
feat(core): Logout should invalidate the auth token (no-changelog) #10335


Merged
merged 4 commits into from
Aug 22, 2024

Conversation

@netroy (Member) commented Aug 8, 2024

Summary

When a user logs out, we should also invalidate the auth token to prevent it from being used again.

Related Linear tickets, Github issues, and Community forum posts

https://linear.app/n8n/issue/SEC-75

Review / Merge checklist

  • PR title and summary are descriptive

@n8n-assistant bot added labels n8n team (Authored by the n8n team) and ui (Enhancement in /editor-ui or /design-system) Aug 8, 2024
@netroy netroy force-pushed the SEC-75-invalidate-browserId-on-logout branch from 5e5c04b to defcc05 Compare August 8, 2024 16:01
@netroy netroy marked this pull request as ready for review August 8, 2024 16:02
@netroy netroy added the security label Aug 8, 2024
alexgrozav previously approved these changes Aug 12, 2024

cypress bot commented Aug 12, 2024

Test summary

414 passed, 0 failed, 0 pending, 0 skipped, flakiness 0

Run details

Project n8n
Status Passed
Commit a883203
Started Aug 22, 2024 7:19 AM
Ended Aug 22, 2024 7:25 AM
Duration 05:31
OS Linux Debian
Browser Electron 118


✅ All Cypress E2E specs passed

@netroy netroy force-pushed the SEC-75-invalidate-browserId-on-logout branch from defcc05 to 9db4425 Compare August 14, 2024 12:18
@netroy netroy requested a review from a team as a code owner August 14, 2024 12:18
@netroy netroy changed the title fix(editor): Logout should delete browserId to invalidate the auth token (no-changelog) fix(editor): Logout should invalidate the auth token (no-changelog) Aug 14, 2024
@netroy netroy requested a review from tomi August 14, 2024 12:23
@tomi (Collaborator) left a comment


Functionality and approach seem decent 👌 Couple comments about implementation details

Comment on lines +401 to +402
ownerAgent.jar.setCookie(`${AUTH_COOKIE_NAME}=${cookie!.value}`);
await ownerAgent.get('/login').expect(401);
Collaborator

Should this be its own test case? Also should we try some other endpoint than /login as it's not normally used with the auth token?

Member Author

We should rename GET /login to GET /me instead. It keeps confusing people.

@netroy netroy changed the title fix(editor): Logout should invalidate the auth token (no-changelog) feat(core): Logout should invalidate the auth token (no-changelog) Aug 15, 2024
@netroy netroy force-pushed the SEC-75-invalidate-browserId-on-logout branch from 48208fc to b7c7ebc Compare August 21, 2024 13:28
@tomi (Collaborator) commented Aug 21, 2024

Another thing I was thinking about but forgot to ask: Should we also clean up the InvalidAuthToken table, e.g. on startup? In the long run it keeps accruing more and more rows. Not an urgent thing, but something to consider.

@netroy (Member, Author) commented Aug 21, 2024

Should we also clean up the InvalidAuthToken table

That is the plan. That's why the table already has an expiresAt timestamp.
Ideally all we need to do is fire a delete on this new repository where expiresAt is in the past. But I want to rethink how we do startup tasks before I add yet another one.
Since this table is going to fill up relatively slowly, we don't need to do this right away, and can do this much later.
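The two points raised in this thread, the reused-cookie test (a logged-out token must get a 401 from an authenticated endpoint) and the eventual cleanup of the InvalidAuthToken table by expiresAt, can be shown end to end with a small model. The following is an added example written for this page, not n8n's code: the token format (base64url JSON payload signed with HMAC-SHA256), the in-memory Map standing in for the InvalidAuthToken table, the row shape (token hash plus expiresAt), and the class and function names are all assumptions made for the illustration.

```typescript
import { createHash, createHmac, timingSafeEqual } from 'node:crypto';

// Constructed toy token format (assumption): base64url(JSON payload) + '.' + HMAC-SHA256.
// It stands in for the real auth cookie only so the denylist logic can run offline.
const SECRET = 'constructed-example-secret';

interface TokenPayload {
  userId: string;
  exp: number; // expiry, unix seconds
}

function signToken(payload: TokenPayload): string {
  const body = Buffer.from(JSON.stringify(payload)).toString('base64url');
  const mac = createHmac('sha256', SECRET).update(body).digest('base64url');
  return `${body}.${mac}`;
}

// Returns the payload of a well-signed, unexpired token, otherwise null.
function verifyToken(token: string, now: number): TokenPayload | null {
  const [body, mac] = token.split('.');
  if (!body || !mac) return null;
  const expected = createHmac('sha256', SECRET).update(body).digest();
  const given = Buffer.from(mac, 'base64url');
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  try {
    const payload = JSON.parse(Buffer.from(body, 'base64url').toString('utf8')) as TokenPayload;
    return payload.exp > now ? payload : null;
  } catch {
    return null;
  }
}

// In-memory stand-in for an InvalidAuthToken table (assumed shape, not n8n's schema):
// one row per logged-out token, keyed by a hash of the token so the table itself
// never holds a usable credential, carrying the token's own expiry as expiresAt.
class InvalidAuthTokenRepository {
  private readonly rows = new Map<string, number>(); // tokenHash -> expiresAt

  private static key(token: string): string {
    return createHash('sha256').update(token).digest('hex');
  }

  insert(token: string, expiresAt: number): void {
    this.rows.set(InvalidAuthTokenRepository.key(token), expiresAt);
  }

  has(token: string): boolean {
    return this.rows.has(InvalidAuthTokenRepository.key(token));
  }

  // The cleanup discussed above: DELETE ... WHERE expiresAt <= now. It is safe to
  // run at any time, because an expired token is rejected by verifyToken anyway.
  deleteExpired(now: number): number {
    let removed = 0;
    this.rows.forEach((expiresAt, key) => {
      if (expiresAt <= now) {
        this.rows.delete(key);
        removed += 1;
      }
    });
    return removed;
  }

  get size(): number {
    return this.rows.size;
  }
}

class AuthService {
  constructor(public readonly invalidTokens = new InvalidAuthTokenRepository()) {}

  login(userId: string, now: number, ttlSeconds = 3600): string {
    return signToken({ userId, exp: now + ttlSeconds });
  }

  // Status a protected endpoint (GET /me in the discussion above) would answer with.
  authenticate(token: string, now: number): 200 | 401 {
    if (verifyToken(token, now) === null) return 401; // bad signature or expired
    if (this.invalidTokens.has(token)) return 401; // logged out before expiry
    return 200;
  }

  // Logout records the token until its own expiry; an expired or forged token needs
  // no row because authenticate() already rejects it.
  logout(token: string, now: number): void {
    const payload = verifyToken(token, now);
    if (payload !== null) this.invalidTokens.insert(token, payload.exp);
  }
}

// The scenario from the review comment: the same cookie is presented again after logout.
function runScenario(): { beforeLogout: number; afterLogout: number; rowsRemovedAtExpiry: number } {
  const auth = new AuthService();
  const t0 = 1_700_000_000; // constructed clock, unix seconds
  const token = auth.login('owner', t0);
  const beforeLogout = auth.authenticate(token, t0 + 1);
  auth.logout(token, t0 + 2);
  const afterLogout = auth.authenticate(token, t0 + 3);
  const rowsRemovedAtExpiry = auth.invalidTokens.deleteExpired(t0 + 3600);
  return { beforeLogout, afterLogout, rowsRemovedAtExpiry };
}
```

Storing expiresAt on the denylist row is what makes the cleanup trivial: a row is only useful while the token it names would otherwise still verify, so anything past its expiry can be deleted without changing any authentication decision.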

@tomi (Collaborator) left a comment


🚀


✅ All Cypress E2E specs passed

@netroy netroy merged commit 9fe6a71 into master Aug 22, 2024
32 checks passed
@netroy netroy deleted the SEC-75-invalidate-browserId-on-logout branch August 22, 2024 07:33
MiloradFilipovic added a commit that referenced this pull request Aug 22, 2024
* master:
  ci: Fix benchmark cli path (no-changelog) (#10506)
  refactor(core): Standardize filenames in `cli` (no-changelog) (#10484)
  fix(AI Agent Node): Allow AWS Bedrock Chat to be used with conversational agent (#10489)
  feat(AI Agent Node): Add tutorial link to agent node (#10493)
  feat: Add n8n-benchmark cli (no-changelog) (#10410)
  feat(core): Logout should invalidate the auth token (no-changelog) (#10335)
  refactor(editor): Add types to importCurlEventBus (no-changelog) (#10497)
  refactor(editor): Add types to htmlEditorEventBus (no-changelog) (#10498)
  refactor(editor): Add types for dataPinningEventBus (no-changelog) (#10499)
  refactor(editor): Add types to codeNodeEditorEventBus (no-changelog) (#10501)
@janober (Member) commented Aug 28, 2024

Got released with n8n@1.57.0

Labels
n8n team (Authored by the n8n team), Released, security, ui (Enhancement in /editor-ui or /design-system)
4 participants