Allow a non-public user to get their event context

[chris-allan]

It's very useful for a non-public user to be able to retrieve the current event context at any time rather than just at login; particularly so for scenarios where API access is being done by OMERO session key. This is especially important when using OMERO session creation strategies such as single sign on (SSO) or other login view plugin. Otherwise, retrieving the current OMERO session key, knowing one's current groups, etc. is currently impossible from OMERO.web APIs.

The requirement for POST, where the request is subject to all the standard CSRF protection criteria enforced by Django, is to prevent session hijacking via clickjacking or similar attacks.

To test, simply open your browser developer tools to the network tab and log in to OMERO.web. Really any request will do but the initial one to /webclient/ is usually the easiest to handle. You will want to copy the entirety of the Cookie: header, for example:

csrftoken=ZJ6JVp6ngjvMVtaTQAzR97lRd4CWlE7flaUbtx3N2kJ0Mk18RYOyeUZzeNl3mEXI; sessionid=q264uf0l6qatjn1da76cd0ny9xo29l27

You can then craft a suitable request to /api/v0/login/ via curl to ensure the event context can be retrieved. For example:

curl -X POST \
    -H 'Referrer: http://localhost/api/v0/login/' \
    -H 'Cookie: csrftoken=ZJ6JVp6ngjvMVtaTQAzR97lRd4CWlE7flaUbtx3N2kJ0Mk18RYOyeUZzeNl3mEXI; sessionid=q264uf0l6qatjn1da76cd0ny9xo29l27' \
    -d 'csrfmiddlewaretoken=ZJ6JVp6ngjvMVtaTQAzR97lRd4CWlE7flaUbtx3N2kJ0Mk18RYOyeUZzeNl3mEXI' \
        http://localhost/api/v0/login/

Where the value for the Cookie: is what you copied from your network tab and the value of csrfmiddlewaretoken is the same as the csrftoken from your cookie. Referrer: is essential if you are using HTTPS; the same URL you are sending the POST to.

The response should look something like:

{
  "success": true,
  "eventContext": {
    "sessionId": 12126,
    "sessionUuid": "bc307c16-cbf7-4329-b0e2-5ea75d8cce70",
    "userId": 0,
    "userName": "root",
    "groupId": 0,
    "groupName": "system",
    "isAdmin": true,
    "eventId": -1,
    "eventType": "User",
    "memberOfGroups": [
      0,
      1
    ],
    "leaderOfGroups": [
      0
    ]
  }
}

You can then destroy your session via the omero-py CLI:

$ omero -s localhost -k 'bc307c16-cbf7-4329-b0e2-5ea75d8cce70' shell --login
Joined session for root@localhost :4064. Idle timeout: 10 min. Current group: system
Python 3.10.6 (main, Nov  2 2022, 18:53:38) [GCC 11.3.0]
Type 'copyright', 'credits' or 'license' for more information
IPython 8.5.0 -- An enhanced Interactive Python. Type '?' for help.

In [1]: client.destroySession('bc307c16-cbf7-4329-b0e2-5ea75d8cce70')
Out[1]: 1

and ensure the regular behaviour is present by re-executing your curl crafted as above where you will get a response like:

{
  "message": "Username: This field is required. Password: This field is required. Server: This field is required."
}

[will-moore]

I tried this on merge-ci... but this just returned me the login page html:

curl -X POST \
    -H 'Referrer: https://merge-ci.openmicroscopy.org/web/webclient/login/' \
    -H 'Cookie: csrftoken=42wRU6FIm5moi8Igei0k1MlhqMmKn67JR3Co6hzddYDBkQssTvJRnTTBAkMEoxzW; sessionid=9ymovc1yaqspdmopgj18c3d23dpc3w94' \
    -d 'csrfmiddlewaretoken=42wRU6FIm5moi8Igei0k1MlhqMmKn67JR3Co6hzddYDBkQssTvJRnTTBAkMEoxzW' \
        https://merge-ci.openmicroscopy.org/web/webclient/login/

According to snoopycrimecop@02e18f3 and redeployed with https://merge-ci.openmicroscopy.org/jenkins/job/OMERO-web/ the PR should be there, but is there any way to check?
Any reason why this wouldn't work over https? I've had similar issues with https before.

[chris-allan]

webclient's behaviour is different as it uses its own LoginView implementation. You will need to use /api/v0/login/ (trailing slash also essential) as detailed in the description. Let me know if that still doesn't work and we can try to debug it together.

[will-moore]

Oops - my mistake. But I'm afraid that using the correct URL didn't get me there either:

$ curl -X POST \
>     -H 'Referrer: https://merge-ci.openmicroscopy.org/web/api/v0/login/' \
>     -H 'Cookie: csrftoken=42wRU6FIm5moi8Igei0k1MlhqMmKn67JR3Co6hzddYDBkQssTvJRnTTBAkMEoxzW; sessionid=9ymovc1yaqspdmopgj18c3d23dpc3w94' \
>     -d 'csrfmiddlewaretoken=42wRU6FIm5moi8Igei0k1MlhqMmKn67JR3Co6hzddYDBkQssTvJRnTTBAkMEoxzW' \
>         https://merge-ci.openmicroscopy.org/web/api/v0/login/
{"message": "Username: This field is required. Password: This field is required. Server: This field is required."}

[jburel]

I got the same output while testing earlier. I forgot to copy it

[jburel]

With this morning build
on merge-ci

curl     -H 'Referrer: http://merge-ci.openmicroscopy.org/web/api/v0/login/' \
    -H 'Cookie: csrftoken=siXhA8szbtgx3EmeWaMZsjnVG4tnwYUXplT4lw98FSdEJLbi4vCxjrNF5OVv5nhR; sessionid=3uza0r1lqpjoujq51hmwqznb9cqlahhf' \
        -d 'csrfmiddlewaretoken=siXhA8szbtgx3EmeWaMZsjnVG4tnwYUXplT4lw98FSdEJLbi4vCxjrNF5OVv5nhR' \
        https://merge-ci.openmicroscopy.org/web/api/v0/login/
{"success": true, "eventContext": {"sessionId": 250259, "sessionUuid": "81409bf1-f743-4d60-9565-321e288461ba", "userId": 452, "userName": "user-1", "groupId": 453, "groupName": "private-1", "isAdmin": false, "eventId": -1, "eventType": "User", "memberOfGroups": [453, 1, 903], "leaderOfGroups": [903, 453]}}%  

[jburel]

latest-ci (Expected)

curl -X POST \
    -H 'Referrer: http://latest-ci.openmicroscopy.org/web/api/v0/login/' \
    -H 'Cookie: csrftoken=MCzWRKWEhELm6YUeM6ubxt7AxdzE1RTHSdL3Qf0rFnof6nrkMay3lluQBKU7wZEx; sessionid=h9rf2pffqgyf13kvaxkwsnm1hbmr6v3d' \
        -d 'csrfmiddlewaretoken=MCzWRKWEhELm6YUeM6ubxt7AxdzE1RTHSdL3Qf0rFnof6nrkMay3lluQBKU7wZEx' \
        https://latest-ci.openmicroscopy.org/web/api/v0/login/
{"message": "Username: This field is required. Password: This field is required. Server: This field is required."}% 

[jburel]

merge-ci

• user has logged out
• attempt to use session and token from previous connection

curl -X POST \
    -H 'Referrer: http://merge-ci.openmicroscopy.org/web/api/v0/login/' \
    -H 'Cookie: csrftoken=siXhA8szbtgx3EmeWaMZsjnVG4tnwYUXplT4lw98FSdEJLbi4vCxjrNF5OVv5nhR; sessionid=3uza0r1lqpjoujq51hmwqznb9cqlahhf' \
        -d 'csrfmiddlewaretoken=siXhA8szbtgx3EmeWaMZsjnVG4tnwYUXplT4lw98FSdEJLbi4vCxjrNF5OVv5nhR' \
        https://merge-ci.openmicroscopy.org/web/api/v0/login/
{"message": "Username: This field is required. Password: This field is required. Server: This field is required."}%  

[will-moore]

Some integration test failures today with login tests: https://merge-ci.openmicroscopy.org/jenkins/job/OMERO-test-integration/1306/

[will-moore]

Looking good on merge-ci.
NB: if you want an easy way to get sessionId from web-UI, open the dev-tools console and enter:

$.post("https://merge-ci.openmicroscopy.org/web/api/v0/login/", (rsp)=>console.log(rsp));

[chris-allan]

6e2a45b should resolve the test failures by ensuring that the logic does not run when any form fields are provided. I'm pretty sure what was happening is that the tests were not logging out between requests so you were getting the current event context when providing "incorrect" fields.

[will-moore]

Thanks for that Chris, and nice that it doesn't need to update tests (no change in functionality).
However, it would probably be nice to have an integration test for this new functionality?

[chris-allan]

However, it would probably be nice to have an integration test for this new functionality?

Definitely. I would have done it right away but didn't want to create omero-py vs. openmicroscopy merge order issues for everyone since the integration tests are not in this repository. Would you like them done before or after this PR is merged?

[will-moore]

I don't think that integration tests are a blocker for this PR. Whenever works really.

[jburel]

One remaining failure
https://merge-ci.openmicroscopy.org/jenkins/job/OMERO-test-integration/lastCompletedBuild/testReport/OmeroWeb.test.integration.test_api_login/TestLogin/test_login_errors_credentials2_/

[chris-allan]

c61e6aa should resolve the last test failure. It will be very tricky to integration test all these conditions with the different ways to provide CSRF tokens and the login/logout semantics of the current test suite here but I'll try once things are green with what we have now.

[chris-allan]

Build #1310 (Dec 13, 2022 1:13:47 AM)

https://merge-ci.openmicroscopy.org/jenkins/job/OMERO-test-integration/1310/

Test Result (no failures)

[will-moore]

$.post("https://merge-ci.openmicroscopy.org/web/api/v0/login/", (rsp)=>console.log(rsp)); is still working for me on merge-ci.
Tests passing.
👍