Revoke session on logout. #607
Conversation
|
Would it make sense to return 409 for this case also? Session might exist, but it belongs to a different user. tiled/tiled/server/authentication.py Lines 931 to 936 in cfb4cf3 |
|
I think 404 is right in this case. The user is providing an ID, and this follows the principle, "If this isn't yours, you're now allowed to know whether or not it exists." |
Oh, right. That make sense. |
| if session is None: | ||
| raise HTTPException(409, detail=f"No session {session_id}") | ||
| session.revoked = True | ||
| db.add(session) |
There was a problem hiding this comment.
In SQLAlchemy, is Session.add() an "upsert" operation -- it will perform INSERT or UPDATE as needed?
There was a problem hiding this comment.
There was a problem hiding this comment.
(As usual with SQLAlchemy, the documentation is sprawling and specific things can be hard to find.)
| @@ -1095,12 +1116,13 @@ async def whoami( | |||
| ) | |||
|
|
|||
|
|
|||
| @base_authentication_router.post("/logout") | |||
| @base_authentication_router.post("/logout", include_in_schema=False) | |||
There was a problem hiding this comment.
This might be a moot point because it's already removed for the schema, but wanted to point out here the deprecated keyword as a possibility.
| @base_authentication_router.post("/logout", include_in_schema=False) | |
| @base_authentication_router.post("/logout", include_in_schema=False, deprecated=True) |
There was a problem hiding this comment.
Moot but good to know about!
Closes #602
In
main, logging out with the Python client discards the relevant tokens, but it leaves the session open. Anyone holding a copy of the refresh token (somehow) can refresh the session and continue to use it, as long as they do so within the refresh token lifetime (days or weeks).Now, logging out first revokes the session, such that it can not be refreshed again, and then discards the tokens. A new unit test verifies that the old refresh token cannot be reused after logout.