr/local/lib/python3.10/site-packages/flask_jwt_extended/jwt_manager.py", line 556, in _decode_jwt_from_config
    return _decode_jwt(**kwargs, allow_expired=allow_expired)
  File "/usr/local/lib/python3.10/site-packages/flask_jwt_extended/tokens.py", line 95, in _decode_jwt
    decoded_token = jwt.decode(
  File "/usr/local/lib/python3.10/site-packages/jwt/api_jwt.py", line 211, in decode
    decoded = self.decode_complete(
  File "/usr/local/lib/python3.10/site-packages/jwt/api_jwt.py", line 163, in decode_complete
    self._validate_claims(
  File "/usr/local/lib/python3.10/site-packages/jwt/api_jwt.py", line 249, in _validate_claims
    self._validate_exp(payload, now, leeway)
  File "/usr/local/lib/python3.10/site-packages/jwt/api_jwt.py", line 307, in _validate_exp
    raise ExpiredSignatureError("Signature has expired")
jwt.exceptions.ExpiredSignatureError: Signature has expired

We should either re-auth under these conditions, or the server should send a redirect that does it automatically (not sure if that's possible?)