Bug: AUTH_COOKIE user_id persist as long as the server runs #94
Comments
mtreacy002
added
Category: Coding
|
What: When a user logged in and retrieved their personal details through GET /user/personal_details, the user_id is kept as AUTH_COOKIE user_id. This cookie persist even though the next user logged in, until that new logged in user reetrieved their personal details. Why is this a problem?
Potential solution? Option 2. Originally thought removing previous AUTH_COOKIE usre_id through POST /login might be an option, but if the app deployed remotely and many users login, the issue will persist. (I personally don't think this is a good option) Option 3. Probably create BIT JWT token specific to BIT requests. Keep the 2 tokens (BIT and MS) as cookies and use them accordingly, BIT token for BIT requests, MS token for MS requests. Not sure how to do it, but that sounds the most logical option. Thoughts anyone? @anitab-org/bridgeintech-maintainers . Do you have any suggestion? |
mtreacy002
added
Status: On Hold
mtreacy002
added
the
Category: Outreach/Research
mtreacy002
removed
the
Status: On Hold
|
@mtreacy002 I don't understand why are we not removing the auth-cookie on user logout ? 🤔 |
|
Can I work on this issue ? |
|
Sure, @b-thebest. I'll assign this to you now. Thanks for picking up the issue 😉. |
@Rahulm2310 . The MS backend that deals with authentication has no logout feature, that's also why the BIT backend doesn't have this feature. |
|
@mtreacy002 I was trying to understand what else needed to be done from now in this project. Could you please help me understand, what should be done actually after these merge requests. |
|
After these merge requests , @b-thebest ? I’m not following. Do you mean what you need to do on this PR? If so, Please check the “expected behaviour” and the “additional context” on the issue description for what is expected from this PR 😉 |
|
@b-thebest , can you please give an update on this? |
|
@mtreacy002 I am working on this issue, need some help |
|
Sure, can you tell me what issue you're facing atm, @b-thebest? |
|
@b-thebest , how are you going with your issue? Are you able to solve the issue? |
|
I'm making this issue available again as there is no response received from the contributor. |
mtreacy002
added
the
Status: Available
Describe the bug
AUTH_COOKIE user_id from the previous logged in user persist and can be used by the next logged in user to get previous logged in user information
To Reproduce
Steps to reproduce the behavior:
Make sure you have 2 users in the database (if you don't have them, create and confirm email verifications). Here I have test0101 and test0202
Make sure one of your user has created an additional information and the other has none. Here I have user test0101 has an additional information
Logged in as test0101, get details by sending GET /user/peersonal_details which will set the AUTH_COOKIE user_id. Then view additional information, which should be returning additional information for user_id 2 (test0101 user_id)
Now login as test0202 and try get user additional information (which supposed to be for test0202) without sending GET /user/personal_details for user test0202. Notice that the api will responded by returning user test0101 additional information since the AUTH_COOKIE user_id still has the user test0101 user id.
Only when test0202 send the GET /user/personal_details this AUTH_COOKIE will change to test0202 user_id (== 3) then when you try send GET /user/additional_information request for user test0202, it will return with the proper error message : "No additional information found with your data. Please provide them now."
Expected behavior
Only authenticated user should be allowed/able to retrieve their own user additional_info with GET/user/additional_info request.
Screenshots
see gifs above
Desktop (please complete the following information):
Additional context
TO DO: upon login, previous AUTH_COOKIE user_id (if any) need to be removed.
The text was updated successfully, but these errors were encountered: