Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: update jwt vs session user monitoring #398

Merged
merged 2 commits into from
Oct 31, 2023

Conversation

robrap
Copy link
Contributor

@robrap robrap commented Oct 25, 2023

Description:

An issue was found when both ENABLE_JWT_VS_SESSION_USER_CHECK and ENABLE_SET_REQUEST_USER_FOR_JWT_COOKIE were enabled at the same time in an ecommerce stage environment for edx.org, that is not reproducible locally. Additionally, the issue killed the requests without providing errors, so potentially caused an infinite loop or some such issue.

The guess is that the code for setting the user behind ENABLE_SET_REQUEST_USER_FOR_JWT_COOKIE, and the code to get the user in the new ENABLE_JWT_VS_SESSION_USER_CHECK check, were somehow in conflict. This update attempts to skip the JWT vs Session check in the case that we have set the user based on the JWT, in which case it would be a JWT vs JWT check, which not only is unnecessary, but also may be the cause of the issue.

Adds custom attributes:

  • set_user_from_jwt_status
  • skip_jwt_vs_session_check

Issue:

edx/edx-arch-experiments#429

Merge checklist:

  • All reviewers approved
  • CI build is green
  • Version bump if needed
  • Changelog record added
  • Documentation updated (not only docstrings)
  • Commits are squashed

Post merge:

  • Create a tag
  • Check new version is pushed to PyPi after tag-triggered build is
    finished.
  • Delete working branch (if not needed anymore)

Copy link
Contributor Author

@robrap robrap left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@feanil: Here is a first pass that has existing tests passing (locally at least). I did not yet add new tests for the new functionality. I wanted some feedback before either of us invested in that next level of effort. I may do some local ecommerce testing as well. Thanks.

@robrap robrap requested a review from feanil October 25, 2023 19:52
@robrap
Copy link
Contributor Author

robrap commented Oct 27, 2023

@feanil: This is ready for re-review. You can review the three newest commits one-by-one. I made some minor changes and added tests. Thanks.
UPDATE: : Make that 4 commits, because I updated the changelog date.

Copy link
Contributor

@feanil feanil left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changes look good.

@robrap
Copy link
Contributor Author

robrap commented Oct 30, 2023

@feanil: This is ready for re-re-review. I want to see how many approvals I can get for the same PR. :) Please see the latest 3 commits, and reviewing them separately may make things simpler for you.

Copy link
Contributor

@feanil feanil left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good cleanup to prep for the actual deploy.

1. An issue was found when both ENABLE_JWT_VS_SESSION_USER_CHECK
and ENABLE_SET_REQUEST_USER_FOR_JWT_COOKIE were enabled at the
same time in an ecommerce stage environment for edx.org, that
is not reproducible locally. Additionally, the issue killed the
requests without providing errors, so potentially caused an
infinite loop or some such issue.

The guess is that the code for setting the user behind
ENABLE_SET_REQUEST_USER_FOR_JWT_COOKIE, and the code to get
the user in the new ENABLE_JWT_VS_SESSION_USER_CHECK check,
were somehow in conflict. This update skips the JWT vs
Session user check in the case that we have set the user
based on the JWT, in which case it would be a JWT vs JWT check,
which not only is unnecessary, but also may be the cause of
the issue.

2. Also adds custom attributes
- set_user_from_jwt_status
- skip_jwt_vs_session_check

3. Additionally, enforces JWT and session user matching when the
toggle ENABLE_SET_REQUEST_USER_FOR_JWT_COOKIE is enabled, because
otherwise the user in the middleware might not match the user
during JWT authentication.

4. Since the JWT cookie vs session user check is an intimate
part of how ENABLE_FORGIVING_JWT_COOKIES should function
appropriately, this removes ENABLE_JWT_VS_SESSION_USER_CHECK
as a toggle and these checks will be performed whenever
ENABLE_FORGIVING_JWT_COOKIES is enabled.

This makes the ENABLE_FORGIVING_JWT_COOKIES toggle more safe,
because it can no longer be enabled without this required
functionality.

Note that the earlier tests did not cover all combinations of
ENABLE_FORGIVING_JWT_COOKIES and ENABLE_JWT_VS_SESSION_USER_CHECK
being disabled and enabled, and the updated tests better cover
both cases for the remaining toggle.

5. Lastly, the ADR was updated to explain that various
cases regarding handling of a JWT cookie user and session
user mismatch.
@robrap robrap force-pushed the robrap/fix-jwt-session-monitoring branch from e9d3ad1 to efa2c4e Compare October 31, 2023 16:57
@robrap robrap merged commit 11acf2e into master Oct 31, 2023
7 checks passed
@robrap robrap deleted the robrap/fix-jwt-session-monitoring branch October 31, 2023 17:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants