Skip to content

feat: Don't warn about expected user changes in safe-sessions #28983

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
timmc-edx merged 5 commits into from
Oct 13, 2021
Merged

feat: Don't warn about expected user changes in safe-sessions #28983

timmc-edx merged 5 commits into from
Oct 13, 2021

Conversation

@timmc-edx
Copy link
Contributor

@timmc-edx timmc-edx commented Oct 7, 2021

Description

This is intended to silence a rare false positive that seems to happen when someone logs in on a browser that already has an active session for another user. We believe there should be no further positives once this case is handled.

  • login and logout views annotate the response to indicate the session user should be changing between the request and response phases
  • safe-sessions middleware skips the verify-user check when this annotation is present

Also improve tests and docs and remove an old workaround for the logout case.

Affected roles

LMS operators.

Supporting information

Ticket: ARCHBOM-1878

Testing instructions

  • Log out
  • Open login page in two tabs
  • Log into one account in first tab
  • Log into another account in second tab
  • Confirm that log messages and custom attributes do not fire

Deadline

None

@timmc-edx timmc-edx marked this pull request as draft October 7, 2021 22:01
@timmc-edx
docs: Improve comments and docstrings in safe-sessions
e38fd61
@timmc-edx
test: Test existing safe-sessions behavior
cd8ff44 
This adds a test around what actually happens when an unexpected
user-change happens.
@timmc-edx
refactor: Remove logging control based on is_from_log_out
42f8d9e 
Revert most of af9e26f/PR #11479 for two reasons:

- The safe-sessions `_verify_user` code has since changed to check for
  `request.user.id == None`
- A commit later in the PR changes the login and logout pages to
  signal that the user/session change is expected
@timmc-edx
feat: Don't warn about expected user changes in safe-sessions
484b1d9 
This is intended to silence a rare false positive that seems to happen when
someone logs in on a browser that already has an active session for another
user. We believe there should be no further positives once this case is
handled.

- login and logout views annotate the response to indicate the session user
  should be changing between the request and response phases
- safe-sessions middleware skips the verify-user check when this
  annotation is present

ref: ARCHBOM-1878
@timmc-edx timmc-edx force-pushed the timmc/1878-safe-session-exempt-login branch from a9c1702 to 484b1d9 Compare October 8, 2021 14:16
@timmc-edx timmc-edx marked this pull request as ready for review October 8, 2021 16:10
timmc-edx
timmc-edx commented Oct 8, 2021
View reviewed changes
openedx/core/djangoapps/safe_sessions/middleware.py
# page is used during an active session.
#
# The relevant views set a flag to indicate the exemption.
if getattr(response, 'safe_sessions_expected_user_change', None):
Copy link
Contributor Author

@timmc-edx timmc-edx Oct 8, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This just checks if it is present, like a flag. I was thinking of actually using the new_user_id present in the dict to validate that it matches up, which would of course add a different thing we might alert on...

rgraber
rgraber approved these changes Oct 8, 2021
View reviewed changes
@timmc-edx
fixup: Use assert_logged_for_request_user_mismatch in test
9e51e72 
(and interpolate the actual user IDs rather than hardcoding)
@edx-status-bot
Copy link

edx-status-bot commented Oct 8, 2021

Your PR has finished running tests. There were no failures.

@timmc-edx timmc-edx merged commit fe3d855 into master Oct 13, 2021
@timmc-edx timmc-edx deleted the timmc/1878-safe-session-exempt-login branch October 13, 2021 15:53
@timmc-edx timmc-edx mentioned this pull request Oct 13, 2021
Closed
@edx-pipeline-bot
Copy link
Contributor

edx-pipeline-bot commented Oct 13, 2021

EdX Release Notice: This PR has been deployed to the staging environment in preparation for a release to production.

@edx-pipeline-bot
Copy link
Contributor

edx-pipeline-bot commented Oct 13, 2021

EdX Release Notice: This PR has been deployed to the production environment.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@rgraber rgraber rgraber approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@timmc-edx @edx-status-bot @edx-pipeline-bot @rgraber