Clear invalid session cookies #22327
Conversation
🦋 Changeset detectedLatest commit: 3ae3b1c The changes in this PR will be included in the next version bump. This PR includes changesets to release 2 packages
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
api/src/middleware/authenticate.ts
Outdated
| } catch (error) { | ||
| // Clear the session cookie if the provided token is invalid, | ||
| // allowing the client to login again | ||
| if (isDirectusError(error, ErrorCode.InvalidToken) && req.tokenSource === 'cookie') { | ||
| const env = useEnv(); | ||
| res.clearCookie(env['SESSION_COOKIE_NAME'] as string, SESSION_COOKIE_OPTIONS); | ||
| } | ||
|
|
There was a problem hiding this comment.
I feel like it may be overkill to introduce a tokenSource for all the sources purely to check for a session token here 🤔 perhaps we can simplify it to something like this:
| } catch (error) { | |
| // Clear the session cookie if the provided token is invalid, | |
| // allowing the client to login again | |
| if (isDirectusError(error, ErrorCode.InvalidToken) && req.tokenSource === 'cookie') { | |
| const env = useEnv(); | |
| res.clearCookie(env['SESSION_COOKIE_NAME'] as string, SESSION_COOKIE_OPTIONS); | |
| } | |
| } catch (error) { | |
| // Clear the session cookie if the provided token is invalid, allowing the client to login again | |
| const env = useEnv(); | |
| const cookie_name = env['SESSION_COOKIE_NAME'] as string; | |
| if (isDirectusError(error, ErrorCode.InvalidToken) && req.cookies[cookie_name]) { | |
| res.clearCookie(cookie_name, SESSION_COOKIE_OPTIONS); | |
| } |
Or we could check the actual token to determine if it is a session token but i think this can suffice 🤔
There was a problem hiding this comment.
Wasn't a fan of having it in the request either 👍 But I'd like to be certain about the token source to prevent any (malicious or unintended) logouts via invalid access_token queries.
Therefore, I've now combined the extractToken and getAccountability functions in the authenticate middleware, so we can easily access the source where we need it.
IMO that structure makes more sense anyway - we do not need to distribute these two functions, which both serve the purpose of authentication, across two middleware.
This also makes testing easier/cleaner (which I've also cleaned-up now).
On that note, we could now also drop req.token, as it is not used anywhere in the API. However, there could be extensions that make use of this... Would certainly be a separate PR.
There was a problem hiding this comment.
This solution feels like the simplest one
I don't feel this review statement still holds after the latest refactor. While im not against the merging of these 2 middle wares it looks like some other unrelated (maybe unintended) things were refactored here as well.
Will have to review from scratch again.
paescuj
force-pushed
the
clear-invalid-session-cookie
branch
from
8b014c0
to
267c946
Compare
Scope
In some cases tokens can become invalid. For example, if the signing secret has changed since the token was issued, which will especially be the case in dev/test environments after merging #22320.
A client with an invalid token won't be able to perform any requests. This is particularly cumbersome in browsers using the session cookie mode (Data Studio) as the cookie would have to be deleted manually, in order to be able to refresh the session (login) and get a valid token again.
This PR ensures such invalid session cookies are cleared from the client's cookie store. For the Data Studio, this means the login page will be shown instead of a reoccurring error message (for open tabs, a page refresh might be necessary).
Potential Risks / Drawbacks
Review Notes / Questions
None