
Remove CAM token from JWT #43

Merged: 1 commit merged into develop from refactor/remove-cam-token-jwt on Sep 12, 2023

Conversation

@camargo (Member) commented Sep 12, 2023

Resolves: NASA-AMMOS/aerie#1138

  • Remove CAM token check from session endpoint
  • Remove CAM user endpoint, and just get user from the JWT where needed
  • Remove logout endpoint, function, and type
  • Remove unused res.locals.username settings in auth middleware

@camargo camargo self-assigned this Sep 12, 2023
@camargo camargo added labels Sep 12, 2023: refactor (A code change that neither fixes a bug nor adds a feature), breaking change (A change that will require updating downstream code)
@mattdailis (Collaborator) commented:

For context: NASA-AMMOS/aerie#1138

A consequence of this change is that the JWT expiration becomes the only source of truth for whether a user is logged in or not. This obviates the need for a /logout endpoint - since there is no way to invalidate a JWT prior to its expiration.

* Remove CAM token check from session endpoint
* Remove CAM user profile call from user endpoint, and just get user from the JWT
* Remove logout endpoint, function, and type
* Remove unused res.locals.username settings in auth middleware

@mattdailis mattdailis left a comment


Chris gave me a walkthrough - looks good to me.

Worth thinking through the implications for downstream applications. Certainly the UI needs updating. Aerie CLI and MAST will as well. We'll need to make the necessary changes clear in our release notes.

EDIT: Chris pointed out that it's uncommon for a CLI to call the logout endpoint, so the blast radius may be pretty small.

@camargo camargo merged commit 673ad17 into develop Sep 12, 2023
2 checks passed
@camargo camargo deleted the refactor/remove-cam-token-jwt branch September 12, 2023 23:19
Linked issue closed by this merge: Only check JWT session (NASA-AMMOS/aerie#1138)