remove user token after account is deleted #5149
Conversation
IOS-309 REST: evict access token for deleted account
We should make sure to evict the associated access token after deleting the account from backend. |
There was a problem hiding this comment.
As per the updated issue description, we should do this when the user logs out too. It's slightly less relevant there, as logging in will reset the token anyway, but there's no reason to keep the old auth token around if the user has logged out.
Reviewable status: 0 of 3 files reviewed, all discussions resolved
| @@ -37,6 +38,10 @@ extension REST { | |||
| }) | |||
| } | |||
| } | |||
|
|
|||
| func invalidateToken(for accountNumber: String) { | |||
There was a problem hiding this comment.
AccessTokenProvider is bound by accountNumber so technically you don't have to accept accountNumber as input, you could just use self.accountNumber
mojganii
force-pushed
the
rest-evict-access-token-for-deleted-account-ios-309
branch
from
00cbcf6 to
4a5e637
Compare
There was a problem hiding this comment.
Reviewed 1 of 3 files at r1, 2 of 2 files at r2.
Reviewable status:complete! all files reviewed, all discussions resolved
mojganii
force-pushed
the
rest-evict-access-token-for-deleted-account-ios-309
branch
from
4a5e637 to
68bedf0
Compare
There was a problem hiding this comment.
Reviewable status: 3 of 4 files reviewed, 1 unresolved discussion (waiting on @mojganii)
ios/MullvadREST/RESTDevicesProxy.swift line 163 at r3 (raw file):
/// The completion handler will receive `true` if device is successfully removed, /// otherwise `false` if device is not found or already removed. public func deleteDevice(
I am afraid that removing device does not qualify as "log out", because we do that from other places too. It would be better to release all access tokens from SetAccountOperation when .unset action is given and perhaps at the very end after we delete a device.
In essence REST.ProxyFactory is the one creating REST.AccessTokenManager and then it holds it in REST.ProxyFactory.configuration.accessTokenManager property.
We could perhaps pass REST.AccessTokenManager all the way from AppDelegate into TunnelManager and then to SetAccountOperation so that we could tell it directly to remove all tokens right after logging out.
Note that the task card specifies that we should delete all tokens on logout.
There was a problem hiding this comment.
Reviewed 1 of 1 files at r3.
Reviewable status: all files reviewed, 1 unresolved discussion (waiting on @mojganii)
There was a problem hiding this comment.
Reviewed all commit messages.
Reviewable status: all files reviewed, 2 unresolved discussions (waiting on @mojganii and @pronebird)
ios/MullvadREST/RESTDevicesProxy.swift line 163 at r3 (raw file):
Previously, pronebird (Andrej Mihajlov) wrote…
I am afraid that removing device does not qualify as "log out", because we do that from other places too. It would be better to release all access tokens from
SetAccountOperationwhen.unsetaction is given and perhaps at the very end after we delete a device.In essence
REST.ProxyFactoryis the one creatingREST.AccessTokenManagerand then it holds it inREST.ProxyFactory.configuration.accessTokenManagerproperty.We could perhaps pass
REST.AccessTokenManagerall the way fromAppDelegateintoTunnelManagerand then toSetAccountOperationso that we could tell it directly to remove all tokens right after logging out.Note that the task card specifies that we should delete all tokens on logout.
I agree.
I would suggest to revert the current PR, and go with @pronebird 's suggestion
ios/MullvadREST/RESTDevicesProxy.swift line 169 at r3 (raw file):
completion: @escaping CompletionHandler<Bool> ) -> Cancellable { let accessTokenProvider = createAuthorizationProvider(accountNumber: accountNumber)
This shouldn't be needed here.
There was a problem hiding this comment.
Reviewed 1 of 3 files at r1, 2 of 2 files at r2, 1 of 1 files at r3, all commit messages.
Reviewable status: all files reviewed, 2 unresolved discussions (waiting on @mojganii and @pronebird)
There was a problem hiding this comment.
Reviewable status: all files reviewed, 2 unresolved discussions (waiting on @buggmagnet)
ios/MullvadREST/RESTDevicesProxy.swift line 169 at r3 (raw file):
Previously, buggmagnet wrote…
This shouldn't be needed here.
It's a matter of preference and technically REST can invalidate tokens for accounts that it removes, because it knows when it does that.
It's just that there is no separate call for logout so in that regard certainly tunnel manager is the best equipped to clean all tokens after the fact.
mojganii
force-pushed
the
rest-evict-access-token-for-deleted-account-ios-309
branch
from
68bedf0 to
74d7427
Compare
There was a problem hiding this comment.
Reviewable status: 0 of 8 files reviewed, 2 unresolved discussions (waiting on @buggmagnet, @pronebird, and @rablador)
ios/MullvadREST/RESTDevicesProxy.swift line 163 at r3 (raw file):
Previously, buggmagnet wrote…
I agree.
I would suggest to revert the current PR, and go with @pronebird 's suggestion
Done.
ios/MullvadREST/RESTDevicesProxy.swift line 169 at r3 (raw file):
Previously, pronebird (Andrej Mihajlov) wrote…
It's a matter of preference and technically REST can invalidate tokens for accounts that it removes, because it knows when it does that.
It's just that there is no separate call for logout so in that regard certainly tunnel manager is the best equipped to clean all tokens after the fact.
Done.
There was a problem hiding this comment.
Reviewed 8 of 8 files at r4, all commit messages.
Reviewable status: all files reviewed, 1 unresolved discussion (waiting on @buggmagnet)
buggmagnet
force-pushed
the
rest-evict-access-token-for-deleted-account-ios-309
branch
from
74d7427 to
893b0fb
Compare
buggmagnet
force-pushed
the
rest-evict-access-token-for-deleted-account-ios-309
branch
from
893b0fb to
0f3965e
Compare
buggmagnet
deleted the
rest-evict-access-token-for-deleted-account-ios-309
branch
This PR introduces a crucial improvement to our system. After an account is deleted, it is essential to remove the associated user token from memory. This enhancement ensures that user data remains secure and reduces the risk of unauthorized access.
This change is